
Windows Analysis Report
Tepe - 20000000826476479.exe

Overview

General Information

Sample name:Tepe - 20000000826476479.exe
Analysis ID:1586937
MD5:62fe073a652c373cdcceaf4226e62836
SHA1:5b3ebbd663f55a13918f73a8aa842330435476f5
SHA256:ae96c4b2a9f4666798c865510244e61247009328d2f078c7831ee1033c228eba
Tags:exeuser-lowmal3

Detection

MassLogger RAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Tepe - 20000000826476479.exe (PID: 5352 cmdline: "C:\Users\user\Desktop\Tepe - 20000000826476479.exe" MD5: 62FE073A652C373CDCCEAF4226E62836)
    • RegAsm.exe (PID: 6060 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • InstallUtil.exe (PID: 4528 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • InstallUtil.exe (PID: 1528 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • WerFault.exe (PID: 3776 cmdline: C:\Windows\system32\WerFault.exe -u -p 5352 -s 1028 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
{"EXfil Mode": "SMTP", "From": "blog@alhoneycomb.com", "Password": "W           ORTH          will3611             !", "Server": "mail.alhoneycomb.com", "Port": 587}
Source | Rule | Description | Author | Strings
00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0xefb7:$a1: get_encryptedPassword
  • 0xf2df:$a2: get_encryptedUsername
  • 0xed52:$a3: get_timePasswordChanged
  • 0xee73:$a4: get_passwordField
  • 0xefcd:$a5: set_encryptedPassword
  • 0x10929:$a7: get_logins
  • 0x105da:$a8: GetOutlookPasswords
  • 0x103cc:$a9: StartKeylogger
  • 0x10879:$a10: KeyLoggerEventArgs
  • 0x10429:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.Tepe - 20000000826476479.exe.26092637750.3.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0.2.Tepe - 20000000826476479.exe.26092637750.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Tepe - 20000000826476479.exe.26092637750.3.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.Tepe - 20000000826476479.exe.26092637750.3.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0xd3b7:$a1: get_encryptedPassword
  • 0xd6df:$a2: get_encryptedUsername
  • 0xd152:$a3: get_timePasswordChanged
  • 0xd273:$a4: get_passwordField
  • 0xd3cd:$a5: set_encryptedPassword
  • 0xed29:$a7: get_logins
  • 0xe9da:$a8: GetOutlookPasswords
  • 0xe7cc:$a9: StartKeylogger
  • 0xec79:$a10: KeyLoggerEventArgs
  • 0xe829:$a11: KeyLoggerEventArgsEventHandler
0.2.Tepe - 20000000826476479.exe.26092637750.3.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  Strings:
  • 0x1237f:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1187d:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x11b8b:$a4: \Orbitum\User Data\Default\Login Data
  • 0x12983:$a5: \Kometa\User Data\Default\Login Data

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 74.119.238.7, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 4528, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49713

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-09T19:20:52.719930+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49704 | 193.122.130.0 | 80 | TCP
2025-01-09T19:20:58.876061+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49704 | 193.122.130.0 | 80 | TCP



AV Detection

Source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.raw.unpack | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "blog@alhoneycomb.com", "Password": "W ORTH will3611 !", "Server": "mail.alhoneycomb.com", "Port": 587}
Source: Tepe - 20000000826476479.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Tepe - 20000000826476479.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org

Exploits

Source: Yara match | File source: 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Tepe - 20000000826476479.exe PID: 5352, type: MEMORYSTR
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49706 version: TLS 1.0
Source: Tepe - 20000000826476479.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER6266.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb source: WER6266.tmp.dmp.7.dr
Source: Binary string: System.ni.pdbRSDS source: WER6266.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdb source: WER6266.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb source: WER6266.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER6266.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdbH source: WER6266.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER6266.tmp.dmp.7.dr
Source: Binary string: System.ni.pdb source: WER6266.tmp.dmp.7.dr
Source: Binary string: System.pdb source: WER6266.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER6266.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdb source: WER6266.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER6266.tmp.dmp.7.dr
Source: global traffic | TCP traffic: 192.168.2.8:49713 -> 74.119.238.7:587
Source: global traffic | TCP traffic: 192.168.2.8:59006 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 74.119.238.7
Source: Joe Sandbox View | IP Address: 104.21.32.1
Source: Joe Sandbox View | IP Address: 193.122.130.0
Source: Joe Sandbox View | ASN Name: VPLSNETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49704 -> 193.122.130.0:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: mail.alhoneycomb.com
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706

System Summary

Source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: Tepe - 20000000826476479.exe PID: 5352, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 4528, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523A6B93_2_0523A6B9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523D6823_2_0523D682
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523D6903_2_0523D690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523A6C83_2_0523A6C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523E9283_2_0523E928
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523E91A3_2_0523E91A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523C97A3_2_0523C97A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_052311A03_2_052311A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523C9883_2_0523C988
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_052311973_2_05231197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523F1C83_2_0523F1C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523F1D83_2_0523F1D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523B8283_2_0523B828
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_052300063_2_05230006
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523B8183_2_0523B818
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523E0683_2_0523E068
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523E0783_2_0523E078
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_052300403_2_05230040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_052340A83_2_052340A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_052340983_2_05234098
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_052308EB3_2_052308EB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_052308F03_2_052308F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523C0CA3_2_0523C0CA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523C0D83_2_0523C0D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523AB203_2_0523AB20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523AB103_2_0523AB10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_052333A03_2_052333A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_052333923_2_05233392
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523B3C13_2_0523B3C1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523B3D03_2_0523B3D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523D22A3_2_0523D22A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523D2383_2_0523D238
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523A2613_2_0523A261
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523A2703_2_0523A270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523FA783_2_0523FA78
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0523FA883_2_0523FA88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_05232AE03_2_05232AE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_05232AF03_2_05232AF0
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5352 -s 1028
                Source: Tepe - 20000000826476479.exe | Static PE information: No import functions for PE file found
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1574530336.0000026080AE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameEwipoyekuvirogokiD vs Tepe - 20000000826476479.exe
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs Tepe - 20000000826476479.exe
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEwipoyekuvirogokiD vs Tepe - 20000000826476479.exe
                Source: Tepe - 20000000826476479.exe | Binary or memory string: OriginalFilenameOfagusimetolixune< vs Tepe - 20000000826476479.exe
                Source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: Tepe - 20000000826476479.exe PID: 5352, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: InstallUtil.exe PID: 4528, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Tepe - 20000000826476479.exe | Static PE information: Section: .rsrc ZLIB complexity 0.9948613940628638
                Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@8/5@4/3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
                Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5352
                Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ee71aeae-8a97-4cf0-8187-df986f58ad86
                Source: Tepe - 20000000826476479.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: InstallUtil.exe, 00000003.00000002.2739861946.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2741164033.0000000003C7D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2739861946.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2739861946.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2739861946.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2739861946.0000000002D63000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Tepe - 20000000826476479.exe | ReversingLabs: Detection: 42%
                Source: unknown | Process created: C:\Users\user\Desktop\Tepe - 20000000826476479.exe "C:\Users\user\Desktop\Tepe - 20000000826476479.exe"
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5352 -s 1028
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Section loaded: userenv.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: secur32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: schannel.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mskeyprotect.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncryptsslp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Tepe - 20000000826476479.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Tepe - 20000000826476479.exe | Static file information: File size 1449984 > 1048576
                Source: Tepe - 20000000826476479.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER6266.tmp.dmp.7.dr
                Source: Binary string: mscorlib.pdb source: WER6266.tmp.dmp.7.dr
                Source: Binary string: System.ni.pdbRSDS source: WER6266.tmp.dmp.7.dr
                Source: Binary string: mscorlib.ni.pdb source: WER6266.tmp.dmp.7.dr
                Source: Binary string: System.Core.pdb source: WER6266.tmp.dmp.7.dr
                Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER6266.tmp.dmp.7.dr
                Source: Binary string: Microsoft.VisualBasic.pdbH source: WER6266.tmp.dmp.7.dr
                Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER6266.tmp.dmp.7.dr
                Source: Binary string: System.ni.pdb source: WER6266.tmp.dmp.7.dr
                Source: Binary string: System.pdb source: WER6266.tmp.dmp.7.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WER6266.tmp.dmp.7.dr
                Source: Binary string: System.Core.ni.pdb source: WER6266.tmp.dmp.7.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WER6266.tmp.dmp.7.dr
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Code function: 0_2_00007FFB4AEC8167 push ebx; ret 0_2_00007FFB4AEC816A
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Code function: 0_2_00007FFB4AFA026B push esp; retf 4810h 0_2_00007FFB4AFA0312
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 3_2_012D7E59 push edx; ret 3_2_012D7E5A
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exe  Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match  File source: Process Memory Space: Tepe - 20000000826476479.exe PID: 5352, type: MEMORYSTR
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: WINE_GET_UNIX_FILE_NAME
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Memory allocated: 26080A50000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Memory allocated: 2609A600000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Memory allocated: 12D0000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Memory allocated: 2C50000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Memory allocated: 4C50000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Window / User API: threadDelayed 3672
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Window / User API: threadDelayed 1634
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -19369081277395017s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -100000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -99875s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2664  Thread sleep count: 3672 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2664  Thread sleep count: 1634 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -99746s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -99626s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -99500s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -99389s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -99210s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -99106s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -98918s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -98804s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -98662s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -98546s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -98437s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -98327s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -98218s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -98109s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -97999s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -97890s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -97781s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -97671s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -97562s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -97453s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -97343s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -97232s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -97124s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -97015s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2856  Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 100000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 99875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 99746
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 99626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 99500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 99389
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 99210
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 99106
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 98918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 98804
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 98662
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 98546
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 98437
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 98327
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 98218
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 98109
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 97999
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 97890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 97781
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 97671
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 97562
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 97453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 97343
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 97232
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 97124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 97015
                Source: Amcache.hve.7.dr  Binary or memory string: VMware
                Source: Amcache.hve.7.dr  Binary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.7.dr  Binary or memory string: vmci.syshbin
                Source: Amcache.hve.7.dr  Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
                Source: Amcache.hve.7.dr  Binary or memory string: VMware, Inc.
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: Amcache.hve.7.dr  Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.7.dr  Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.7.dr  Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.7.dr  Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.7.dr  Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: VMWARE
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                Source: Amcache.hve.7.dr  Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: VMware SVGA II
                Source: Amcache.hve.7.dr  Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.7.dr  Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: InstallUtil.exe, 00000003.00000002.2738440509.0000000000F9C000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
                Source: Amcache.hve.7.dr  Binary or memory string: vmci.sys
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                Source: Amcache.hve.7.dr  Binary or memory string: vmci.syshbin`
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: vmware
                Source: Amcache.hve.7.dr  Binary or memory string: \driver\vmci,\driver\pci
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                Source: Amcache.hve.7.dr  Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.7.dr  Binary or memory string: VMware20,1
                Source: Amcache.hve.7.dr  Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.7.dr  Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.7.dr  Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.7.dr  Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Amcache.hve.7.dr  Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.7.dr  Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.7.dr  Binary or memory string: VMware PCI VMCI Bus Device
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                Source: Tepe - 20000000826476479.exe, 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                Source: Amcache.hve.7.dr  Binary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.7.dr  Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.7.dr  Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.7.dr  Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Code function: 3_2_012DC168 LdrInitializeThunk,LdrInitializeThunk,3_2_012DC168
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41A000
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41C000
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: B27008
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                Source: Tepe - 20000000826476479.exe  Binary or memory string: Shell_TrayWndC
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Queries volume information: C:\Users\user\Desktop\Tepe - 20000000826476479.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Tepe - 20000000826476479.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.7.dr  Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.7.drBinary or memory string: msmpeng.exe
                Source: Amcache.hve.7.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.7.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                Source: Amcache.hve.7.drBinary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Tepe - 20000000826476479.exe PID: 5352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4528, type: MEMORYSTR
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Tepe - 20000000826476479.exe PID: 5352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4528, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Tepe - 20000000826476479.exe PID: 5352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4528, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Tepe - 20000000826476479.exe PID: 5352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4528, type: MEMORYSTR
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092637750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Tepe - 20000000826476479.exe.26092620908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Tepe - 20000000826476479.exe PID: 5352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4528, type: MEMORYSTR
MITRE ATT&CK Matrix (one row per line; a number in front of a technique name is the count shown in the report for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 312 Process Injection | 1 Disable or Modify Tools | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 312 Process Injection | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph (ID: 1586937, Sample: Tepe - 20000000826476479.exe, Start date: 09/01/2025, Architecture: WINDOWS, Score: 100)

Start node: contacts reallyfreegeoip.org, mail.alhoneycomb.com and 3 other IPs or domains; signatures: Found malware configuration, Malicious sample detected (through community Yara rule), Multi AV Scanner detection for submitted file, 6 other signatures.
Process Tepe - 20000000826476479.exe (started): Tries to detect sandboxes and other dynamic analysis tools (process name or module or function), Writes to foreign memory regions, Allocates memory in foreign processes, Injects a PE file into a foreign processes; child processes started: InstallUtil.exe, WerFault.exe, RegAsm.exe, InstallUtil.exe.
reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP).
Process InstallUtil.exe: mail.alhoneycomb.com (74.119.238.7, 49713, 587, VPLSNETUS, United States); checkip.dyndns.com (193.122.130.0, 49704, 80, ORACLE-BMC-31898US, United States); reallyfreegeoip.org (104.21.32.1, 443, 49706, CLOUDFLARENETUS, United States); signatures: Tries to steal Mail credentials (via file / registry access), Tries to harvest and steal browser information (history, passwords, etc).

Source | Detection | Scanner | Label | Link
Tepe - 20000000826476479.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.Leonem |
Tepe - 20000000826476479.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://mail.alhoneycomb.comd | 0% | Avira URL Cloud | safe |
http://mail.alhoneycomb.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.alhoneycomb.com | 74.119.238.7 | true | true | | unknown
reallyfreegeoip.org | 104.21.32.1 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
198.187.3.20.in-addr.arpa | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
http://checkip.dyndns.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Tepe - 20000000826476479.exe | false | | high
http://r11.i.lencr.org/0- | InstallUtil.exe, 00000003.00000002.2742440897.00000000062ED000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2742440897.00000000062F7000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2738440509.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://r11.o.lencr.org0# | InstallUtil.exe, 00000003.00000002.2742440897.00000000062ED000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2742440897.00000000062F7000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2738440509.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | InstallUtil.exe, 00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.orgd | InstallUtil.exe, 00000003.00000002.2739861946.0000000002CED000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.7.dr | false | | high
http://checkip.dyndns.org | InstallUtil.exe, 00000003.00000002.2739861946.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2739861946.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed | Tepe - 20000000826476479.exe | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189l | InstallUtil.exe, 00000003.00000002.2739861946.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.alhoneycomb.comd | InstallUtil.exe, 00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.comd | InstallUtil.exe, 00000003.00000002.2739861946.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.alhoneycomb.com | InstallUtil.exe, 00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | InstallUtil.exe, 00000003.00000002.2742440897.00000000062ED000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2742440897.00000000062B0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | InstallUtil.exe, 00000003.00000002.2742440897.00000000062ED000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2742440897.00000000062B0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0Digitized | Tepe - 20000000826476479.exe | false | | high
http://checkip.dyndns.org/q | Tepe - 20000000826476479.exe, 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189d | InstallUtil.exe, 00000003.00000002.2739861946.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | InstallUtil.exe, 00000003.00000002.2739861946.0000000002CED000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.orgd | InstallUtil.exe, 00000003.00000002.2739861946.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | InstallUtil.exe, 00000003.00000002.2739861946.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | InstallUtil.exe, 00000003.00000002.2739861946.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/d | InstallUtil.exe, 00000003.00000002.2739861946.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | InstallUtil.exe, 00000003.00000002.2739861946.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot-/sendDocument?chat_id= | Tepe - 20000000826476479.exe, 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | Tepe - 20000000826476479.exe, 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2739861946.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
74.119.238.7 | mail.alhoneycomb.com | United States | 35908 | VPLSNETUS | true
104.21.32.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1586937
Start date and time: 2025-01-09 19:19:45 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Tepe - 20000000826476479.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@8/5@4/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 48
• Number of non-executed functions: 33
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173, 40.126.32.133, 52.149.20.212, 20.3.187.198, 13.107.246.45
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: Tepe - 20000000826476479.exe
Time | Type | Description
13:20:55 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
13:20:57 | API Interceptor | 26x Sleep call for process: InstallUtil.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
74.119.238.7 | Tepe - 20000000826476479.exe | malicious | MassLogger RAT |
74.119.238.7 | NoERE2024000013833.exe | malicious | AgentTesla |
74.119.238.7 | 1863415243647.exe | malicious | AgentTesla |
74.119.238.7 | Halkbank_Ekstre_20230426_075819_154085.exe | malicious | AgentTesla |
74.119.238.7 | hesaphareketi-01.exe | malicious | AgentTesla |
74.119.238.7 | New Purchase Order.exe | malicious | AgentTesla |
74.119.238.7 | rPO_CW00402902400415.exe | malicious | AgentTesla |
104.21.32.1 | QUOTATION#050125.exe | malicious | FormBook | www.mzkd6gp5.top/3u0p/
104.21.32.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | redroomaudio.com/administrator/index.php
193.122.130.0 | SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | Nuevo pedido.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | VSLS SCHEDULE_pdf.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | ungziped_file.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | New order 2025.msg | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | file.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | PO#3_RKG367.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 104.21.80.1
reallyfreegeoip.org | SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | 104.21.64.1
reallyfreegeoip.org | dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
reallyfreegeoip.org | #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
reallyfreegeoip.org | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
reallyfreegeoip.org | fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | 1C24TDP_000000029.jse | malicious | MassLogger RAT | 104.21.96.1
reallyfreegeoip.org | jqxrkk.ps1 | malicious | MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | Order_List.scr.exe | malicious | PureLog Stealer, Snake Keylogger | 104.21.64.1
checkip.dyndns.com | PO#3_RKG367.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 158.101.44.242
checkip.dyndns.com | SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
checkip.dyndns.com | 1C24TDP_000000029.jse | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | jqxrkk.ps1 | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | Order_List.scr.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
mail.alhoneycomb.com | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | 74.119.238.7
mail.alhoneycomb.com | NoERE2024000013833.exe | malicious | AgentTesla | 74.119.238.7
mail.alhoneycomb.com | 1863415243647.exe | malicious | AgentTesla | 74.119.238.7
mail.alhoneycomb.com | Halkbank_Ekstre_20230426_075819_154085.exe | malicious | AgentTesla | 74.119.238.7
mail.alhoneycomb.com | hesaphareketi-01.exe | malicious | AgentTesla | 74.119.238.7
mail.alhoneycomb.com | New Purchase Order.exe | malicious | AgentTesla | 74.119.238.7
mail.alhoneycomb.com | rPO_CW00402902400415.exe | malicious | AgentTesla | 74.119.238.7
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | PO#3_RKG367.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 158.101.44.242
ORACLE-BMC-31898US | SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | Nuevo pedido.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | Payment 01.08.25.pdf.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168
ORACLE-BMC-31898US | December Reconciliation QuanKang.exe | malicious | Unknown | 193.122.6.168
ORACLE-BMC-31898US | PO.exe | malicious | MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | BgroUcYHpy.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | VSLS SCHEDULE_pdf.exe | malicious | MassLogger RAT | 193.122.130.0
VPLSNETUS | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | 74.119.238.7
VPLSNETUS | http://vwi46h7.terraclicks.click/rd/4fRUWo26099tRCA461sdwbdplppv232VXGPAFVAHBPJXIV321477KIEL571756p9 | malicious | Phisher | 67.198.205.87
VPLSNETUS | Fantazy.arm4.elf | malicious | Unknown | 67.229.74.151
VPLSNETUS | na.elf | malicious | Mirai | 98.126.6.69
VPLSNETUS | loligang.arm.elf | malicious | Mirai | 74.222.148.221
VPLSNETUS | rebirth.arm7.elf | malicious | Mirai, Okiru | 110.34.245.254
VPLSNETUS | Owari.ppc.elf | malicious | Unknown | 174.139.231.26
VPLSNETUS | nabspc.elf | malicious | Unknown | 96.62.217.206
VPLSNETUS | RHxJqGoGFB.exe | malicious | Sality | 98.126.7.202
VPLSNETUS | la.bot.arm5.elf | malicious | Mirai | 174.139.9.232
CLOUDFLARENETUS | PO#3_RKG367.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 104.21.80.1
CLOUDFLARENETUS | SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | 104.21.64.1
CLOUDFLARENETUS | dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
CLOUDFLARENETUS | #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
CLOUDFLARENETUS | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
CLOUDFLARENETUS | fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
CLOUDFLARENETUS | 1C24TDP_000000029.jse | malicious | MassLogger RAT | 104.21.96.1
CLOUDFLARENETUS | jqxrkk.ps1 | malicious | MassLogger RAT | 104.21.16.1
CLOUDFLARENETUS | 0V2JsCrGUB.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.38.84
CLOUDFLARENETUS | https://boutiquedumonde.instawp.xyz/wp-content/themes/twentytwentyfive/envoidoclosa_toutdomaine/wetransfer/index.html | malicious | Unknown | 1.1.1.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | PO#3_RKG367.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | 1C24TDP_000000029.jse | malicious | MassLogger RAT | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | jqxrkk.ps1 | malicious | MassLogger RAT | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | Order_List.scr.exe | malicious | PureLog Stealer, Snake Keylogger | 104.21.32.1

No context
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0081878450373674
Encrypted: false
SSDEEP: 192:mQfdzR0UnUlaWB2WPzuiFcRZ24lO83WU5:NVzSUnUlam24zuiFcRY4lO8mU5
MD5: 4C3F2F6727ED7395CB3AF20F6B8D4652
SHA1: 6F8A2C3DACCDE60F173E643337356DAD4D26C155
SHA-256: 51D5E09CD8B2C355780DFA7EEC6D9D6BA7924EF01680F1792DE322E7DE1CD9D8
SHA-512: D13DD0379F255FB9436F997CFCA36F9241B5DF7EBE51BF1543F5C5E0C39B11F075C6471A1B5C7AB4F55141F04A58EC2971EDAD50D813E27E37901CCE19FA1539
Malicious: false
Reputation: low
                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.9.2.0.4.5.0.4.6.6.9.3.9.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.9.2.0.4.5.0.9.9.8.1.7.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.4.9.6.9.8.2.-.b.6.7.a.-.4.3.e.7.-.9.4.3.a.-.8.c.8.f.c.c.4.6.7.1.b.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.e.2.6.6.b.b.-.7.3.4.c.-.4.e.7.7.-.9.2.a.5.-.e.9.0.a.3.3.1.c.9.9.2.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.T.e.p.e. .-. .2.0.0.0.0.0.0.0.8.2.6.4.7.6.4.7.9...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.O.f.a.g.u.s.i.m.e.t.o.l.i.x.u.n.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.e.8.-.0.0.0.1.-.0.0.1.4.-.8.0.6.a.-.a.8.3.4.c.3.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.3.c.7.f.5.0.f.8.7.0.d.9.a.3.4.3.a.c.2.5.e.3.3.9.7.e.1.4.9.9.9.0.0.0.0.0.0.0.0.!.0.0.0.0.5.b.3.e.b.b.d.6.6.3.f.5.5.a.1.3.9.1.8.f.7.3.a.8.a.a.8.4.2.3.3.0.
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Thu Jan 9 18:20:50 2025, 0x1205a4 type
Category: dropped
Size (bytes): 386309
Entropy (8bit): 3.238432305331071
Encrypted: false
SSDEEP: 3072:cV9zRyDKL1CCq2wg3+vJSNIm+pk1v42sIcS6:GeD2q2wg3QJSZvf
MD5: DD59C06E6B6C9F3BEADB9CB97BFA3866
SHA1: 5C56FEF487902921BA3090D326F55D36E18815E3
SHA-256: 0218B0727A9685FCE976CA8BFB7E35F5DB41EBC05961EB1B057983B731CC7D28
SHA-512: 4650D9608E5E21FC4D14C8D5D981A5F31A355D50CA3536383A5A7EDD824C858E017007D8B3D01500A25BC8C388B1B93CCE89A5934DF8529390DE87C1F50E1EB7
Malicious: false
Reputation: low
                                                                                          Preview:MDMP..a..... ..........g....................................$...........L...........TD.. s..........l.......8...........T............(..U............6...........7..............................................................................eJ.......8......Lw......................T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8854
Entropy (8bit): 3.7087609641615362
Encrypted: false
SSDEEP: 192:R6l7wVeJQdfJK6YSSKMgmfoMRprk89bpUGqUfnjm:R6lXJy86Y3BgmfoMtpUGBf6
MD5: 19E41EDCD8935FB1F153172C916E63E7
SHA1: DC4AC321FBDDFD2DBCCDEFA00A7025F7796D0422
SHA-256: 5B4AF0C78971804F13C594A58405C71B61352BF94FC9E1BEFB7C0D8878F2B81A
SHA-512: 81E635F4F27864048DFD2AF680741359DB3E0E6EF5E27622ECF8B7C4AF519F6EB4F4E78189CAEC53C360D02B11FE52259312CA140A4AB23BB2240AEA4ACD62AA
Malicious: false
Reputation: low
                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.5.2.<./.P.i.
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4839
Entropy (8bit): 4.523902810540279
Encrypted: false
SSDEEP: 48:cvIwWl8zsQJg771I9gLWpW8VYQoYm8M4Jxk5QFuyq85vWIArsZMYQd:uIjfWI7r67VNJ0NrsZMYQd
MD5: 54DA3B1BEF2F078DCF76A60E1292DF94
SHA1: E76B3A83FEADD9DD51910F6B0C51DA7473DDEB75
SHA-256: E1D9A39AD21577CDB9095396ACEF98CDE2327DAA0765BE57379D4B5649189845
SHA-512: 8F79431845C6C15E25A801CF711AA7F9122256E0F48CBACB1868069DFBDBCC4272D2BE0DECD75423932EA31F66B67026FE2B2D5035CC2BE93167A489E4CFF41C
Malicious: false
Reputation: low
Preview (CRLF line breaks restored; the report truncates it inside the "ram" argument):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
  <tlm>
    <src>
      <desc>
        <mach>
          <os>
            <arg nm="vermaj" val="10" />
            <arg nm="vermin" val="0" />
            <arg nm="verbld" val="19045" />
            <arg nm="vercsdbld" val="2006" />
            <arg nm="verqfe" val="2006" />
            <arg nm="csdbld" val="2006" />
            <arg nm="versp" val="0" />
            <arg nm="arch" val="9" />
            <arg nm="lcid" val="2057" />
            <arg nm="geoid" val="223" />
            <arg nm="sku" val="48" />
            <arg nm="domain" val="0" />
            <arg nm="prodsuite" val="256" />
            <arg nm="ntprodtype" val="1" />
            <arg nm="platid" val="2" />
            <arg nm="tmsi" val="668723" />
            <arg nm="osinsty" val="1" />
            <arg nm="iever" val="11.789.19041.0-11.0.1000" />
            <arg nm="portos" val="0" />
            <arg nm="ram" val="409
                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                          Category:dropped
                                                                                          Size (bytes):1835008
                                                                                          Entropy (8bit):4.372687279708575
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:6FVfpi6ceLP/9skLmb0YyWWSPtaJG8nAge35OlMMhA2AX4WABlguN4iLJ:yV1myWWI/glMM6kF7qqJ
                                                                                          MD5:1D2CB859DB318AA9D9F0277970218435
                                                                                          SHA1:10901D2051C0A334DD253099A0D8EBBDDA9029E9
                                                                                          SHA-256:4346301EB187B60DEF311EC411209EDB5985067793661DA667E8BC94B6A3CDE6
                                                                                          SHA-512:2B9E0B0CD4BC305DFC09E5424BC2AE53694DE47D741B1B8EA66C8076CDEFBDE7817050EF16E31C81AC7407F902389C336932F06AF93F381C9A219F7136849931
                                                                                          Malicious:false
                                                                                          Reputation:low
Preview: binary registry hive ("regf" signature); the only readable UTF-16 fragment is the hive path \AppCompat\Programs\Amcache.hve, the remainder of the preview is binary and zero-filled data.
                                                                                          File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):7.24119634037318
                                                                                          TrID:
                                                                                          • Win64 Executable GUI (202006/5) 92.65%
                                                                                          • Win64 Executable (generic) (12005/4) 5.51%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                          • DOS Executable Generic (2002/1) 0.92%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:Tepe - 20000000826476479.exe
                                                                                          File size:1'449'984 bytes
                                                                                          MD5:62fe073a652c373cdcceaf4226e62836
                                                                                          SHA1:5b3ebbd663f55a13918f73a8aa842330435476f5
                                                                                          SHA256:ae96c4b2a9f4666798c865510244e61247009328d2f078c7831ee1033c228eba
                                                                                          SHA512:a6e22f13808ce0478976f35a0b40056591b3514f8c77144b4eca2d685eb84296bb29263b60b322b3401e659aa4fa2446722ce2b5ab7add3a5ee514251a8b8e69
                                                                                          SSDEEP:24576:pVmUg589C2ejwb+/3qlrCNoh+UagIwhCNoh+JR9FrIJJpCNoh+7gr5omCUJ+gkBc:pVhgB/iJO2URoGg1omvzS0+td1YndN
                                                                                          TLSH:9465AFB4731075DAEA2A8477C5B0FCC0055B7863637B812AA8D303BA88577CDBE53D96
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...7oig..............0.fg............... ....@...... .......................`............`................................
                                                                                          Icon Hash:00928e8e8686b000
                                                                                          Entrypoint:0x400000
                                                                                          Entrypoint Section:
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x67696F37 [Mon Dec 23 14:09:59 2024 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:4
                                                                                          OS Version Minor:0
                                                                                          File Version Major:4
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:4
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:
                                                                                          Instruction
                                                                                          dec ebp
                                                                                          pop edx
                                                                                          nop
                                                                                          add byte ptr [ebx], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax+eax], al
                                                                                          add byte ptr [eax], al
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xfa000         | 0x6b418      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name  | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy           | Characteristics
.text | 0x2000          | 0xf6766      | 0xf6800  | 07934fb293f0e976dab589edcd9c0de8 | False    | 0.5059128581389453 | data      | 6.632295342119814 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xfa000         | 0x6b418      | 0x6b600  | 8044a40459111471e19ee18ed919b1c7 | False    | 0.9948613940628638 | data      | 7.997814243371014 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name        | RVA      | Size    | Type                                                                              | Language | Country       | ZLIB Complexity
YOKOBAKO    | 0xfa31c  | 0x180   | data                                                                              |          |               | 1.0286458333333333
YOKOBAKO    | 0xfa49c  | 0x10    | Non-ISO extended-ASCII text, with no line terminators                             |          |               | 1.5
YOKOBAKO    | 0xfa4ac  | 0x20    | data                                                                              |          |               | 1.28125
YOKOBAKO    | 0xfa4cc  | 0x10    | data                                                                              |          |               | 1.5
YOKOBAKO    | 0xfa4dc  | 0x6a610 | data                                                                              |          |               | 1.0003235963720487
YOKOBAKO    | 0x164aec | 0x10    | data                                                                              |          |               | 1.5
RT_VERSION  | 0x164afc | 0x398   | OpenPGP Public Key                                                                |          |               | 0.48586956521739133
RT_VERSION  | 0x164e94 | 0x398   | OpenPGP Public Key                                                                | English  | United States | 0.4880434782608696
RT_MANIFEST | 0x16522c | 0x1ea   | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |          |               | 0.5489795918367347
Language of compilation system | Country where language is spoken | Map
English                        | United States                    |
Timestamp                       | SID     | Signature                                          | Severity | Source IP   | Source Port | Dest IP       | Dest Port | Protocol
2025-01-09T19:20:52.719930+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2        | 192.168.2.8 | 49704       | 193.122.130.0 | 80        | TCP
2025-01-09T19:20:58.876061+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2        | 192.168.2.8 | 49704       | 193.122.130.0 | 80        | TCP
Timestamp                          | Source IP   | Dest IP | Trans ID | OP Code            | Name                      | Type                 | Class       | DNS over HTTPS
Jan 9, 2025 19:20:50.772507906 CET | 192.168.2.8 | 1.1.1.1 | 0x893    | Standard query (0) | checkip.dyndns.org        | A (IP address)       | IN (0x0001) | false
Jan 9, 2025 19:20:52.674276114 CET | 192.168.2.8 | 1.1.1.1 | 0x5ae9   | Standard query (0) | reallyfreegeoip.org       | A (IP address)       | IN (0x0001) | false
Jan 9, 2025 19:20:58.865067959 CET | 192.168.2.8 | 1.1.1.1 | 0x36fb   | Standard query (0) | mail.alhoneycomb.com      | A (IP address)       | IN (0x0001) | false
Jan 9, 2025 19:21:23.090610981 CET | 192.168.2.8 | 1.1.1.1 | 0x6650   | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp                           Source IP  Dest IP      Trans ID  Reply Code      Name                       CName               Address         Type                    Class        DNS over HTTPS
Jan 9, 2025 19:20:50.779486895 CET  1.1.1.1    192.168.2.8  0x893     No error (0)    checkip.dyndns.org         checkip.dyndns.com  -               CNAME (Canonical name)  IN (0x0001)  false
Jan 9, 2025 19:20:50.779486895 CET  1.1.1.1    192.168.2.8  0x893     No error (0)    checkip.dyndns.com         -                   193.122.130.0   A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:20:50.779486895 CET  1.1.1.1    192.168.2.8  0x893     No error (0)    checkip.dyndns.com         -                   193.122.6.168   A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:20:50.779486895 CET  1.1.1.1    192.168.2.8  0x893     No error (0)    checkip.dyndns.com         -                   158.101.44.242  A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:20:50.779486895 CET  1.1.1.1    192.168.2.8  0x893     No error (0)    checkip.dyndns.com         -                   132.226.247.73  A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:20:50.779486895 CET  1.1.1.1    192.168.2.8  0x893     No error (0)    checkip.dyndns.com         -                   132.226.8.169   A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:20:52.681684971 CET  1.1.1.1    192.168.2.8  0x5ae9    No error (0)    reallyfreegeoip.org        -                   104.21.32.1     A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:20:52.681684971 CET  1.1.1.1    192.168.2.8  0x5ae9    No error (0)    reallyfreegeoip.org        -                   104.21.80.1     A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:20:52.681684971 CET  1.1.1.1    192.168.2.8  0x5ae9    No error (0)    reallyfreegeoip.org        -                   104.21.96.1     A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:20:52.681684971 CET  1.1.1.1    192.168.2.8  0x5ae9    No error (0)    reallyfreegeoip.org        -                   104.21.16.1     A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:20:52.681684971 CET  1.1.1.1    192.168.2.8  0x5ae9    No error (0)    reallyfreegeoip.org        -                   104.21.48.1     A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:20:52.681684971 CET  1.1.1.1    192.168.2.8  0x5ae9    No error (0)    reallyfreegeoip.org        -                   104.21.112.1    A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:20:52.681684971 CET  1.1.1.1    192.168.2.8  0x5ae9    No error (0)    reallyfreegeoip.org        -                   104.21.64.1     A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:20:59.156749964 CET  1.1.1.1    192.168.2.8  0x36fb    No error (0)    mail.alhoneycomb.com       -                   74.119.238.7    A (IP address)          IN (0x0001)  false
Jan 9, 2025 19:21:23.098062038 CET  1.1.1.1    192.168.2.8  0x6650    Name error (3)  198.187.3.20.in-addr.arpa  none                none            PTR (Pointer record)    IN (0x0001)  false
                                                                                          • reallyfreegeoip.org
                                                                                          • checkip.dyndns.org
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.8  49704        193.122.130.0   80                4528  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp                           Bytes transferred  Direction  Data
Jan 9, 2025 19:20:51.056054115 CET  151                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 9, 2025 19:20:52.561574936 CET  321                IN         HTTP/1.1 200 OK
    Date: Thu, 09 Jan 2025 18:20:52 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 741efe9bf4d3300482fd8e172df7151a
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 19:20:52.565979958 CET  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Jan 9, 2025 19:20:52.672745943 CET  321                IN         HTTP/1.1 200 OK
    Date: Thu, 09 Jan 2025 18:20:52 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: a410764abda7428ba100a7d74f2b8347
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 19:20:58.707268000 CET  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Jan 9, 2025 19:20:58.826674938 CET  321                IN         HTTP/1.1 200 OK
    Date: Thu, 09 Jan 2025 18:20:58 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 6d0e0af029d461b6f3a443f853170f9f
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.8  49706        104.21.32.1     443               4528  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-09 18:20:53 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-09 18:20:53 UTC  854                IN         HTTP/1.1 200 OK
    Date: Thu, 09 Jan 2025 18:20:53 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1761642
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tKb2zlexQFvppUEsHe4DJAw5XUwrRHcHk7SYc3eN3AhgQSlY2uwPtVeBraqs8lVk5IcfOK5%2BN%2B5GeCNFeB4gF5mNFWUbJE5G4jmpAfscrd8InwU0aZn5Ee9U0t616BE%2BAAn0s5aS"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ff671a1286a4344-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1688&min_rtt=1680&rtt_var=647&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1670480&cwnd=47&unsent_bytes=0&cid=0b561654782de1d7&ts=224&x=0"
2025-01-09 18:20:53 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Timestamp                           Source Port  Dest Port  Source IP     Dest IP       Commands
Jan 9, 2025 19:20:59.829135895 CET  587          49713      74.119.238.7  192.168.2.8   220-md-la-5.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 09 Jan 2025 23:50:59 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jan 9, 2025 19:20:59.833349943 CET  49713        587        192.168.2.8   74.119.238.7  EHLO 216041
Jan 9, 2025 19:21:00.000847101 CET  587          49713      74.119.238.7  192.168.2.8   250-md-la-5.webhostbox.net Hello 216041 [8.46.123.189]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Jan 9, 2025 19:21:00.003684998 CET  49713        587        192.168.2.8   74.119.238.7  STARTTLS
Jan 9, 2025 19:21:00.155623913 CET  587          49713      74.119.238.7  192.168.2.8   220 TLS go ahead


                                                                                          Target ID:0
                                                                                          Start time:13:20:47
                                                                                          Start date:09/01/2025
                                                                                          Path:C:\Users\user\Desktop\Tepe - 20000000826476479.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\Desktop\Tepe - 20000000826476479.exe"
                                                                                          Imagebase:0x260805c0000
                                                                                          File size:1'449'984 bytes
                                                                                          MD5 hash:62FE073A652C373CDCCEAF4226E62836
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1575435424.0000026092608000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1574756756.000002608263B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:13:20:48
                                                                                          Start date:09/01/2025
                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                          Wow64 process (32bit):
                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                                                                          Imagebase:
                                                                                          File size:65'440 bytes
                                                                                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:3
                                                                                          Start time:13:20:49
                                                                                          Start date:09/01/2025
                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                                                          Imagebase:0x980000
                                                                                          File size:42'064 bytes
                                                                                          MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.2738093564.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.2739861946.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:4
                                                                                          Start time:13:20:49
                                                                                          Start date:09/01/2025
                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                          Wow64 process (32bit):
                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                                                          Imagebase:
                                                                                          File size:42'064 bytes
                                                                                          MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:7
                                                                                          Start time:13:20:50
                                                                                          Start date:09/01/2025
                                                                                          Path:C:\Windows\System32\WerFault.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 5352 -s 1028
                                                                                          Imagebase:0x7ff62b0a0000
                                                                                          File size:570'736 bytes
                                                                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true


                                                                                            Execution Graph

                                                                                            Execution Coverage:11%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:5
                                                                                            Total number of Limit Nodes:1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1577482443.00007FFB4AFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFA0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffb4afa0000_Tepe - 20000000826476479.jbxd

                                                                                            Control-flow Graph: function at 0x7ffb4aecdfe9, basic blocks from 0x7ffb4aecdfe9 to 0x7ffb4aecef73, direct calls to 0x7ffb4aeca540, 0x7ffb4aec6da0, 0x7ffb4aec6a00, 0x7ffb4aecaf10, 0x7ffb4aecc6a0, 0x7ffb4aec0278, 0x7ffb4aec2598, 0x7ffb4aecd090, 0x7ffb4aecef74 and 0x7ffb4aec7d80 (rendered graph with executed/not-executed block shading omitted)
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1577142173.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffb4aec0000_Tepe - 20000000826476479.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 6K_L
                                                                                            • API String ID: 0-3397539424
                                                                                            • Opcode ID: ee7d5098cf1458a3220a0bb3737d367f303f3d0b3e64e25a2dd9801e03baedbf
                                                                                            • Instruction ID: 232f742fe39737157efbba667d77bffe4cc6c1ad7fb2ff8b16ea89f559574820
                                                                                            • Opcode Fuzzy Hash: ee7d5098cf1458a3220a0bb3737d367f303f3d0b3e64e25a2dd9801e03baedbf
                                                                                            • Instruction Fuzzy Hash: 17B2127160CB864FD359EF38C4814B5BBE2FF95301B2446BEE49AC7296DE24E846C781

                                                                                            Control-flow Graph: function at 0x7ffb4aec0cc0, basic blocks from 0x7ffb4aec0cc0 to 0x7ffb4aec4601, direct calls to 0x7ffb4aec3f20, 0x7ffb4aec3f70, 0x7ffb4aec2730 and 0x7ffb4aec2750 (rendered graph with executed/not-executed block shading omitted)
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1577142173.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffb4aec0000_Tepe - 20000000826476479.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: d
                                                                                            • API String ID: 0-2564639436
                                                                                            • Opcode ID: 6605f822dd545b3bf1a13633eacb70e9a60d8b31583670d09815a3d595abec93
                                                                                            • Instruction ID: 1a1b880c94e91802beb68e74d6d50b707a38173c5e9cde91dfec630f873c00b8
                                                                                            • Opcode Fuzzy Hash: 6605f822dd545b3bf1a13633eacb70e9a60d8b31583670d09815a3d595abec93
                                                                                            • Instruction Fuzzy Hash: 942255B195CA4A4FE359FF38D4855B177D0FF85310B2442FAD4AAC719BEE28A8438781
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1577142173.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffb4aec0000_Tepe - 20000000826476479.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e76d8fd83ed96b76284f722a404c7f1abe107bd389f0337c6d753e7f98e5e13d
                                                                                            • Instruction ID: e31bb9aff350e06d5fa5b1836f4ae7980febe95c2c986a8c1d8eb0248c12a0dd
                                                                                            • Opcode Fuzzy Hash: e76d8fd83ed96b76284f722a404c7f1abe107bd389f0337c6d753e7f98e5e13d
                                                                                            • Instruction Fuzzy Hash: 2FB2377151CB8A8FE749EF38C4944B5BBE1FF95300B2445FED49AC72A2DA38A846C741

                                                                                            Control-flow Graph: function at 0x7ffb4aec85b0, basic blocks from 0x7ffb4aec85b0 to 0x7ffb4aecd073, direct calls to 0x7ffb4aec8590, 0x7ffb4aec3a08, 0x7ffb4aec7d38, 0x7ffb4aec7fa8, 0x7ffb4aec85b8, 0x7ffb4aec0278, 0x7ffb4aeca540, 0x7ffb4aec3940, 0x7ffb4aec6a00, 0x7ffb4aec2598, 0x7ffb4aec3958 and 0x7ffb4aec7d78 (rendered graph with executed/not-executed block shading omitted)
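The execution graph and the control-flow graphs in this report are rendered as flat token lists: a graph name, then a node id followed by an address or `start-end` range, optional `call <target>` entries (`* n` marks n calls to the same target), bare API names on blocks that reach a Windows API, and `src->dst` edges. The parser below is an added example written for this page, not Joe Sandbox code. It rebuilds nodes and edges from that text, reports a function's address range and call targets, and walks the graph from the entry node to list API calls that sit on the classic remote-injection chain; the API watchlist is the example's own assumption. Both inputs are constructed: the execution graph is the five-node one shown in this report, the control-flow fragment is trimmed from the first function graph above.

```python
"""Parse the flat graph dumps Joe Sandbox renders for execution and control-flow graphs.
Added example for this page, not Joe Sandbox code. Dump shape as seen in the report:
'<kind> <id> <addr[-addr]> [call <addr> [* n]]... [ApiName]... <src>-><dst>...'"""
import re
from collections import deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^([0-9a-f]{6,16})(?:-([0-9a-f]{6,16}))?$")

# Assumed watchlist (not from the report): APIs of the classic remote-injection chain.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                  "NtUnmapViewOfSection", "SetThreadContext", "ResumeThread"}

# Constructed inputs: the execution graph is the five-node one shown in this report;
# the control-flow fragment is trimmed from the report's first function graph.
EXECUTION_GRAPH = ("execution_graph 12331 7ffb4aec7a75 12332 7ffb4aeddb50 12331->12332 "
                   "12333 7ffb4aeddc39 12332->12333 12334 7ffb4aedde06 VirtualAllocEx "
                   "12332->12334 12335 7ffb4aedde56 12334->12335")
CFG_FRAGMENT = ("control_flow_graph 335 7ffb4aecdfe9-7ffb4aece05e "
                "340 7ffb4aece0cf-7ffb4aece0e5 call 7ffb4aeca540 335->340 "
                "341 7ffb4aece060-7ffb4aece065 335->341 "
                "350 7ffb4aece20b-7ffb4aece210 355 7ffb4aece222 350->355 "
                "358 7ffb4aece228-7ffb4aece276 call 7ffb4aeca540 * 2 call 7ffb4aec6a00 355->358")

@dataclass
class Node:
    nid: int
    start: int                                  # first address of the block
    end: int                                    # last address (== start for a single address)
    calls: list = field(default_factory=list)   # direct call targets, one entry per call
    apis: list = field(default_factory=list)    # Windows API names annotated on the block

@dataclass
class Graph:
    kind: str
    nodes: dict = field(default_factory=dict)   # node id -> Node
    edges: list = field(default_factory=list)   # (src id, dst id)

def parse_graph(text: str) -> Graph:
    """Rebuild nodes and edges from one whitespace-separated graph dump."""
    toks = text.split()
    g, cur, i = Graph(kind=toks[0]), None, 1
    while i < len(toks):
        t = toks[i]
        edge = EDGE_RE.match(t)
        if edge:
            g.edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif t.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            m = ADDR_RE.match(toks[i + 1])      # node id followed by "start" or "start-end"
            start = int(m.group(1), 16)
            end = int(m.group(2), 16) if m.group(2) else start
            cur = Node(int(t), start, end)
            g.nodes[cur.nid] = cur
            i += 2
        elif t == "call":
            cur.calls.append(int(toks[i + 1], 16))
            i += 2
        elif t == "*":
            # "call X * n": the preceding target is called n times in total
            cur.calls.extend([cur.calls[-1]] * (int(toks[i + 1]) - 1))
            i += 2
        else:
            cur.apis.append(t)                  # bare identifier: API reached from this block
            i += 1
    return g

def address_range(g: Graph):
    """Lowest and highest address covered by the graph's blocks."""
    return (min(n.start for n in g.nodes.values()), max(n.end for n in g.nodes.values()))

def call_targets(g: Graph):
    """Distinct subroutine addresses called from any block, sorted."""
    return sorted({c for n in g.nodes.values() for c in n.calls})

def reachable(g: Graph, entry: int):
    """Node ids reachable from `entry` by BFS over the edges, entry included."""
    seen, queue = {entry}, deque([entry])
    while queue:
        src = queue.popleft()
        for s, dst in g.edges:
            if s == src and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def injection_apis(g: Graph, entry: int, watchlist=INJECTION_APIS):
    """(api, block address) pairs for watch-listed APIs on blocks reachable from `entry`."""
    return [(api, g.nodes[nid].start) for nid in sorted(reachable(g, entry))
            for api in g.nodes[nid].apis if api in watchlist]

if __name__ == "__main__":
    eg = parse_graph(EXECUTION_GRAPH)
    lo, hi = address_range(eg)
    print(f"{eg.kind}: {len(eg.nodes)} nodes, {len(eg.edges)} edges, {lo:#x}-{hi:#x}")
    for api, addr in injection_apis(eg, entry=12331):
        print(f"  {api} reached from entry, in block {addr:#x}")
    cfg = parse_graph(CFG_FRAGMENT)
    print(f"{cfg.kind}: calls {[hex(c) for c in call_targets(cfg)]}; "
          f"block 358 calls {[hex(c) for c in cfg.nodes[358].calls]}")
```

On the report's own execution graph the walk from node 12331 reaches the VirtualAllocEx block at 0x7ffb4aedde06, which is the allocation step one would expect before a write into another process; a single hit is a lead to confirm against the API trace, not proof of injection on its own. The `* n` handling matters for the control-flow dumps: without it, a block that calls the same routine twice would be recorded as a single call.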
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1577142173.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffb4aec0000_Tepe - 20000000826476479.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7fa5710802ada8f22dd39ad222fc9aab1aca218d4edb2b7cabf04a65e776cb03
                                                                                            • Instruction ID: 0e85c0d3be5a2777743f0bff58f7a165748891b338fb83b91a5fcb29134ef44f
                                                                                            • Opcode Fuzzy Hash: 7fa5710802ada8f22dd39ad222fc9aab1aca218d4edb2b7cabf04a65e776cb03
                                                                                            • Instruction Fuzzy Hash: 1352D470A0CA498FDB68FF29D455A7977E5FF99300B2401BDE49EC7292DE24EC428781
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1577142173.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffb4aec0000_Tepe - 20000000826476479.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a7ae507583cd753807b26918a7e3b9af4466c9a96cd913588dbfa7de3b4a0ed0
                                                                                            • Instruction ID: b5c814123b0e9125280f08cdb7ab97d8fbfe0931f7d3bab9269c293dae923323
                                                                                            • Opcode Fuzzy Hash: a7ae507583cd753807b26918a7e3b9af4466c9a96cd913588dbfa7de3b4a0ed0
                                                                                            • Instruction Fuzzy Hash: 13D146B150CB864FE71CEF29C4951B5B7D2FFE5301B2446BED4DAC72A1DA28A802C781
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1577142173.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffb4aec0000_Tepe - 20000000826476479.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a47bb184838a2c7b731ceca776935da304226d0a7a3c407ffdb83a801c1be8c2
                                                                                            • Instruction ID: 8a33022bbd61603b6a217403ab26d30399066f288a6d944d818dbec9b8437711
                                                                                            • Opcode Fuzzy Hash: a47bb184838a2c7b731ceca776935da304226d0a7a3c407ffdb83a801c1be8c2
                                                                                            • Instruction Fuzzy Hash: 85917BB1A4DB860FE31DEE399491175BBD3FFC5201B6482BEE4D6C32D1DD2898029381
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1577142173.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffb4aec0000_Tepe - 20000000826476479.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fbf1738d643b4325c1144292cd297171d796f4a1cfd3c87fef0c7f8ca50baca3
                                                                                            • Instruction ID: e708f040d08dbabfb46de5c7ea85653efdad3b82c26005f9bd0d9987a696654d
                                                                                            • Opcode Fuzzy Hash: fbf1738d643b4325c1144292cd297171d796f4a1cfd3c87fef0c7f8ca50baca3
                                                                                            • Instruction Fuzzy Hash: D841267164C78A0FD71EAE38C8561B57BAAEB83210B25C2BFD49BC7197DD2858078391
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1577142173.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffb4aec0000_Tepe - 20000000826476479.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d1750643d31a1c46fe6d54fb8e9e6ef579e802157be7e2cfa98fa1ef5bac0032
                                                                                            • Instruction ID: 7387fadf46e9c25c3812759f883658eae99bdec706b331b4f05768998d6804f6
                                                                                            • Opcode Fuzzy Hash: d1750643d31a1c46fe6d54fb8e9e6ef579e802157be7e2cfa98fa1ef5bac0032
                                                                                            • Instruction Fuzzy Hash: BF41296154D7CE0FD31EAE74C8511A67FA9EB93200F1682FBD4DAC7197DD28580B8391

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1577142173.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffb4aec0000_Tepe - 20000000826476479.jbxd
Similarity
• API ID:
• String ID: IJ_L
• API String ID: 0-4162620573
• Opcode ID: eb4d8a8a228952af95e45cf422a800cc4441fa6e1ae61067c75ec45b7817538e
• Instruction ID: e30e9d1c7a42aa15305574ca4c8d437d3b4a2088f55c9f0fc37c3a2f3a3f29b0
• Opcode Fuzzy Hash: eb4d8a8a228952af95e45cf422a800cc4441fa6e1ae61067c75ec45b7817538e
• Instruction Fuzzy Hash: 8BB129B1A0DA464FE758FE7CD8865B5B7D5FF98310F2042BEE09DC3292DD65A8028781
Memory Dump Source
• Source File: 00000000.00000002.1577482443.00007FFB4AFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffb4afa0000_Tepe - 20000000826476479.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 920a143ccc8502e13790b7c61af5db2ef1644ff3f59fd0e9346607fb55ee43a6
• Instruction ID: 39ff3ca191da23f8552e1e016155b76a90b4097a5790c71275ce6018020ccb7c
• Opcode Fuzzy Hash: 920a143ccc8502e13790b7c61af5db2ef1644ff3f59fd0e9346607fb55ee43a6
• Instruction Fuzzy Hash: 8D415C7290DA8D4FEB56EF24D8914E87BE4FF55300B1505FBD04ACB1D2DA25AC41C781
Memory Dump Source
• Source File: 00000000.00000002.1577482443.00007FFB4AFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffb4afa0000_Tepe - 20000000826476479.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1ddada2fdc3a3d3723ed44fe851841ae9bbb260f94a545a6aa9907019645713
• Instruction ID: 88325c2e08871217a9882fadcf93c5838a7db6b02a64827f625a3e0ff2189155
• Opcode Fuzzy Hash: a1ddada2fdc3a3d3723ed44fe851841ae9bbb260f94a545a6aa9907019645713
• Instruction Fuzzy Hash: 34E01231A0562C8EEF60EB18CC81FEAB3B1FB88300F1041E6D44DE3241CA306A85CF82

Execution Graph

Execution Coverage: 12.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 25%
Total number of Nodes: 56
Total number of Limit Nodes: 4

Control-flow Graph

Memory Dump Source
• Source File: 00000003.00000002.2739489555.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_12d0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f311415cb27f6e2326962cdc4690278243b53bff47c4cfb926d362cc2318e8a
• Instruction ID: 4d4ed90f36cfe43e22d7bd7eca0969e4e4027ea2e59975ea4d6c7e696a9e30a0
• Opcode Fuzzy Hash: 6f311415cb27f6e2326962cdc4690278243b53bff47c4cfb926d362cc2318e8a
• Instruction Fuzzy Hash: 56223A74E102198FDB14DFA8C884BADBBB6FF88310F1481A9D409AB355DB719D85CF90
Memory Dump Source
• Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a485acb1dbf81c1230dbfa5a82ba8eb34b84ab7d0a234b1b114a1616057bf219
• Instruction ID: 19b768912223f58dbfcd31eab5e993ffa4639e910d134cb051045c3e82eecba1
• Opcode Fuzzy Hash: a485acb1dbf81c1230dbfa5a82ba8eb34b84ab7d0a234b1b114a1616057bf219
• Instruction Fuzzy Hash: 478240B5A102199FDB14DF69C885AAEBBF6FF88300F148559E806EB355DB30ED41CB90
Memory Dump Source
• Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74d3d76e8644823ac98513373eed8a4d6a8cc09d6c0a0c4b9eb234d326700d4a
• Instruction ID: 59c2746900db326c505cfe4b3ece80cf78689c27f9cf008377ea9ec76c3f817c
• Opcode Fuzzy Hash: 74d3d76e8644823ac98513373eed8a4d6a8cc09d6c0a0c4b9eb234d326700d4a
• Instruction Fuzzy Hash: F3824DB4A10606DFDB14CF68C985EAEBBF2FF88310F198555E84A9B2A1D730ED41CB50

Control-flow Graph

Memory Dump Source
• Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b4c06b656985a7620f9cb8d7e1b6782ad6e4ae6a4f58157770e57c9abdc5470b
• Instruction ID: f23b9667a6bfe8e2b5f3e5cf4e8127bf9d4baab784f3aeebda53b5d573579c6c
• Opcode Fuzzy Hash: b4c06b656985a7620f9cb8d7e1b6782ad6e4ae6a4f58157770e57c9abdc5470b
• Instruction Fuzzy Hash: C0827E74E012298FDB65DF69C998BDDBBB2BF89301F1081EA940DA7254DB305E85DF40

Control-flow Graph

Memory Dump Source
• Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0b15a980a76f0dde7ddd6678269014abbc98d9e968236698433bf951e17698bc
• Instruction ID: bddfdf9a2ed59bc7dc2d9d8efc5dff826d4e17e039a53ebc2443cbafb0da5b77
• Opcode Fuzzy Hash: 0b15a980a76f0dde7ddd6678269014abbc98d9e968236698433bf951e17698bc
• Instruction Fuzzy Hash: 17E1ADB4E01218CFEB64DFA5C944B9DBBB2BF89300F2081A9D809B7394DB755A85CF54

Control-flow Graph

Memory Dump Source
• Source File: 00000003.00000002.2739489555.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_12d0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 949882eeec80fa3509982a57a8125a0531c71336fbf257c5ac5ff55618d8da9f
• Instruction ID: 78386d6f05d1a2a926d020005aaa4de2656e56d9e63caa65e02ddd45f203ac5f
• Opcode Fuzzy Hash: 949882eeec80fa3509982a57a8125a0531c71336fbf257c5ac5ff55618d8da9f
• Instruction Fuzzy Hash: 96C19E78E01218CFDB64DFA9D944B9DBBB2BF88301F2080A9D809A7354DB359E85CF50

Control-flow Graph

Memory Dump Source
• Source File: 00000003.00000002.2739489555.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_12d0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41d1e1874c8d868bbb7d55f8de6bd73e1fc255407416f3e6dce0232f20ae179d
• Instruction ID: f200f382488d6b6aaee6e2d45507caf2dde3f9e536dd0cadbde32656d2060319
• Opcode Fuzzy Hash: 41d1e1874c8d868bbb7d55f8de6bd73e1fc255407416f3e6dce0232f20ae179d
• Instruction Fuzzy Hash: 78A11474D00209CFEB24DFA8D948B9DBBB1FF88300F208269E509A7395DB759985CF51

Control-flow Graph

Memory Dump Source
• Source File: 00000003.00000002.2739489555.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_12d0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eeeb01b9a68bee557d9e58dbc9cb1f1cc5483c87569fbde4f11689e64ab6cfea
• Instruction ID: 0a7f8aaeba0d01ca81500c630bb2b417f012265c43d85fd6f0956faf1728fae8
• Opcode Fuzzy Hash: eeeb01b9a68bee557d9e58dbc9cb1f1cc5483c87569fbde4f11689e64ab6cfea
• Instruction Fuzzy Hash: 11911374D00208CFEB20DFA8D948BACBBB1FF48300F209259E509AB291DBB59985CF55
Memory Dump Source
• Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d713f22e1672ce8bcc465b92da49c6f3ac99ff03249ba7b926fe3d17fe7c348c
• Instruction ID: a2f32086611c95a5a868035f0dd6ad60f1857a46dbaeb137c85f3ae02ac107e8
• Opcode Fuzzy Hash: d713f22e1672ce8bcc465b92da49c6f3ac99ff03249ba7b926fe3d17fe7c348c
• Instruction Fuzzy Hash: 3381CEB4E1021CCFDB18DFAAD8947ADBBF2BF89300F20816AD419AB254DB305945CF40
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 708971dca052dbbe1230e7e13d4c0ffad77b3f17277fa5176703f4f0751987b3
                                                                                            • Instruction ID: f0b00c93fb5ec3ce9a2de76f37b8ef1fc3d21b03dcb07f4ba8db13ff4df1460f
                                                                                            • Opcode Fuzzy Hash: 708971dca052dbbe1230e7e13d4c0ffad77b3f17277fa5176703f4f0751987b3
                                                                                            • Instruction Fuzzy Hash: 0C41B2B0D112098BEB68DFAAC8447EEBBF2BF89300F14C169D418BB294DB755946CF54

Control-flow Graph

• Control-flow graph of the function at 12dc76c (rendered as an interactive graph in the original report; the raw edge list is omitted here). Basic blocks span 12dc623-12dc9d1. The block at 12dc8a9-12dc8bf calls LdrInitializeThunk; 12dc9c1 calls 12d5ca8 and 12dc7b0 calls 12dc168.
                                                                                            APIs
                                                                                            • LdrInitializeThunk.NTDLL(00000000), ref: 012DC8AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2739489555.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_12d0000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 53cca5861d50a275fd96367837501aa0fc1dd72f4a702a901e41405eb37aa54c
                                                                                            • Instruction ID: 8576fecb8691008a8dc741490d105c5107912546efebbb970ff552534ec3ad83
                                                                                            • Opcode Fuzzy Hash: 53cca5861d50a275fd96367837501aa0fc1dd72f4a702a901e41405eb37aa54c
                                                                                            • Instruction Fuzzy Hash: 31116A74E142098FDB15DBA8D485EADBBB9FB88314F148129E848E7346D770AD41CB60

Control-flow Graph

• Control-flow graph of the function at 5238848 (rendered as an interactive graph in the original report; the raw edge list is omitted here). Basic blocks span 5238848-523952b; no call sites or API references are recorded in this graph.
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 319168a2586ab52772481647988289477d386746657c7282de6b109227070025
                                                                                            • Instruction ID: 6dca3f74304782d647c8285e7cf1f425098fdd414f142d9c780dfdf0e3642327
                                                                                            • Opcode Fuzzy Hash: 319168a2586ab52772481647988289477d386746657c7282de6b109227070025
                                                                                            • Instruction Fuzzy Hash: C6626074A102199FEB24DBA4C860BAEBB72FFC8700F1080A9D50AAB394DF755D85DF51

Control-flow Graph

• Control-flow graph of the function at 52365f1 (rendered as an interactive graph in the original report; the raw edge list is omitted here). Basic blocks span 52365f1-523689e; no call sites or API references are recorded in this graph.
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ab758fc50caa7dfe0691d0f7c25785744c7f65fdb7b7f22af3f1b8917e3757e9
                                                                                            • Instruction ID: c135a030f46656b2bcf3f8d4c44503e535acd678fbb5ba7f65335fcf379596bf
                                                                                            • Opcode Fuzzy Hash: ab758fc50caa7dfe0691d0f7c25785744c7f65fdb7b7f22af3f1b8917e3757e9
                                                                                            • Instruction Fuzzy Hash: A681B5B4B24106EFCB14CF68C485A6ABBBAFF88244B588169D416E7364D731FC41CF50

Control-flow Graph

• Control-flow graph of the function at 52362a8 (rendered as an interactive graph in the original report; the raw edge list is omitted here). Basic blocks span 52362a8-5236531. 52362c5 calls 5232a50; 523636e calls 5236130 or 52362a8 (the function itself); 52364e4 calls 52365f1.
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b1e02e44632d49ff861108885f3e913852d10c55908d9e5c59c898bf4b669279
                                                                                            • Instruction ID: 56719955c8dfb0489fa5897ef4a8d966ba9e8109e4abcfb8e593aaa563b31a8d
                                                                                            • Opcode Fuzzy Hash: b1e02e44632d49ff861108885f3e913852d10c55908d9e5c59c898bf4b669279
                                                                                            • Instruction Fuzzy Hash: FB71E174710202AFDB299B74D499B3E7BABBFC9601B148469E50ACB384DF74EC42C790
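Every function entry in this listing uses the same fixed layout: an optional APIs list, then Memory Dump Source, Snapshot File, the Similarity fields, the Opcode and Instruction IDs and the two fuzzy hashes. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses that layout into records, indexes entries by Instruction Fuzzy Hash (the value a practitioner pivots on to find related functions in other samples) and flags dump regions the report marks "based on PE: false", which I read as regions not backed by a mapped image. The sample text is a hand-assembled excerpt of two entries from this page, and the record and function names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt in the layout of the Joe Sandbox IDA-plugin function listing
# (values copied from two entries of this report; the excerpt itself is hand-assembled).
SAMPLE = """
Control-flow Graph
APIs
• LdrInitializeThunk.NTDLL(00000000), ref: 012DC8AE
Memory Dump Source
• Source File: 00000003.00000002.2739489555.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_12d0000_InstallUtil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 53cca5861d50a275fd96367837501aa0fc1dd72f4a702a901e41405eb37aa54c
• Instruction ID: 8576fecb8691008a8dc741490d105c5107912546efebbb970ff552534ec3ad83
• Opcode Fuzzy Hash: 53cca5861d50a275fd96367837501aa0fc1dd72f4a702a901e41405eb37aa54c
• Instruction Fuzzy Hash: 31116A74E142098FDB15DBA8D485EADBBB9FB88314F148129E848E7346D770AD41CB60
Memory Dump Source
• Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
• Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
• API ID:
• API String ID:
• Opcode ID: 319168a2586ab52772481647988289477d386746657c7282de6b109227070025
• Instruction ID: 6dca3f74304782d647c8285e7cf1f425098fdd414f142d9c780dfdf0e3642327
• Opcode Fuzzy Hash: 319168a2586ab52772481647988289477d386746657c7282de6b109227070025
• Instruction Fuzzy Hash: C6626074A102199FEB24DBA4C860BAEBB72FFC8700F1080A9D50AAB394DF755D85DF51
"""

# "• Name.MODULE(args), ref: ADDR" lines under "APIs"; they precede the entry's Memory Dump Source.
API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SOURCE_RE = re.compile(r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
# Report field label -> attribute on FunctionRecord (attribute names are my own, not Joe Sandbox's).
FIELDS = {"Snapshot File": "snapshot", "API ID": "api_id", "String ID": "string_id",
          "API String ID": "api_string_id", "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
          "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy"}


@dataclass
class FunctionRecord:
    source_file: str = ""
    offset: int = 0            # base of the dumped region, e.g. 0x12D0000
    based_on_pe: bool = False  # the report's "based on PE" flag for that region
    snapshot: str = ""
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""
    apis: list = field(default_factory=list)  # (name, module, ref address) tuples


def parse_listing(text):
    """Split the listing into one FunctionRecord per 'Memory Dump Source' block."""
    records, pending_apis, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = FunctionRecord(apis=pending_apis)  # APIs listed just above belong to this entry
            pending_apis = []
            records.append(current)
            continue
        m = API_RE.match(line)
        if m:
            pending_apis.append((m["name"], m["module"], int(m["ref"], 16)))
            continue
        if current is None:
            continue  # headings, legend and graph edge lists carry no field data
        m = SOURCE_RE.match(line)
        if m:
            current.source_file, current.offset = m["file"], int(m["offset"], 16)
            current.based_on_pe = m["pe"] == "true"
            continue
        m = FIELD_RE.match(line)
        if m and m["key"] in FIELDS:
            setattr(current, FIELDS[m["key"]], m["value"].strip())
    return records


def fuzzy_hash_index(records):
    """Instruction fuzzy hash -> Opcode IDs sharing it; the pivot for cross-sample similarity."""
    index = defaultdict(list)
    for r in records:
        if r.instruction_fuzzy:
            index[r.instruction_fuzzy].append(r.opcode_id)
    return dict(index)


def non_image_regions(records):
    """Regions the report does not map back to a PE image: where unpacked or injected code usually lives."""
    return sorted({r.offset for r in records if not r.based_on_pe})


RECORDS = parse_listing(SAMPLE)
```

Run against a full export of the listing, the index lets you pull every entry that shares a fuzzy hash with a function of interest (the LdrInitializeThunk caller, say) and the region check tells you which snapshots (here both the 012D0000 and 05230000 dumps of InstallUtil) hold code with no image backing, which is the first place to look when the report also flags process injection.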
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ca2cdd9ac4fd9c26df57022b7f145b2e00f052685597022c0cdc4a7d2c22718f
                                                                                            • Instruction ID: 25de9565472c321c94d96be564c37ce41b480890a68a8c1ca5566e8e66fd353c
                                                                                            • Opcode Fuzzy Hash: ca2cdd9ac4fd9c26df57022b7f145b2e00f052685597022c0cdc4a7d2c22718f
                                                                                            • Instruction Fuzzy Hash: FC5106B5724212AFDB158F64D849BBE7BFAFF88200F054819E44ACB380DB74E801C790
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 354f00d5ee29b7ce88f0fcdaead2ea56d0f0641c64e0e47870bb10b6230976d2
                                                                                            • Instruction ID: 4ad22c4f042da08b72762daf757741e88d0a49f5b4a1771aea13e301d8e9865f
                                                                                            • Opcode Fuzzy Hash: 354f00d5ee29b7ce88f0fcdaead2ea56d0f0641c64e0e47870bb10b6230976d2
                                                                                            • Instruction Fuzzy Hash: 635190B5B251129FCB14DF39C899A7A7BEABF4825070644BAF40ACF361EB70DC018B50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b288a636eb0bc13e201fa44b869474e41b68e436dc67dcad08e720702615f1db
                                                                                            • Instruction ID: 1ddb4abbc76c5e7b236b2bc431f0cbf8ce51e039e37136ba1e6192729494799a
                                                                                            • Opcode Fuzzy Hash: b288a636eb0bc13e201fa44b869474e41b68e436dc67dcad08e720702615f1db
                                                                                            • Instruction Fuzzy Hash: 2E518035F102199BDB19EBB5C4506AEBBB2BFC4700F148529E406BB380DF34AD46CB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e98162bb724360e3d6b4e8e55284a8865656c70060351ab239cc5b5501ae046a
                                                                                            • Instruction ID: 6923525316bedbe9f2eb5cbf001903da5c76e07ad07f023a12d15fd8b8858c17
                                                                                            • Opcode Fuzzy Hash: e98162bb724360e3d6b4e8e55284a8865656c70060351ab239cc5b5501ae046a
                                                                                            • Instruction Fuzzy Hash: 7481B174E112698FDB65DF29D894BEDBBB2BF89300F1080EAD849A7254DB715E81CF40
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b7f8b6e4b1f5c3dbb72b5e307fc9afac423322cbb5d205b926233261cc17c40a
                                                                                            • Instruction ID: ed09048cbad6df9aa47e0a77f0221d1097f0607ec6f1a491e3ffe1c205a9cd2f
                                                                                            • Opcode Fuzzy Hash: b7f8b6e4b1f5c3dbb72b5e307fc9afac423322cbb5d205b926233261cc17c40a
                                                                                            • Instruction Fuzzy Hash: 2741CE343107028FD724AB39D819B3A7BE6BFC5644F14856DE44ACB3A0EB60EC058B40
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 19ec5bb2e2f9674e30405a371a8b548e9d6a9870243a9e83c378ff7c6f8a7249
                                                                                            • Instruction ID: ca6ad2b8ee49e82449b34424443ea138a8b7f8c8fd3c070acbeb98c38193f913
                                                                                            • Opcode Fuzzy Hash: 19ec5bb2e2f9674e30405a371a8b548e9d6a9870243a9e83c378ff7c6f8a7249
                                                                                            • Instruction Fuzzy Hash: 29415575E1021ADBDB14DFA5C891AEEBBF5BF88700F148129E406B7240DB70AD46CF90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e3339959f5ddb4c69efb55dcdfec807395902da296a26e6f5fea7630736d6105
                                                                                            • Instruction ID: 0f45e29362c4938491c244a0064ae0e71f625a3d08e0aa0ef0a871f6ef4f825d
                                                                                            • Opcode Fuzzy Hash: e3339959f5ddb4c69efb55dcdfec807395902da296a26e6f5fea7630736d6105
                                                                                            • Instruction Fuzzy Hash: 8F4148B5624115DFCB18DF68D849AAE7BB2BF88311F110069FA0ACB3A1DB70DD51CB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 522323ba46892338ba2715d61c48dec96f2709b8bb52dbf0f88e1169f72edc95
                                                                                            • Instruction ID: 84e9e8f739e1e3275670f178b13f2d43fac404fa56c98f7ac492da09f96fff54
                                                                                            • Opcode Fuzzy Hash: 522323ba46892338ba2715d61c48dec96f2709b8bb52dbf0f88e1169f72edc95
                                                                                            • Instruction Fuzzy Hash: 7DC18B74E11218CFDB54DFA5C994BADBBB2BF89300F6080A9D809BB254DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fc42d8c69716160e298ce373ac31d7fbb0c9f1bcd11389ba0237d7c905a5cfe1
                                                                                            • Instruction ID: c264d8bb66b33b7bfa123a582d83b597f95c137b50c8b427e8f5b0f23701784c
                                                                                            • Opcode Fuzzy Hash: fc42d8c69716160e298ce373ac31d7fbb0c9f1bcd11389ba0237d7c905a5cfe1
                                                                                            • Instruction Fuzzy Hash: 0FC19E74E11218CFDB54DFA5C984BADBBB2BF89300F6080A9D809AB355DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c689da7d66c4e6e3f19a497a4d1e7c7d81209863c3d60e20c6e49c1740322304
                                                                                            • Instruction ID: 7b55788db51586dfe14d202a38e474daede2b4ac3841483ee431b63a0782db93
                                                                                            • Opcode Fuzzy Hash: c689da7d66c4e6e3f19a497a4d1e7c7d81209863c3d60e20c6e49c1740322304
                                                                                            • Instruction Fuzzy Hash: 74C1AF74E11218CFDB54DFA5D984BADBBB2BF89300F6081A9D809AB354DB359E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 49f9bfbb9d06d9baa4615c5ec9444dbe52af33d56451f419846caf576d97a7ca
                                                                                            • Instruction ID: 5a474d68192065e30b19b364a0aa36d323e9ca0b2733cecc3928a5c32bef5cc6
                                                                                            • Opcode Fuzzy Hash: 49f9bfbb9d06d9baa4615c5ec9444dbe52af33d56451f419846caf576d97a7ca
                                                                                            • Instruction Fuzzy Hash: FCC1AF74E10218CFDB54DFA5C984BADBBB2BF89300F6080A9D809AB355DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cb08f2ea7a1e5e6f94f3c5a1ffb2052ee97022273fd883320ef6ab003d20e671
                                                                                            • Instruction ID: 9e403fcb4e31e0e74b0e3d987ff25451704a499bbc52e8df954356ddf0139bdf
                                                                                            • Opcode Fuzzy Hash: cb08f2ea7a1e5e6f94f3c5a1ffb2052ee97022273fd883320ef6ab003d20e671
                                                                                            • Instruction Fuzzy Hash: C7C1A074E10218CFDB54DFA5C994BADBBB2BF89300F6080A9D409AB364DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e68b338fb2e15a3fa0d03e089be8eeed9c27903ce9127e18ce9ce29d55bfbd06
                                                                                            • Instruction ID: 2da6324dc0062a6342eb2c977609f95c2e1bf016189062b4647d42be51bfb927
                                                                                            • Opcode Fuzzy Hash: e68b338fb2e15a3fa0d03e089be8eeed9c27903ce9127e18ce9ce29d55bfbd06
                                                                                            • Instruction Fuzzy Hash: 6BC1AF74E10218CFDB54DFA5C984BADBBB2BF89300F6080A9D809AB355DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d6b20bc5fc26e12b4d08e48f94103515609b7c81967381c6c93e2ac8005efacc
                                                                                            • Instruction ID: 6e26ebdf252c2974bf3f02907b97cd4c77b3557be47e9c1528a63d6fb2542572
                                                                                            • Opcode Fuzzy Hash: d6b20bc5fc26e12b4d08e48f94103515609b7c81967381c6c93e2ac8005efacc
                                                                                            • Instruction Fuzzy Hash: 47C1AF74E01218CFDB54DFA5D944BADBBB2BF89300F5080A9D809AB355DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4fb57a525e94563903bb7d19534ae22bc95b0f7db05f887dd181d4de15a9f81a
                                                                                            • Instruction ID: 595d7c6d358d83caeffb83ade1dd1f85644d17b99c015172775e1e9835cd8493
                                                                                            • Opcode Fuzzy Hash: 4fb57a525e94563903bb7d19534ae22bc95b0f7db05f887dd181d4de15a9f81a
                                                                                            • Instruction Fuzzy Hash: F3C1A074E11218CFDB54DFA5C944BADBBB2BF89300F6080A9D809AB355DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cecc1b743f05e01e1176e7d45fa8a1d1c3a8a12172341990437d6b6103e9a84b
                                                                                            • Instruction ID: 8063f21050db709458f36da4e9de273885252fbb13433ecb43cdb1d4869f43a4
                                                                                            • Opcode Fuzzy Hash: cecc1b743f05e01e1176e7d45fa8a1d1c3a8a12172341990437d6b6103e9a84b
                                                                                            • Instruction Fuzzy Hash: 57C19E74E10218CFDB54EFA5C984BADBBB2BF89300F6081A9D409AB355DB359E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ab65d9642cf84491c9c85b8dcde8ba14abf222d5ee8f4fd5978c0a18887bd768
                                                                                            • Instruction ID: 921087dd96a1e8892ddd0c5415066c177944a9d32ee5c6b8166d95fec5e10fc0
                                                                                            • Opcode Fuzzy Hash: ab65d9642cf84491c9c85b8dcde8ba14abf222d5ee8f4fd5978c0a18887bd768
                                                                                            • Instruction Fuzzy Hash: 1AC19D74E10218CFDB54DFA5C984BADBBB2BF89300F6081A9D809AB355DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b07b4ff8f80f459072c56eacc9bb1ad9a8a26066a321fec796e4f704a4b236e4
                                                                                            • Instruction ID: b32380eb14dddd77f7f8238ee2a2e1ea399aeb9cf44e6163e21bbdbedcfed740
                                                                                            • Opcode Fuzzy Hash: b07b4ff8f80f459072c56eacc9bb1ad9a8a26066a321fec796e4f704a4b236e4
                                                                                            • Instruction Fuzzy Hash: C6C19D74E01218CFDB54DFA5C994BADBBB2BF89300F6080A9D809AB355DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: bbe47238a7160a46b2ed4649925cbb57afa7319fdedc428d2e350cb76a0b8d25
                                                                                            • Instruction ID: 1c92995c1ac82ed78b1d97fb33d5a2ae510883879346cb0f27a1520ce8a0ff75
                                                                                            • Opcode Fuzzy Hash: bbe47238a7160a46b2ed4649925cbb57afa7319fdedc428d2e350cb76a0b8d25
                                                                                            • Instruction Fuzzy Hash: 0DC1AE74E01218CFDB54DFA5C984BADBBB2BF89300F6081A9D809AB354DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2cd551924b3063a7484b6334a6a5a0039df82c187f933f0cc38e6a4689fec7cb
                                                                                            • Instruction ID: f86c4ea3a42293b472375c6a492c59bac529724384df89b041d31eac1715874e
                                                                                            • Opcode Fuzzy Hash: 2cd551924b3063a7484b6334a6a5a0039df82c187f933f0cc38e6a4689fec7cb
                                                                                            • Instruction Fuzzy Hash: 24C19F74E11218CFDB54DFA5C984BADBBB2BF89300F6080A9D409AB364DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d6e346a8a0dcc497f3b9e9a9496639dbb7b6bb2820d860f9da4cd236b5ee0747
                                                                                            • Instruction ID: a2138b8ae5274c4a0f368deefa96e02b1635ab9918a34c958ad051654ddddfb2
                                                                                            • Opcode Fuzzy Hash: d6e346a8a0dcc497f3b9e9a9496639dbb7b6bb2820d860f9da4cd236b5ee0747
                                                                                            • Instruction Fuzzy Hash: C4C19B74E10218CFDB54DFA5C984BADBBB2AF89300F6081A9D809BB254DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 668d551b2a3304634449d05783b30cb44399f23151c98f4c0e632fac0bb9c4c5
                                                                                            • Instruction ID: 4f387551bef25944c267dc18bb4826868626df33a4d195caea678ab4a11935f2
                                                                                            • Opcode Fuzzy Hash: 668d551b2a3304634449d05783b30cb44399f23151c98f4c0e632fac0bb9c4c5
                                                                                            • Instruction Fuzzy Hash: 60C1A074E10218CFDB54DFA5C944BADBBB2BF89300F6080A9D809AB355DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 54b0863229733745b92c4ef28284988c9aac65cbe06bb9b17ddea42ca4020edd
                                                                                            • Instruction ID: 72bfb6084c1dd3efdfdba7f6d7b177c24290b6452d16189c56ca812529238796
                                                                                            • Opcode Fuzzy Hash: 54b0863229733745b92c4ef28284988c9aac65cbe06bb9b17ddea42ca4020edd
                                                                                            • Instruction Fuzzy Hash: 1CC1AF74E11218CFDB54DFA5C984BADBBB2BF89300F6081A9D409AB364DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c41c02a9ba939b393dc2b604eb46cdbe6f46dbf57e6ae4e67d902bab71c8d3f0
                                                                                            • Instruction ID: fe03fa701ce9a83d9bbd6d6c38dbef8213079bce4d62947a70d72fbc76aa6ccf
                                                                                            • Opcode Fuzzy Hash: c41c02a9ba939b393dc2b604eb46cdbe6f46dbf57e6ae4e67d902bab71c8d3f0
                                                                                            • Instruction Fuzzy Hash: 54C1AF74E00218CFDB54DFA9C984BADBBB2BF89300F6081A9D409AB355DB359E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 90df24e77397eb8e96db396c242da3ffd955a4a6efff92c897055e2a221f60e5
                                                                                            • Instruction ID: 1d690285feb398fd6b27af588af95e72972d0cda5ab59978874a3ad5c7dbccdc
                                                                                            • Opcode Fuzzy Hash: 90df24e77397eb8e96db396c242da3ffd955a4a6efff92c897055e2a221f60e5
                                                                                            • Instruction Fuzzy Hash: C9C1AF74E00218CFDB54DFA5C984BADBBB2BF89300F6081A9D809AB354DB359E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 25b659608dc679676257335d6f88d422f06e52357c8d1db2b9085f221b6e895e
                                                                                            • Instruction ID: d0b403e83d8d56373c2e998e1fb406df12e7d1722b2b87d4769a6e934f75afd1
                                                                                            • Opcode Fuzzy Hash: 25b659608dc679676257335d6f88d422f06e52357c8d1db2b9085f221b6e895e
                                                                                            • Instruction Fuzzy Hash: D1C1AE74E00218CFDB54DFA5C984BADBBB2BF89300F6085A9D809AB355DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b6534f5b4ab42b915432d70f0fc7f6755899d56c97df5563277ecb65d9e6faf1
                                                                                            • Instruction ID: aef14a5bf4b03a0c8b82a5fe0291e24822248c9732b6acccaf278de90d8427d0
                                                                                            • Opcode Fuzzy Hash: b6534f5b4ab42b915432d70f0fc7f6755899d56c97df5563277ecb65d9e6faf1
                                                                                            • Instruction Fuzzy Hash: 8BC1AE74E01218CFDB54DFA5C994BADBBB2BF89300F6080A9D809AB355DB359E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f26b25dcec94bd8aa01498fc07d981b7c2e56670802a4666c89707435e2dbef2
                                                                                            • Instruction ID: 8339b6304f117038d56d80e80bd50fedee8f9a5de16aa5109dea254d90bfc884
                                                                                            • Opcode Fuzzy Hash: f26b25dcec94bd8aa01498fc07d981b7c2e56670802a4666c89707435e2dbef2
                                                                                            • Instruction Fuzzy Hash: 6DC1AF74E11218CFDB54DFA5D984BADBBB2BF89300F6080A9D809AB354DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 44f817d70cb2b2012f48c3f85a00981fac7cee3b83d03bb447ece40f1bb6f450
                                                                                            • Instruction ID: a85be137240bd6175d9c72ab52ceaebdae67d3507b1fd786a1655d2228907edf
                                                                                            • Opcode Fuzzy Hash: 44f817d70cb2b2012f48c3f85a00981fac7cee3b83d03bb447ece40f1bb6f450
                                                                                            • Instruction Fuzzy Hash: 61C1BF74E10218CFDB54DFA5C984BADBBB2BF89300F6080A9D809AB354DB359E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5fa49f1e95d9ad89f42081a051a7febfc18ebb46b475dbc625886ab73666be68
                                                                                            • Instruction ID: 98ccf6aaf5347d9d86179de43e5d838834e4087914998bc85c51529ed7b55408
                                                                                            • Opcode Fuzzy Hash: 5fa49f1e95d9ad89f42081a051a7febfc18ebb46b475dbc625886ab73666be68
                                                                                            • Instruction Fuzzy Hash: 17C1AF74E11218CFDB54DFA5C994BADBBB2BF89300F6080A9D809AB354DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d93caf633a5b5f07212249b1ca0c4c5b64d72c3c860d65696dc119e3bc8e35b5
                                                                                            • Instruction ID: 77394ea5099a8cca1385da9fd34c5e4a7d1aceb26bc122833c922bab1eadca76
                                                                                            • Opcode Fuzzy Hash: d93caf633a5b5f07212249b1ca0c4c5b64d72c3c860d65696dc119e3bc8e35b5
                                                                                            • Instruction Fuzzy Hash: 67C1A074E11218CFDB54DFA5C944BADBBB2BF89300F6081A9D809AB354DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: bdd07bb3e99759ea33244d0187ce719f99f508140574a73b6c2d77e70eec09e4
                                                                                            • Instruction ID: 16f399850757edc8eb7d5b7a7a3b374ec2db035085e02e67b6b53df7a9a26da3
                                                                                            • Opcode Fuzzy Hash: bdd07bb3e99759ea33244d0187ce719f99f508140574a73b6c2d77e70eec09e4
                                                                                            • Instruction Fuzzy Hash: C1C1B074E10218CFDB54DFA5D944BADBBB2BF89300F6080A9D809AB365DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0d0d39ef12cde9aa0735a6cfcadd509365fc6b9513d34a02d4ec4167b3b07b52
                                                                                            • Instruction ID: e1b837771d29a361b2c7e236fcc2940b79f016419398b24740cb2f240e35c1fa
                                                                                            • Opcode Fuzzy Hash: 0d0d39ef12cde9aa0735a6cfcadd509365fc6b9513d34a02d4ec4167b3b07b52
                                                                                            • Instruction Fuzzy Hash: 63C1BF74E10218CFDB14DFA5C984BADBBB2BF89300F6480A9D809AB354DB359E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 146d9c4e1b4e323a13889df4ecacc0d08c50885733867f5b166399705c9ef881
                                                                                            • Instruction ID: a6f4b67d35da1df58ae7ff69ee76bd3cc749dddf8b2b8a93a6ba8c5f1670af5f
                                                                                            • Opcode Fuzzy Hash: 146d9c4e1b4e323a13889df4ecacc0d08c50885733867f5b166399705c9ef881
                                                                                            • Instruction Fuzzy Hash: E3C19F78E11218CFDB54DFA5C954BADBBB2BF89300F6080A9D809AB354DB359E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2742067362.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5230000_InstallUtil.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 16a82e47529e0cb595b05d239ddd23331e5cdda19d2ca8ee6c1ffb26f0a54617
                                                                                            • Instruction ID: 582798d3b05c87f5ad69492e99ff91b2443b1b5788425a178ab8257c7e04724a
                                                                                            • Opcode Fuzzy Hash: 16a82e47529e0cb595b05d239ddd23331e5cdda19d2ca8ee6c1ffb26f0a54617
                                                                                            • Instruction Fuzzy Hash: 95C19E74E11218CFDB54DFA5C984BADBBB2BF89300F6080A9D809AB354DB359E81CF50