Edit tour

Windows Analysis Report
nDHL_AWB_6078538091_scr.exe

Overview

General Information

Sample name:	nDHL_AWB_6078538091_scr.exe
Analysis ID:	1518416
MD5:	cb44c4a51aae324c4e6b46a35a0a74d5
SHA1:	e5d778b7fbb2fb0c03bf9e4bbdf92f342c76b899
SHA256:	66472d444cb6711510279a537213dac4de18ef68b30c50bb92789ceeb2d7bd1c
Tags:	DHLexeFormbooknDHL_AWB_6078538091_scruser-abuse_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Allocates memory in foreign processes

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

nDHL_AWB_6078538091_scr.exe (PID: 2376 cmdline: "C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe" MD5: CB44C4A51AAE324C4E6B46A35A0A74D5)

InstallUtil.exe (PID: 2284 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

Tcdyttxfbca.exe (PID: 4020 cmdline: "C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe" MD5: CB44C4A51AAE324C4E6B46A35A0A74D5)

InstallUtil.exe (PID: 4536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

Tcdyttxfbca.exe (PID: 1824 cmdline: "C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe" MD5: CB44C4A51AAE324C4E6B46A35A0A74D5)

InstallUtil.exe (PID: 4316 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "nffplp.com", "Username": "airlet@nffplp.com", "Password": "$Nke%8XIIDtm"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1570629164.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1496540734.0000000005F90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1570629164.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2700048230.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.1664175759.000000000340C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.1664483302.00000000025F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.1664483302.0000000002597000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1664483302.0000000002597000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2700048230.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1570629164.0000000002C87000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1570629164.0000000002C87000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.1664483302.00000000025CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1468627740.0000000003111000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.1568824306.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: nDHL_AWB_6078538091_scr.exe PID: 2376	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: nDHL_AWB_6078538091_scr.exe PID: 2376	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 2284	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 2284	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Tcdyttxfbca.exe PID: 4020	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Tcdyttxfbca.exe PID: 4020	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 4536	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 4536	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Tcdyttxfbca.exe PID: 1824	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Tcdyttxfbca.exe PID: 1824	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 4316	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 4316	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.nDHL_AWB_6078538091_scr.exe.5f90000.12.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.nDHL_AWB_6078538091_scr.exe.4db1fb0.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.nDHL_AWB_6078538091_scr.exe.4b86250.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe, ProcessId: 2376, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tcdyttxfbca

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 163.44.198.71, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 2284, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49706

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: InstallUtil.exe.4316.7.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "nffplp.com", "Username": "airlet@nffplp.com", "Password": "$Nke%8XIIDtm"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe

ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: nDHL_AWB_6078538091_scr.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: nDHL_AWB_6078538091_scr.exe

Joe Sandbox ML: detected

Source: nDHL_AWB_6078538091_scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: nDHL_AWB_6078538091_scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004FC3000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003383000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1497780094.0000000006260000.00000004.08000000.00040000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1498197628.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000003252000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1664175759.0000000003578000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004FC3000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003383000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1497780094.0000000006260000.00000004.08000000.00040000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1498197628.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000003252000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1664175759.0000000003578000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_0603D7C8
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_0606FE02
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_0606FE08
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 4x nop then jmp 060646C4h	0_2_060644B0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 4x nop then jmp 060646C4h	0_2_060644C0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 4x nop then jmp 0606B658h	0_2_0606B598
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 4x nop then jmp 0606B658h	0_2_0606B5A0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 4x nop then jmp 06084803h	0_2_06084758
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 4x nop then jmp 060811E1h	0_2_06080E98
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 4x nop then jmp 060811E1h	0_2_06080EA8
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 4x nop then jmp 060811E1h	0_2_06080F90
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 4x nop then jmp 06084803h	0_2_06084758
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	3_2_05DBD7C8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 05DEB658h	3_2_05DEB598
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 05DEB658h	3_2_05DEB5A0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 05DE46C4h	3_2_05DE44C0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 05DE46C4h	3_2_05DE44B0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	3_2_05DEFE08
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	3_2_05DEFE03
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 05E04803h	3_2_05E04758
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 05E011E1h	3_2_05E00F90
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 05E011E1h	3_2_05E00EA8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 05E011E1h	3_2_05E00E98
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 05E04803h	3_2_05E04758
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	6_2_0623D7C8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	6_2_0626FE02
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	6_2_0626FE08
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 062646C4h	6_2_062644B0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 062646C4h	6_2_062644C0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 0626B658h	6_2_0626B5A0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 0626B658h	6_2_0626B598
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 06284803h	6_2_06284758
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 062811E1h	6_2_06280EA8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 062811E1h	6_2_06280E98
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 062811E1h	6_2_06280F90
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 4x nop then jmp 06284803h	6_2_06284758

Source: global traffic

TCP traffic: 192.168.2.9:49706 -> 163.44.198.71:587

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.9:49706 -> 163.44.198.71:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: nffplp.com

Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodo
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1567070498.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C75000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2696912738.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1660340383.0000000000770000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertifi
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C75000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C75000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: InstallUtil.exe, 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: InstallUtil.exe, 00000002.00000002.1570629164.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.00000000025CE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nffplp.com
Source: InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.com
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1567070498.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C75000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2696912738.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.com~v(
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003383000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000003252000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1664175759.0000000003578000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1602077026.0000000004DD4000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1692713652.0000000005164000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C75000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003111000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1664175759.0000000003415000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe			Jump to behavior

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0606CED8 NtProtectVirtualMemory,	0_2_0606CED8
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0606E410 NtResumeThread,	0_2_0606E410
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0606CED0 NtProtectVirtualMemory,	0_2_0606CED0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0606E409 NtResumeThread,	0_2_0606E409
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DEE410 NtResumeThread,	3_2_05DEE410
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DECED8 NtProtectVirtualMemory,	3_2_05DECED8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DEE409 NtResumeThread,	3_2_05DEE409
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DECED0 NtProtectVirtualMemory,	3_2_05DECED0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0626CED8 NtProtectVirtualMemory,	6_2_0626CED8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0626E410 NtResumeThread,	6_2_0626E410
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0626CED0 NtProtectVirtualMemory,	6_2_0626CED0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0626E409 NtResumeThread,	6_2_0626E409

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_02F65790	0_2_02F65790
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_02F698B8	0_2_02F698B8
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_02F661CC	0_2_02F661CC
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_02F6ED40	0_2_02F6ED40
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_02F65780	0_2_02F65780
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_05EE0048	0_2_05EE0048
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_05EE0002	0_2_05EE0002
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_05F866F0	0_2_05F866F0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_05F859E0	0_2_05F859E0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_05F859D1	0_2_05F859D1
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_05F86C68	0_2_05F86C68
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_05F80040	0_2_05F80040
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_05F80006	0_2_05F80006
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_05F866E1	0_2_05F866E1
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_05F85268	0_2_05F85268
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_05F85258	0_2_05F85258
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0603001E	0_2_0603001E
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06030040	0_2_06030040
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0603ECD0	0_2_0603ECD0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_060319A7	0_2_060319A7
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06053E88	0_2_06053E88
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_060507CF	0_2_060507CF
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06050B07	0_2_06050B07
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_060519E8	0_2_060519E8
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06069C90	0_2_06069C90
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06066128	0_2_06066128
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06067729	0_2_06067729
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06067738	0_2_06067738
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0606C010	0_2_0606C010
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06060878	0_2_06060878
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06069C80	0_2_06069C80
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06066118	0_2_06066118
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06088E00	0_2_06088E00
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06080218	0_2_06080218
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06086B90	0_2_06086B90
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06089900	0_2_06089900
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06087E27	0_2_06087E27
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06080E98	0_2_06080E98
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06080EA8	0_2_06080EA8
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06080F90	0_2_06080F90
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0608D591	0_2_0608D591
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0608D5D0	0_2_0608D5D0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0608D5E0	0_2_0608D5E0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06088DF3	0_2_06088DF3
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06086B81	0_2_06086B81
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0608DBA0	0_2_0608DBA0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0608DBB0	0_2_0608DBB0
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_060898F3	0_2_060898F3
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06390007	0_2_06390007
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06390040	0_2_06390040
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_063AD130	0_2_063AD130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110A310	2_2_0110A310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E318	2_2_0110E318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011063B0	2_2_011063B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011096F8	2_2_011096F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110A810	2_2_0110A810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110AB38	2_2_0110AB38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01105BC0	2_2_01105BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01106F30	2_2_01106F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_011063A0	2_2_011063A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E610	2_2_0110E610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E62C	2_2_0110E62C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110E69A	2_2_0110E69A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110A809	2_2_0110A809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01105B1F	2_2_01105B1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01105B35	2_2_01105B35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110AB2C	2_2_0110AB2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01109A40	2_2_01109A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01102A9C	2_2_01102A9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01102AA8	2_2_01102AA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01106F27	2_2_01106F27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110AEF8	2_2_0110AEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0633FB68	2_2_0633FB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06335C62	2_2_06335C62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_063330BE	2_2_063330BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_063726B8	2_2_063726B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_063756C8	2_2_063756C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0637ACF0	2_2_0637ACF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_063795C8	2_2_063795C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0637EA00	2_2_0637EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0637D2D8	2_2_0637D2D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06370040	2_2_06370040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06377880	2_2_06377880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0637D920	2_2_0637D920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_063726AB	2_2_063726AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0637CE98	2_2_0637CE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0637BF60	2_2_0637BF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0637A4A8	2_2_0637A4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0637ACE0	2_2_0637ACE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_063784D3	2_2_063784D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_063784D8	2_2_063784D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06379D38	2_2_06379D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0637F510	2_2_0637F510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06379D48	2_2_06379D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06378D90	2_2_06378D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0637CA58	2_2_0637CA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0637B284	2_2_0637B284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_063772E0	2_2_063772E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06377305	2_2_06377305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0637BBB0	2_2_0637BBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06370006	2_2_06370006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06377870	2_2_06377870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0637D911	2_2_0637D911
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0637E9F2	2_2_0637E9F2
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_015198B8	3_2_015198B8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_01516218	3_2_01516218
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_0151ED40	3_2_0151ED40
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_01515790	3_2_01515790
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_01515780	3_2_01515780
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05D066F0	3_2_05D066F0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05D059D1	3_2_05D059D1
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05D059E0	3_2_05D059E0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05D00040	3_2_05D00040
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05D06C68	3_2_05D06C68
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05D00007	3_2_05D00007
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05D066E1	3_2_05D066E1
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05D05258	3_2_05D05258
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05D05268	3_2_05D05268
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DB19A7	3_2_05DB19A7
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DBECD0	3_2_05DBECD0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DB0040	3_2_05DB0040
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DB0007	3_2_05DB0007
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DD07CF	3_2_05DD07CF
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DD19E8	3_2_05DD19E8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DD0B07	3_2_05DD0B07
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DE6128	3_2_05DE6128
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DE9C90	3_2_05DE9C90
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DE6118	3_2_05DE6118
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DE4938	3_2_05DE4938
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DE9C80	3_2_05DE9C80
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DE0878	3_2_05DE0878
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DEC010	3_2_05DEC010
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DE7738	3_2_05DE7738
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DE7729	3_2_05DE7729
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05E07F70	3_2_05E07F70
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05E08A70	3_2_05E08A70
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05E00218	3_2_05E00218
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05E0CD88	3_2_05E0CD88
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05E0CD78	3_2_05E0CD78
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05E0C7A8	3_2_05E0C7A8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05E00F90	3_2_05E00F90
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05E0C799	3_2_05E0C799
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05E07F60	3_2_05E07F60
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05E00EA8	3_2_05E00EA8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05E00E98	3_2_05E00E98
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05E07679	3_2_05E07679
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05E08A61	3_2_05E08A61
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_06010026	3_2_06010026
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_06010040	3_2_06010040
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_0602D130	3_2_0602D130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B6A1D8	4_2_00B6A1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B695C0	4_2_00B695C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B66500	4_2_00B66500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B6A6D8	4_2_00B6A6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B6E6C0	4_2_00B6E6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B6AA00	4_2_00B6AA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B66DF8	4_2_00B66DF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B664F1	4_2_00B664F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B6550B	4_2_00B6550B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B6A6C8	4_2_00B6A6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B6E9B8	4_2_00B6E9B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B6A9F0	4_2_00B6A9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B6E9D4	4_2_00B6E9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B65910	4_2_00B65910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B69908	4_2_00B69908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B6EA42	4_2_00B6EA42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B62B06	4_2_00B62B06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B62C00	4_2_00B62C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B66DE8	4_2_00B66DE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E057C1	4_2_05E057C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1E990	4_2_05E1E990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1DD70	4_2_05E1DD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E19958	4_2_05E19958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1D8A1	4_2_05E1D8A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1B080	4_2_05E1B080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E10040	4_2_05E10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E17C10	4_2_05E17C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E103D0	4_2_05E103D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1D268	4_2_05E1D268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E15658	4_2_05E15658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1263B	4_2_05E1263B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1C9E8	4_2_05E1C9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1E981	4_2_05E1E981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E19120	4_2_05E19120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1A0C8	4_2_05E1A0C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1A0D8	4_2_05E1A0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1F8A0	4_2_05E1F8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E10040	4_2_05E10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E18863	4_2_05E18863
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E18868	4_2_05E18868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1B070	4_2_05E1B070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1A838	4_2_05E1A838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E17C00	4_2_05E17C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E10007	4_2_05E10007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1001F	4_2_05E1001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E103C0	4_2_05E103C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1BF40	4_2_05E1BF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1C2F0	4_2_05E1C2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1CE28	4_2_05E1CE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E1B614	4_2_05E1B614
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_018598B8	6_2_018598B8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_01856218	6_2_01856218
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0185ED40	6_2_0185ED40
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_01855780	6_2_01855780
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_01855790	6_2_01855790
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_061866F0	6_2_061866F0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06185258	6_2_06185258
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06185268	6_2_06185268
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_061866E1	6_2_061866E1
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06180007	6_2_06180007
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06180040	6_2_06180040
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06186C68	6_2_06186C68
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_061859D1	6_2_061859D1
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_061859E0	6_2_061859E0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0623001F	6_2_0623001F
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06230040	6_2_06230040
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0623ECD0	6_2_0623ECD0
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_062319A7	6_2_062319A7
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_062507CF	6_2_062507CF
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06250B07	6_2_06250B07
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_062519E8	6_2_062519E8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06269C90	6_2_06269C90
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06266128	6_2_06266128
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06267729	6_2_06267729
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06267738	6_2_06267738
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0626C010	6_2_0626C010
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06260878	6_2_06260878
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06269C80	6_2_06269C80
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06266118	6_2_06266118
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06287F70	6_2_06287F70
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06280218	6_2_06280218
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06288A70	6_2_06288A70
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0628767A	6_2_0628767A
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06280EA8	6_2_06280EA8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06280E98	6_2_06280E98
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06287F60	6_2_06287F60
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0628C740	6_2_0628C740
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0628C750	6_2_0628C750
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06280F90	6_2_06280F90
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0628CD20	6_2_0628CD20
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0628CD30	6_2_0628CD30
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06288A61	6_2_06288A61
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06490040	6_2_06490040
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06490006	6_2_06490006
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_064AD130	6_2_064AD130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A9A1D8	7_2_02A9A1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A9E6C0	7_2_02A9E6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A9A6D8	7_2_02A9A6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A995C0	7_2_02A995C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A96500	7_2_02A96500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A9AA00	7_2_02A9AA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A92E88	7_2_02A92E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A96DF8	7_2_02A96DF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A93285	7_2_02A93285
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A932C2	7_2_02A932C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A932DB	7_2_02A932DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A93202	7_2_02A93202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A9326A	7_2_02A9326A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A93240	7_2_02A93240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A93256	7_2_02A93256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A9533D	7_2_02A9533D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A9A6C8	7_2_02A9A6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A964F4	7_2_02A964F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A9EA42	7_2_02A9EA42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A92BF2	7_2_02A92BF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A9E9B8	7_2_02A9E9B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A9A9F0	7_2_02A9A9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A9E9D4	7_2_02A9E9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A99908	7_2_02A99908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A92C00	7_2_02A92C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A96DE8	7_2_02A96DE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A9ADC0	7_2_02A9ADC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02A9ADD0	7_2_02A9ADD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_065457C1	7_2_065457C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06555658	7_2_06555658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655D268	7_2_0655D268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655263A	7_2_0655263A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_065503D0	7_2_065503D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06550040	7_2_06550040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06557C10	7_2_06557C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655B080	7_2_0655B080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655D8A1	7_2_0655D8A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06559958	7_2_06559958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655DD70	7_2_0655DD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06559120	7_2_06559120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655E990	7_2_0655E990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655B614	7_2_0655B614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06553220	7_2_06553220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655CE28	7_2_0655CE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655C2F0	7_2_0655C2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655BF40	7_2_0655BF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_065503C0	7_2_065503C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655B070	7_2_0655B070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06558862	7_2_06558862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06558868	7_2_06558868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06550006	7_2_06550006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06557C00	7_2_06557C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655A838	7_2_0655A838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655A0D8	7_2_0655A0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655A0C8	7_2_0655A0C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06550040	7_2_06550040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655F8A0	7_2_0655F8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655C9E8	7_2_0655C9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0655E982	7_2_0655E982

Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1488219580.0000000005910000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMrhjishcuy.dll" vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1498197628.000000000720F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1458608672.00000000013DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004FC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003383000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1497780094.0000000006260000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003111000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004111000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMrhjishcuy.dll" vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMrhjishcuy.dll" vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000000.1442310652.0000000000E0A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameairtel.exe. vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1498197628.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1498197628.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameairtel.exe. vs nDHL_AWB_6078538091_scr.exe
Source: nDHL_AWB_6078538091_scr.exe	Binary or memory string: OriginalFilenameairtel.exe. vs nDHL_AWB_6078538091_scr.exe

Source: nDHL_AWB_6078538091_scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@2/2

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe

File created: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: nDHL_AWB_6078538091_scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: nDHL_AWB_6078538091_scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nDHL_AWB_6078538091_scr.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe

File read: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe "C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe"
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe "C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe"
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe "C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe"
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: nDHL_AWB_6078538091_scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: nDHL_AWB_6078538091_scr.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: nDHL_AWB_6078538091_scr.exe

Static file information: File size 2324480 > 1048576

Source: nDHL_AWB_6078538091_scr.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x236e00

Source: nDHL_AWB_6078538091_scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004FC3000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003383000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1497780094.0000000006260000.00000004.08000000.00040000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1498197628.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000003252000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1664175759.0000000003578000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004FC3000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003383000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1497780094.0000000006260000.00000004.08000000.00040000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1498197628.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000003252000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1664175759.0000000003578000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.nDHL_AWB_6078538091_scr.exe.5f90000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nDHL_AWB_6078538091_scr.exe.4db1fb0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nDHL_AWB_6078538091_scr.exe.4b86250.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1496540734.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1664175759.000000000340C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1468627740.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1568824306.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nDHL_AWB_6078538091_scr.exe PID: 2376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Tcdyttxfbca.exe PID: 4020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Tcdyttxfbca.exe PID: 1824, type: MEMORYSTR

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_05EE2EA7 push esp; retf	0_2_05EE2EA8
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_05F8A227 push ebp; retf	0_2_05F8A22A
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06033265 pushad ; iretd	0_2_0603326C
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06030526 push ss; ret	0_2_06030527
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06069752 push es; ret	0_2_0606976C
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0606B099 push es; retf	0_2_0606B09C
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_06086498 push esp; iretd	0_2_06086499
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0608C8F3 push es; ret	0_2_0608C8F4
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Code function: 0_2_0639318C push E8000001h; retf	0_2_06393191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0633121B push ebp; iretd	2_2_0633121F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06331744 push eax; iretd	2_2_06331748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06330F84 push edi; iretd	2_2_06330F88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_063314E9 push edx; iretd	2_2_063314EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0633294C push cs; iretd	2_2_0633294F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06372F89 push es; ret	2_2_06372FA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06376941 push es; iretd	2_2_06376950
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05642EA7 push esp; retf	3_2_05642EA8
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05D0A227 push ebp; retf	3_2_05D0A22A
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DB0526 push ss; ret	3_2_05DB0527
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DB3265 pushad ; iretd	3_2_05DB326C
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05DE42D9 push ebx; ret	3_2_05DE42DA
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_05E06498 push esp; iretd	3_2_05E06499
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 3_2_0601318C push E8000001h; retf	3_2_06013191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_00B6DE88 pushfd ; ret	4_2_00B6DE89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05E0C46B push esi; ret	4_2_05E0C471
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0618CE31 push es; iretd	6_2_0618CE34
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0618A227 push ebp; retf	6_2_0618A22A
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0618CA6D push es; ret	6_2_0618CA78
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0618CAFF push es; iretd	6_2_0618CB00
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_0618CC5F push es; ret	6_2_0618CC60
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Code function: 6_2_06233265 pushad ; iretd	6_2_0623326C

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe

File created: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe

Jump to dropped file

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tcdyttxfbca			Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tcdyttxfbca			Jump to behavior

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: nDHL_AWB_6078538091_scr.exe PID: 2376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Tcdyttxfbca.exe PID: 4020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Tcdyttxfbca.exe PID: 1824, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003111000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.0000000002597000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Memory allocated: 3110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Memory allocated: 5110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Memory allocated: 6F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Memory allocated: 6100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory allocated: 14D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory allocated: 2E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory allocated: 6B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory allocated: 5E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory allocated: 1850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory allocated: 3370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory allocated: 3230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory allocated: 7010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory allocated: 6300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4C00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_06335C62 rdtsc

2_2_06335C62

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799920	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799804	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799673	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799594	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2722	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2773	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7066	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7474	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1780	Thread sleep count: 2722 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -99888s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1780	Thread sleep count: 7110 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -99668s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -99558s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -99172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -98937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -98812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -98703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -98594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -98463s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -98250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -97922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -97812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -97594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -97469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -97250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -97140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -97023s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -96922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -96811s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -96703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -96592s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -96482s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -96371s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -96256s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -96128s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -95999s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -95890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -95781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -95671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -95562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -95344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -95234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -95125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -95015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -94905s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -94797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -94685s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -94578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -94469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -94359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -94250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -94140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -94030s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6924	Thread sleep time: -93836s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6176	Thread sleep count: 2773 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6176	Thread sleep count: 7066 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -99651s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -98999s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -98891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -98766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -98515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -98405s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -98138s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -97973s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -97734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -97625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -97515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -97406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -97297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -97182s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -97078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -96969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -96849s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -96734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -96625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -96516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -96406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -96297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -96187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -96078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -95969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -95859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -95750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -95640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -95530s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -95422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -95312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -95203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -95089s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -94947s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -94841s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -94734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -1799920s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -1799804s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -1799673s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -1799547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -1799438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2844	Thread sleep time: -1799328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5364	Thread sleep count: 2374 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5364	Thread sleep count: 7474 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -98999s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -98891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -98124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -98009s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -97903s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -97652s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -97450s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -97344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -97234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -97125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -97016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -96906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -96797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -96688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -96469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -96344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -96234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -96125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -96016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -95906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -95796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -95687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -95578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -95469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -95344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -95234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -95062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -94950s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -94826s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -94717s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -94609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -94500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -1799922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -1799812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -1799703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608	Thread sleep time: -1799594s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99888	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99668	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99558	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98463	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97023	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96811	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96592	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96482	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96371	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96256	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96128	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94685	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94030	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 93836	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99651	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98405	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98138	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97973	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97182	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96849	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95530	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95089	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94947	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94841	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799920	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799804	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799673	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98009	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97903	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97652	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97450	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94950	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94826	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94717	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799594	Jump to behavior

Source: InstallUtil.exe, 00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VIRTUAL#vmware%VirtualBox&root\CIMV2'SELECT * FROM Win32_VideoController(Name)VMware
Source: InstallUtil.exe, 00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: InstallUtil.exe, 00000004.00000002.1682859235.00000000058EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 4_2_00B6C7B4 CheckRemoteDebuggerPresent,

4_2_00B6C7B4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_06335C62 rdtsc

2_2_06335C62

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 560000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 560000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 492000	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 494000	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: AB6008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 560000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 562000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 5F2000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 5F4000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 342008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 492000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 494000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: A79008	Jump to behavior

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Queries volume information: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Queries volume information: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Queries volume information: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000002.00000002.1570629164.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1570629164.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2700048230.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1664483302.00000000025F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1664483302.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2700048230.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1570629164.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1664483302.00000000025CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4316, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1664483302.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1570629164.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4316, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000002.00000002.1570629164.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1570629164.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2700048230.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1664483302.00000000025F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1664483302.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2700048230.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1570629164.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1664483302.00000000025CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4316, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	311 Process Injection	2 Obfuscated Files or Information	11 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Credentials in Registry	641 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	11 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	261 Virtualization/Sandbox Evasion	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nDHL_AWB_6078538091_scr.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Leonem
nDHL_AWB_6078538091_scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Leonem

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://nffplp.com	0%	Avira URL Cloud	safe
http://ocsp.com	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-neti	0%	Avira URL Cloud	safe
http://crl.comodo	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-net	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-netJ	0%	Avira URL Cloud	safe
http://ip-api.com	0%	Avira URL Cloud	safe
http://ocsp.com~v(	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true		unknown
nffplp.com	163.44.198.71	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nffplp.com	InstallUtil.exe, 00000002.00000002.1570629164.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.00000000025CE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.000000000591A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1682859235.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.00000000025D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C75000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-neti	nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003111000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1664175759.0000000003415000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	InstallUtil.exe, 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1602077026.0000000004DD4000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1692713652.0000000005164000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.comodo	InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.com	InstallUtil.exe, 00000007.00000002.2714825696.0000000005F10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	InstallUtil.exe, 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1494728095.0000000005F10000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.com~v(	InstallUtil.exe, 00000002.00000002.1588599097.0000000005603000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	nDHL_AWB_6078538091_scr.exe, 00000000.00000002.1468627740.0000000003383000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000003.00000002.1568824306.0000000003252000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, Tcdyttxfbca.exe, 00000006.00000002.1664175759.0000000003578000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
163.44.198.71	nffplp.com	Singapore		135161	GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518416
Start date and time:	2024-09-25 17:09:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nDHL_AWB_6078538091_scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/2@2/2
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 85% Number of executed functions: 446 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 2284 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: nDHL_AWB_6078538091_scr.exe

Simulations

Behavior and APIs

Time	Type	Description
11:10:20	API Interceptor	1366359x Sleep call for process: InstallUtil.exe modified
16:10:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Tcdyttxfbca C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe
16:10:27	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Tcdyttxfbca C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	CCE_000110.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	rMT103SwiftCopyoFPayment.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	QUOTE_467654.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PO Invoice XJ210821Q.PDF.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PO Invoice XJ210821Q.PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	comprobante_HSBC_765543465768798086756458665345768.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Company profile.js	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win32.SpywareX-gen.28752.22116.exe	Get hash	malicious	PureLog Stealer	Browse	ip-api.com/json/
	SecuriteInfo.com.Win32.SpywareX-gen.28752.22116.exe	Get hash	malicious	PureLog Stealer	Browse	ip-api.com/json/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nffplp.com	IDR-500000000.scr.exe	Get hash	malicious	AgentTesla	Browse	163.44.198.71
	Payment-Details.scr.exe	Get hash	malicious	AgentTesla	Browse	163.44.198.71
	Outward Remittance_Payment Receipt.exe	Get hash	malicious	AgentTesla	Browse	163.44.198.71
	SOA Payment for June 30th.exe	Get hash	malicious	AgentTesla	Browse	163.44.198.71
	US00061Q0904081THBKK.exe	Get hash	malicious	AgentTesla	Browse	163.44.198.71
	SecuriteInfo.com.Win32.PWSX-gen.17036.7156.exe	Get hash	malicious	AgentTesla	Browse	163.44.198.71
	SecuriteInfo.com.Win32.PWSX-gen.25669.202.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	163.44.198.71
	Commercial_Inv_and_PList.exe	Get hash	malicious	AgentTesla	Browse	163.44.198.71
ip-api.com	CCE_000110.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rMT103SwiftCopyoFPayment.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	QUOTE_467654.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	http://getcloudapp.com	Get hash	malicious	Unknown	Browse	208.95.112.2
	PO Invoice XJ210821Q.PDF.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PO Invoice XJ210821Q.PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	comprobante_HSBC_765543465768798086756458665345768.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Company profile.js	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	208.95.112.1
	SecuriteInfo.com.Win32.SpywareX-gen.28752.22116.exe	Get hash	malicious	PureLog Stealer	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	https://16883719-16-20211227182314.webstarterz.com/hdfckychdfclog/index.php	Get hash	malicious	Unknown	Browse	150.95.98.21
	islHUvTZcI.exe	Get hash	malicious	GuLoader	Browse	118.27.130.234
	islHUvTZcI.exe	Get hash	malicious	GuLoader	Browse	118.27.130.234
	IDR-500000000.scr.exe	Get hash	malicious	AgentTesla	Browse	163.44.198.71
	eCRzQywfQl.exe	Get hash	malicious	GuLoader	Browse	118.27.130.234
	P.O_Qouts_t87E90Y-E4R7G-PDF.exe	Get hash	malicious	Remcos, GuLoader	Browse	118.27.130.234
	Payment-Details.scr.exe	Get hash	malicious	AgentTesla	Browse	163.44.198.71
	Qoute_EXW_prices_43GJI_pdf.exe	Get hash	malicious	Remcos, GuLoader	Browse	118.27.130.234
	Qoute_EXW_prices_43GJI_pdf.exe	Get hash	malicious	Remcos, GuLoader	Browse	118.27.130.234
	https://cpanel12wh.bkk1.cloud.z.com/~cp318430/app/browser/info/billing2.php/	Get hash	malicious	Unknown	Browse	163.44.198.61
TUT-ASUS	0umBa15TaN.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	0umBa15TaN.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	CCE_000110.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rMT103SwiftCopyoFPayment.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	QUOTE_467654.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	http://getcloudapp.com	Get hash	malicious	Unknown	Browse	208.95.112.2
	PO Invoice XJ210821Q.PDF.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PO Invoice XJ210821Q.PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	comprobante_HSBC_765543465768798086756458665345768.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2324480
Entropy (8bit):	4.060050924280117
Encrypted:	false
SSDEEP:	24576:d9e7mYTj0ZlM4m97t5fDnuvCvLvW6cnhBceUEIqCJz1:
MD5:	CB44C4A51AAE324C4E6B46A35A0A74D5
SHA1:	E5D778B7FBB2FB0C03BF9E4BBDF92F342C76B899
SHA-256:	66472D444CB6711510279A537213DAC4DE18EF68B30C50BB92789CEEB2D7BD1C
SHA-512:	986A70A3A8379866524529FF68B4F18BDB4D49BFD02CE1F30419B0652543247CD2F969B730217A6FD4D0BACBBA6D56CF34A0F509AD574EB27060468E70BED209
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................n#...........#.. ....#...@.. ........................#...........`..................................#.W.....#.......................#...................................................... ............... ..H............text...$l#.. ...n#................. ..`.rsrc.........#......p#.............@..@.reloc........#......v#.............@..B..................#.....H.......d=#.`N...........8....#..........................................(.....(......((....~....:....r...p.....(....o)...s........~.....~...........j(....rC..p~....o+...t......((.....}......}......}......o<...}......o=.....{......{....o<....;.....{....9.....{....o.....{.....{....o=.....{....(,...u8...%:....&.8....(-...u....J.{.....s....(/...&...s9....~.....~......(B...:&....~....{....;.....u....:....ra..ps5...z2.{....o4...2.{....o5...J.(....}.....((...*6.

C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.060050924280117
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	nDHL_AWB_6078538091_scr.exe
File size:	2'324'480 bytes
MD5:	cb44c4a51aae324c4e6b46a35a0a74d5
SHA1:	e5d778b7fbb2fb0c03bf9e4bbdf92f342c76b899
SHA256:	66472d444cb6711510279a537213dac4de18ef68b30c50bb92789ceeb2d7bd1c
SHA512:	986a70a3a8379866524529ff68b4f18bdb4d49bfd02ce1f30419b0652543247cd2f969b730217a6fd4d0bacbba6d56cf34a0f509ad574eb27060468e70bed209
SSDEEP:	24576:d9e7mYTj0ZlM4m97t5fDnuvCvLvW6cnhBceUEIqCJz1:
TLSH:	DAB58DF490AF40D1FC075EC56828BED6073235B3CEE90824276E7A085FBFD996549E4A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................n#...........#.. ....#...@.. ........................#...........`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x638c1e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F3AE81 [Wed Sep 25 06:32:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x238bc4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23a000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x23c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x236c24	0x236e00	193ecb745ff3064c929e57c2f5f0597f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x23a000	0x596	0x600	653652ca56872110eb396cca7c5780fd	False	0.4140625	data	4.023936480290302	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x23c000	0xc	0x200	0fd5de226b711ad50c6b54c1b8df34a0	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x23a0a0	0x30c	data			0.4269230769230769
RT_MANIFEST	0x23a3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 17:10:20.377135038 CEST	49705	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:20.381985903 CEST	80	49705	208.95.112.1	192.168.2.9
Sep 25, 2024 17:10:20.382070065 CEST	49705	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:20.387079000 CEST	49705	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:20.391865015 CEST	80	49705	208.95.112.1	192.168.2.9
Sep 25, 2024 17:10:20.905216932 CEST	80	49705	208.95.112.1	192.168.2.9
Sep 25, 2024 17:10:20.944935083 CEST	49705	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:22.117827892 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:22.122823000 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:22.122921944 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:23.873440027 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:23.873852015 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:23.878928900 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:24.222423077 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:24.226977110 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:24.232136965 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:24.574682951 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:24.582079887 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:24.587614059 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:24.945894957 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:24.945916891 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:24.945993900 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:24.946074009 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:24.946089983 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:24.946167946 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:25.033111095 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:25.092350006 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:25.098722935 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:25.104242086 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:25.445257902 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:25.493936062 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:25.581355095 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:25.586534023 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:25.926361084 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:25.927655935 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:25.932645082 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:26.274265051 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:26.274730921 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:26.279966116 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:26.638402939 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:26.638731003 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:26.644001961 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:26.984375954 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:26.984805107 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:26.989886045 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:27.391125917 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:27.391505957 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:27.396552086 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:27.737287998 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:27.776575089 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:27.776675940 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:27.781445026 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:27.781826019 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:27.783302069 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:27.783318996 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:27.790198088 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:27.790281057 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:28.457297087 CEST	587	49706	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:28.507409096 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:30.005316973 CEST	49707	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:30.010953903 CEST	80	49707	208.95.112.1	192.168.2.9
Sep 25, 2024 17:10:30.011172056 CEST	49707	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:30.011284113 CEST	49707	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:30.016109943 CEST	80	49707	208.95.112.1	192.168.2.9
Sep 25, 2024 17:10:30.501503944 CEST	80	49707	208.95.112.1	192.168.2.9
Sep 25, 2024 17:10:30.554263115 CEST	49707	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:32.090485096 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:32.095372915 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:32.095452070 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:32.638088942 CEST	49705	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:32.638091087 CEST	49706	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:32.961317062 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:32.961564064 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:32.966347933 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:33.306761026 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:33.307060003 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:33.311881065 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:33.670084000 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:33.678440094 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:33.683289051 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:34.037256002 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:34.037281036 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:34.037296057 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:34.037321091 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:34.037379026 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:34.037424088 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:34.124295950 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:34.136292934 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:34.141894102 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:34.481960058 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:34.496340990 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:34.502717018 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:34.960644960 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:34.961131096 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:34.968174934 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:35.317001104 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:35.317394018 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:35.324213028 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:35.688873053 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:35.689223051 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:35.694113970 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:36.033842087 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:36.034123898 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:36.041477919 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:36.438131094 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:36.438525915 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:36.443485022 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:36.783025026 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:36.784028053 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:36.784115076 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:36.784115076 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:36.784184933 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:36.789055109 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:36.789128065 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:36.789171934 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:36.789182901 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:37.387743950 CEST	587	49708	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:37.429291010 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:39.433439016 CEST	49714	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:39.440291882 CEST	80	49714	208.95.112.1	192.168.2.9
Sep 25, 2024 17:10:39.440361977 CEST	49714	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:39.440644979 CEST	49714	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:39.445812941 CEST	80	49714	208.95.112.1	192.168.2.9
Sep 25, 2024 17:10:40.769870043 CEST	80	49714	208.95.112.1	192.168.2.9
Sep 25, 2024 17:10:40.771117926 CEST	80	49714	208.95.112.1	192.168.2.9
Sep 25, 2024 17:10:40.771178007 CEST	49714	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:40.772082090 CEST	80	49714	208.95.112.1	192.168.2.9
Sep 25, 2024 17:10:40.772216082 CEST	49714	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:41.441109896 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:41.446155071 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:41.446229935 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:41.926238060 CEST	49708	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:41.926584005 CEST	49707	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:10:42.316292048 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:42.316519976 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:42.321373940 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:42.663503885 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:42.664007902 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:42.668998003 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:43.014631987 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:43.018532991 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:43.023432016 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:43.380414009 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:43.380446911 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:43.380472898 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:43.380498886 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:43.380568027 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:43.380729914 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:43.468332052 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:43.515782118 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:43.521265984 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:43.863221884 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:43.913806915 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:43.964890003 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:43.972822905 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:44.314655066 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:44.315107107 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:44.321002960 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:44.663291931 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:44.663729906 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:44.668746948 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:45.026407957 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:45.026777029 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:45.031930923 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:45.374273062 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:45.374646902 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:45.379976034 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:45.788234949 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:45.788851976 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:45.796138048 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:46.337337017 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:46.349807978 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:46.349931002 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:46.363017082 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:46.363101006 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:46.363111019 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:46.363152981 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:10:46.369956017 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:46.370054007 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:46.370214939 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:46.370374918 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:46.968682051 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:10:47.023083925 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:11:31.446034908 CEST	49714	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:11:31.451839924 CEST	80	49714	208.95.112.1	192.168.2.9
Sep 25, 2024 17:11:31.451953888 CEST	49714	80	192.168.2.9	208.95.112.1
Sep 25, 2024 17:12:21.460972071 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:12:21.679569006 CEST	49715	587	192.168.2.9	163.44.198.71
Sep 25, 2024 17:12:21.856163979 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:12:21.856185913 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:12:22.199887991 CEST	587	49715	163.44.198.71	192.168.2.9
Sep 25, 2024 17:12:22.204258919 CEST	49715	587	192.168.2.9	163.44.198.71

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 17:10:20.363380909 CEST	54467	53	192.168.2.9	1.1.1.1
Sep 25, 2024 17:10:20.370559931 CEST	53	54467	1.1.1.1	192.168.2.9
Sep 25, 2024 17:10:21.716533899 CEST	55911	53	192.168.2.9	1.1.1.1
Sep 25, 2024 17:10:22.116449118 CEST	53	55911	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 25, 2024 17:10:20.363380909 CEST	192.168.2.9	1.1.1.1	0xe039	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Sep 25, 2024 17:10:21.716533899 CEST	192.168.2.9	1.1.1.1	0xb044	Standard query (0)	nffplp.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 25, 2024 17:10:20.370559931 CEST	1.1.1.1	192.168.2.9	0xe039	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Sep 25, 2024 17:10:22.116449118 CEST	1.1.1.1	192.168.2.9	0xb044	No error (0)	nffplp.com		163.44.198.71	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49705	208.95.112.1	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 17:10:20.387079000 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Sep 25, 2024 17:10:20.905216932 CEST	175	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 15:10:20 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49707	208.95.112.1	80	4536	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 17:10:30.011284113 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Sep 25, 2024 17:10:30.501503944 CEST	175	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 15:10:29 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 50 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49714	208.95.112.1	80	4316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 17:10:39.440644979 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Sep 25, 2024 17:10:40.769870043 CEST	175	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 15:10:39 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 40 X-Rl: 42 Data Raw: 66 61 6c 73 65 0a Data Ascii: false
Sep 25, 2024 17:10:40.771117926 CEST	175	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 15:10:39 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 40 X-Rl: 42 Data Raw: 66 61 6c 73 65 0a Data Ascii: false
Sep 25, 2024 17:10:40.772082090 CEST	175	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 15:10:39 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 40 X-Rl: 42 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 25, 2024 17:10:23.873440027 CEST	587	49706	163.44.198.71	192.168.2.9	220-cpanel16wh.bkk1.cloud.z.com ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 22:10:23 +0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 17:10:23.873852015 CEST	49706	587	192.168.2.9	163.44.198.71	EHLO 376483
Sep 25, 2024 17:10:24.222423077 CEST	587	49706	163.44.198.71	192.168.2.9	250-cpanel16wh.bkk1.cloud.z.com Hello 376483 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Sep 25, 2024 17:10:24.226977110 CEST	49706	587	192.168.2.9	163.44.198.71	STARTTLS
Sep 25, 2024 17:10:24.574682951 CEST	587	49706	163.44.198.71	192.168.2.9	220 TLS go ahead
Sep 25, 2024 17:10:32.961317062 CEST	587	49708	163.44.198.71	192.168.2.9	220-cpanel16wh.bkk1.cloud.z.com ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 22:10:32 +0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 17:10:32.961564064 CEST	49708	587	192.168.2.9	163.44.198.71	EHLO 376483
Sep 25, 2024 17:10:33.306761026 CEST	587	49708	163.44.198.71	192.168.2.9	250-cpanel16wh.bkk1.cloud.z.com Hello 376483 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Sep 25, 2024 17:10:33.307060003 CEST	49708	587	192.168.2.9	163.44.198.71	STARTTLS
Sep 25, 2024 17:10:33.670084000 CEST	587	49708	163.44.198.71	192.168.2.9	220 TLS go ahead
Sep 25, 2024 17:10:42.316292048 CEST	587	49715	163.44.198.71	192.168.2.9	220-cpanel16wh.bkk1.cloud.z.com ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 22:10:42 +0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 25, 2024 17:10:42.316519976 CEST	49715	587	192.168.2.9	163.44.198.71	EHLO 376483
Sep 25, 2024 17:10:42.663503885 CEST	587	49715	163.44.198.71	192.168.2.9	250-cpanel16wh.bkk1.cloud.z.com Hello 376483 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Sep 25, 2024 17:10:42.664007902 CEST	49715	587	192.168.2.9	163.44.198.71	STARTTLS
Sep 25, 2024 17:10:43.014631987 CEST	587	49715	163.44.198.71	192.168.2.9	220 TLS go ahead

Target ID:	0
Start time:	11:10:15
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nDHL_AWB_6078538091_scr.exe"
Imagebase:	0xbd0000
File size:	2'324'480 bytes
MD5 hash:	CB44C4A51AAE324C4E6B46A35A0A74D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1496540734.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1468627740.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1478653873.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:10:17
Start date:	25/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x8b0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1570629164.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1570629164.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1570629164.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1570629164.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1570629164.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:10:26
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe"
Imagebase:	0x930000
File size:	2'324'480 bytes
MD5 hash:	CB44C4A51AAE324C4E6B46A35A0A74D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.1568824306.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:10:28
Start date:	25/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x190000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1664483302.000000000256C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1664483302.00000000025F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1664483302.0000000002597000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1664483302.0000000002597000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1664483302.00000000025CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:10:35
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe"
Imagebase:	0xdb0000
File size:	2'324'480 bytes
MD5 hash:	CB44C4A51AAE324C4E6B46A35A0A74D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000006.00000002.1664175759.000000000340C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:10:36
Start date:	25/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x970000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2700048230.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2700048230.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2700048230.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2700048230.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	97%
Signature Coverage:	7.9%
Total number of Nodes:	203
Total number of Limit Nodes:	19

Executed Functions

Function 05EE0048 Relevance: 3.0, Strings: 1, Instructions: 1779COMMON

Download Yara Rule

Strings

U, xrefs: 05EE08B4

Memory Dump Source

Source File: 00000000.00000002.1490481238.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 03d860796023a3c3ff6b463efedb6b973e31742be0bfa40c6b670c183208100b
Instruction ID: b3f53872b13c49c26654bce22d50440167ca4ccab94117f619f63ae077953460
Opcode Fuzzy Hash: 03d860796023a3c3ff6b463efedb6b973e31742be0bfa40c6b670c183208100b
Instruction Fuzzy Hash: 67F29370919388DFEB1ACBB4C859BAE7F75BF06304F19409AE181DB2A2C7785845CB61

Function 05EE0002 Relevance: 2.5, Strings: 1, Instructions: 1278COMMON

Download Yara Rule

Strings

U, xrefs: 05EE08B4

Memory Dump Source

Source File: 00000000.00000002.1490481238.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: b4aa568f8aa84dfb30c11ce10621771e604b77114a803937227bcc26d6d918f7
Instruction ID: 01d786838464825944ea4f24d4af6d6d4ee815a31042d0c5175cbe0c88670c35
Opcode Fuzzy Hash: b4aa568f8aa84dfb30c11ce10621771e604b77114a803937227bcc26d6d918f7
Instruction Fuzzy Hash: 7AB24D7195D3C49FE71B8B748C59BAA3F75AB13305F1904DAE1859B2E3C2B84848CB62

Function 060507CF Relevance: 2.4, Strings: 1, Instructions: 1100COMMON

Download Yara Rule

Strings

4, xrefs: 060511B5

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 58baae9c016bd31dc5e3eb48436c7a4869ff008ae9cc3dda0aa859d1e00ef7d4
Instruction ID: d219b8ce89ef1be7dc8702034904e4e9daa2c4766ebcc12a1180502dbc97ea83
Opcode Fuzzy Hash: 58baae9c016bd31dc5e3eb48436c7a4869ff008ae9cc3dda0aa859d1e00ef7d4
Instruction Fuzzy Hash: 22B2FA34A40219CFDB54CF95C994BAEBBB6FF48300F158599E906AB2A5CB70ED81CF50

Function 06069C90 Relevance: 1.8, Strings: 1, Instructions: 544
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 06069D9C

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: b0c8e25a21c77fe49be3248bc8b1bade42a24621f8fe97f516876ac99ef66220
Instruction ID: 05fb4a2951f11016bc46bcc28c3a22b99e3e597f28e58c28c063c1d488d8c21f
Opcode Fuzzy Hash: b0c8e25a21c77fe49be3248bc8b1bade42a24621f8fe97f516876ac99ef66220
Instruction Fuzzy Hash: F142C271D006298BDB64DF69C854BD9BBB2BF89310F1486EAD50DB7250DB30AE85CF90

Function 06050B07 Relevance: 1.7, Strings: 1, Instructions: 495COMMON

Download Yara Rule

Strings

4, xrefs: 060511B5

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: c274d01350781468abec298cb2ed9e608cd1e0401478dfa937e4079eb53b260d
Instruction ID: 249b0e52a4bdf4ec15ab89b76be20df06a194bd94a348266ef622058197613d0
Opcode Fuzzy Hash: c274d01350781468abec298cb2ed9e608cd1e0401478dfa937e4079eb53b260d
Instruction Fuzzy Hash: E3220C34A40219CFDBA4CF95C994BADBBB2FF48300F1584D9D909AB2A5DB71AD81CF50

Function 0606CED0 Relevance: 1.6, APIs: 1, Instructions: 107
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0606CF8D

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 46824641189a0e9d6d4124f919e66b837fcea751cd691d743dce67593ec1fc94
Instruction ID: d72f76079dff4a78e19517e38938c7bc5fb34a31c688c3ea3bd8f578815d7b69
Opcode Fuzzy Hash: 46824641189a0e9d6d4124f919e66b837fcea751cd691d743dce67593ec1fc94
Instruction Fuzzy Hash: 664198B4D00258DFDF10CFAAD880AEEFBB1BB09310F14902AE858B7200C735A941CF64

Function 0606CED8 Relevance: 1.6, APIs: 1, Instructions: 105
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0606CF8D

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: c0741b95ab8acafa01d4f81b8f99a600e8bcdabdbf9437d8f16eb83086cee970
Instruction ID: e55e2b83830997fe2f565a11d9ef73685584cfa72a9f881fa23ebda716a94213
Opcode Fuzzy Hash: c0741b95ab8acafa01d4f81b8f99a600e8bcdabdbf9437d8f16eb83086cee970
Instruction Fuzzy Hash: FF4197B5D04258DFDF10CFAAD880AEEFBB1BB09310F14902AE819B7210D775A945CF68

Function 0606E409 Relevance: 1.6, APIs: 1, Instructions: 84nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0606E49E

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 698717315c7899e826823d42704c28cdd8985832ae02735db22266ca56626c5b
Instruction ID: e4ec20743823e2bbb974c2686496c54962e89a76940bc2caa2115c4720809e5c
Opcode Fuzzy Hash: 698717315c7899e826823d42704c28cdd8985832ae02735db22266ca56626c5b
Instruction Fuzzy Hash: 0831CAB8D052189FDF10CFAAD884AEEFBF1BB49310F14842AE854B7240C775A945CFA4

Function 0606E410 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0606E49E

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 65f83fc4c123da2e2897f7f0d8224fecfe088b21ac0f988f3ea562b83eb20e83
Instruction ID: a716b14b824c9bbedd2ac76ddd17119969015f9bc33ea810e91de2b5960ac5ee
Opcode Fuzzy Hash: 65f83fc4c123da2e2897f7f0d8224fecfe088b21ac0f988f3ea562b83eb20e83
Instruction Fuzzy Hash: 7431A9B9D052189FDF10CFAAD884AAEFBF5FB49310F14942AE814B7240C775A945CFA4

Function 060898F3 Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

L~S, xrefs: 06089CBF

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: L~S
API String ID: 0-2828360707
Opcode ID: f79195e5625e90181d66885dd017fe03ecb447dc8c11a27c15a384249256cd0f
Instruction ID: fc4c4ce7c012862508a76abddd2ef6c5d3d27f321c76310df6014591d08d3960
Opcode Fuzzy Hash: f79195e5625e90181d66885dd017fe03ecb447dc8c11a27c15a384249256cd0f
Instruction Fuzzy Hash: 8FD11470E45218CFEB94EFA9D984BADBBF1FB49300F10806AD859A7354DB385985CF80

Function 06089900 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

L~S, xrefs: 06089CBF

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: L~S
API String ID: 0-2828360707
Opcode ID: 95ff5cb5de878858b4ba52c68033cc97955b4c4843d7b38047143175ffd3c1a8
Instruction ID: 04a482c2859e1d9145eff55d8b3ee2d039777a5569517fea79b8c4482d047d51
Opcode Fuzzy Hash: 95ff5cb5de878858b4ba52c68033cc97955b4c4843d7b38047143175ffd3c1a8
Instruction Fuzzy Hash: 7DD11470E45218CFEB94EFA9D884BADBBF5FB49300F109069D859A7354DB385985CF80

Function 0608D5D0 Relevance: 1.5, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

C}J, xrefs: 0608D832

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: C}J
API String ID: 0-2552927176
Opcode ID: 5ba789fb7a1ace8043cf780da60f08160d7301564f38c2381ac2b5664d3d00ab
Instruction ID: f28ec70ddfd1bfe30a391a2e57d632a4034d10e5280e21bf947bf6b49ceb491f
Opcode Fuzzy Hash: 5ba789fb7a1ace8043cf780da60f08160d7301564f38c2381ac2b5664d3d00ab
Instruction Fuzzy Hash: 1DC14670E4520CCFEB98EFA5D484BADBBB2EF49300F20916AD459A7395DB345985CF40

Function 0608D591 Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

C}J, xrefs: 0608D832

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: C}J
API String ID: 0-2552927176
Opcode ID: b6a36e993c9d8049949c9de168193bad80753e89e08da2cbdb2e0b1d2cb5a9cb
Instruction ID: 060672488c29083e92c04c69bc1d478ee3de3d3fc2281bd46ce3e21acfc9459f
Opcode Fuzzy Hash: b6a36e993c9d8049949c9de168193bad80753e89e08da2cbdb2e0b1d2cb5a9cb
Instruction Fuzzy Hash: 2EC12670E4520CCFEB98EF65D484BADBBB2EF49300F10916AD459A73A5DB345985CF40

Function 06069C80 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

h, xrefs: 06069D90

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: e4fa28e8e2bce43369193fb7e537ca1289380b323fc42f3f6e01665b38770d53
Instruction ID: b66889a5d07832191dfd050a8c6cccf3cf21afe8379d0caf890599513dc5b485
Opcode Fuzzy Hash: e4fa28e8e2bce43369193fb7e537ca1289380b323fc42f3f6e01665b38770d53
Instruction Fuzzy Hash: 1961C171D006298BEB64DF6AC854BD9BBB2FF89310F14C2AAD50DA7254EB305A85CF50

Function 02F698B8 Relevance: 1.0, Instructions: 983COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438198932ce46ae8dc89bf13826053df77a6c284f0b440dc05aee320851277d3
Instruction ID: 983c9550ca13eccaade8d9444ef85f91ef75f4784b146aedf5f3d675e93cd8e1
Opcode Fuzzy Hash: 438198932ce46ae8dc89bf13826053df77a6c284f0b440dc05aee320851277d3
Instruction Fuzzy Hash: 3CA2B375A00228DFDB65CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF40

Function 06053E88 Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21837e657d817c3cd9437454f05dbda93034bef759914828c3aedd3ee7666bd
Instruction ID: 6c7bfc738d4c82401ca4de15a9820f2cfe762640a923cef3351b4b058837614b
Opcode Fuzzy Hash: b21837e657d817c3cd9437454f05dbda93034bef759914828c3aedd3ee7666bd
Instruction Fuzzy Hash: E9222934B40205CFDB94DF69C984AAA7BF2FF89310B1684A9E905DB361DB31EC81CB51

Function 06087E27 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c5a4381974b11f8367627294df1daba141a7ad8b93161bb8efe9936356fa0d
Instruction ID: e6e48e8efa42ef84153b902ac46cad4a4808a423cb30865bfce71adcfac35f78
Opcode Fuzzy Hash: c5c5a4381974b11f8367627294df1daba141a7ad8b93161bb8efe9936356fa0d
Instruction Fuzzy Hash: 7DC11570E45248CFEB94DFA5D884BADBFB2EF49300F20806AD859AB399D7745985CF40

Function 06066128 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608d741ceecc8cc5b3882f579197ee4c833b339b9a6559c48c12de4501654694
Instruction ID: 3aa1ab7f02f05537edf5a8e21d303a1aa78c1bafad18e68028edbb6097cde524
Opcode Fuzzy Hash: 608d741ceecc8cc5b3882f579197ee4c833b339b9a6559c48c12de4501654694
Instruction Fuzzy Hash: BEC1F470D55218CFEBA4CFAAD488BADBBF1BF49304F108069E409AB255CB7659C4CF42

Function 06066118 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c5a8835aaea5fde1697c738317c92ee907387abd1c8a28c811139c2e812c56
Instruction ID: 888ebd5d970b7c51a2137eaa97aae4a6da704baa8566dfe39d921c356b3f9351
Opcode Fuzzy Hash: d5c5a8835aaea5fde1697c738317c92ee907387abd1c8a28c811139c2e812c56
Instruction Fuzzy Hash: 24C10470D55218CFEBA4CFA6D888BADBBF1BF49304F148069E409AB255CB7559C4CF42

Function 06088DF3 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f3f6a6bd123a6d39536a1462556314d55ae5957d3b02f3fa939d6c58288169
Instruction ID: 14a4efa22cca9e6ac9f35a5da3307b71120ef16700d2e7936b7742345afb8ca6
Opcode Fuzzy Hash: 54f3f6a6bd123a6d39536a1462556314d55ae5957d3b02f3fa939d6c58288169
Instruction Fuzzy Hash: 8EB1F370E46208CFEB94EF69D984BADBBB6FB89300F1090A9D459A7354DB345E85CF40

Function 06088E00 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e23142b1d93cb48faa9e5a6324aa2f64ac8ac227c6c8f05cac707b8ebe754a5
Instruction ID: 714d13b29f6fc89e183cffaaa641aae93c82662debb804f2f72d5de2569339e0
Opcode Fuzzy Hash: 7e23142b1d93cb48faa9e5a6324aa2f64ac8ac227c6c8f05cac707b8ebe754a5
Instruction Fuzzy Hash: 02B1F370E4520CCFEB94EF69D984BADBBB6FB89300F1090A9D459A7254DB345E89CF40

Function 06080218 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c47769a2cae55463fa235ecc65a167fd2e59b7f6a2d80a9546eae305d9d168
Instruction ID: a0f90d52d67d3876808fbb799f167fde7f7d2926d7260ab5923e92d8ae741593
Opcode Fuzzy Hash: c0c47769a2cae55463fa235ecc65a167fd2e59b7f6a2d80a9546eae305d9d168
Instruction Fuzzy Hash: 17B1F370E45218DFEB94DFA5D944BACBBF6BF49300F0050A9D44AAB291DB745E89CF01

Function 06086B81 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63852ed8bd66169a4252512e2bd3146bd0337983022f0e48b771c4f7927affc8
Instruction ID: 7f5178289f16b81b1e9d9c260e07e833902a035d8306135a90cfe12b390068df
Opcode Fuzzy Hash: 63852ed8bd66169a4252512e2bd3146bd0337983022f0e48b771c4f7927affc8
Instruction Fuzzy Hash: 81B120B0D54208CFEB58DFA9D994BADBBF2FF49300F10946AE418AB265DB355884CF00

Function 06086B90 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2d064df4965655fdf75a53a4d57c5831f28d7ec18f2ac5c49fe6a80753b08e
Instruction ID: 2e64a046151fc7bdbeb06d0fa9ed66a6e49e2fe3be22c27a2856300da37889b9
Opcode Fuzzy Hash: 5a2d064df4965655fdf75a53a4d57c5831f28d7ec18f2ac5c49fe6a80753b08e
Instruction Fuzzy Hash: D9B13170D54208CFEB54DFAAD994BADBBF2FF49300F119469E458AB265DB355884CF00

Function 05F866F0 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b35d1047dcb4921759440955b4b4302396333895e1bcc8c1b8a35c13df78d48
Instruction ID: daf5bf1a47a550f9eaf7b0b75ea5146f1f3583884d776b99259180ef44e9ba9f
Opcode Fuzzy Hash: 3b35d1047dcb4921759440955b4b4302396333895e1bcc8c1b8a35c13df78d48
Instruction Fuzzy Hash: 7DA1E274E05218CFEB14EFA9D884BADBBB6FF49300F209469D419EB255DB385985CF00

Function 05F866E1 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f703ebe85f5cef6dec881f748b4f76c72baace1ff097b26d26a748d2f0865864
Instruction ID: 83dd45e2aec6e510a54f2ad22c62d1a63fcb726ca575fc34a92aa5ccf74e7002
Opcode Fuzzy Hash: f703ebe85f5cef6dec881f748b4f76c72baace1ff097b26d26a748d2f0865864
Instruction Fuzzy Hash: CCA1E374E05218CFEB54EFA9D884BADBBB6FF49300F20946AD419EB255DB385985CF00

Function 02F65780 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227b05fa5572c7633067701a47758df81bb91fb71384e63d67c8f528cfc8a59e
Instruction ID: e83a6c38e8315a04b15c23a69bdfaabb480d274b31379e427e5252ffb5a165d3
Opcode Fuzzy Hash: 227b05fa5572c7633067701a47758df81bb91fb71384e63d67c8f528cfc8a59e
Instruction Fuzzy Hash: DC711CB1A00609CFEB48DFBBE95469EBBF2FB84300F14C129C418AB268EB755945CF41

Function 02F65790 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444f809888c234822d2d42338f3b75b931223f0c1e2714114d81653187949914
Instruction ID: dff3f3ee6f3ae4772d5ee6700b362dfed884eee8f84a65d3b18b13b61f3eb2ff
Opcode Fuzzy Hash: 444f809888c234822d2d42338f3b75b931223f0c1e2714114d81653187949914
Instruction Fuzzy Hash: 5F712DB0A00609CFEB48DFABE95469EBBF3FB84300F14C129C418AB268EB7559458F51

Function 06084758 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5593f037d88616440503f0d9d5b7f8cf2f63176f4fadfa94270368b209d56ea
Instruction ID: b7da2060cbf1bd9fd05d4b4c502fef33d71f9e092a13b5cd344bb2d5fb629c32
Opcode Fuzzy Hash: b5593f037d88616440503f0d9d5b7f8cf2f63176f4fadfa94270368b209d56ea
Instruction Fuzzy Hash: 7D411A70E45259CFEBA8DF6AC8407DDBBF6FB8A300F1090AAC449A7254DB744985CF40

Function 0608AE72 Relevance: 2.5, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1, xrefs: 0608AEA5
/, xrefs: 0608AE7C

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: /$1
API String ID: 0-1818638675
Opcode ID: e198f31ac9b83bc6c1b7611a17e78945e276680d43e7494d17342605dd7aa54f
Instruction ID: fed4f0575df07a5914ebf22f406cf2b96485ae7d7b84166b8031653a47392e67
Opcode Fuzzy Hash: e198f31ac9b83bc6c1b7611a17e78945e276680d43e7494d17342605dd7aa54f
Instruction Fuzzy Hash: DE1190B4A45268DFEB61DF59C884B9CBBB1BB48300F1080DAD589A7250D7769EC1CF14

Function 05F808C8 Relevance: 2.5, Strings: 2, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 05F80CD7
l, xrefs: 05F80C95

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: \$l
API String ID: 0-789299731
Opcode ID: b8c4465f426dff31d0c3453516000b9d27a3208f1cd13207e108425a51a70ac4
Instruction ID: 3867272e46d94d68131baff82e8d54842d8fc1ba4d97032ef9ef912a2ba05c5b
Opcode Fuzzy Hash: b8c4465f426dff31d0c3453516000b9d27a3208f1cd13207e108425a51a70ac4
Instruction Fuzzy Hash: A1F0DF3480A61CCFDF64EF10C84CBB9BABABB09315F806289C40932294CB381A88CF04

Function 0606D775 Relevance: 1.8, APIs: 1, Instructions: 266
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0606D9E7

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f3a667cc7ea9d53fb1d26cb17073ba150a1eb91e8f9fa58fb2e8632f6feb6f47
Instruction ID: 47f648251b4ef0fff853a842cfbe78599100b2f754c8af3bdd348e5185b94aa4
Opcode Fuzzy Hash: f3a667cc7ea9d53fb1d26cb17073ba150a1eb91e8f9fa58fb2e8632f6feb6f47
Instruction Fuzzy Hash: BCA10274E04218CFDBA0CFAAC8857EDBBF1BF09304F10916AE858A7290DB748985CF55

Function 0606D780 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0606D9E7

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cbba953d081da8185b7d2c416e6c000a8e1a301606bce4162fe67a96f3701fe9
Instruction ID: 3e50abcb4a2473e57acd82524da8d9a9c52fb09c446f6d9910fd49349e838d47
Opcode Fuzzy Hash: cbba953d081da8185b7d2c416e6c000a8e1a301606bce4162fe67a96f3701fe9
Instruction Fuzzy Hash: D9A1F174E04218CFDBA0CFAAC8857ADBBF1BF09304F14916AE858A7290DB749985CF55

Function 0606E1F1 Relevance: 1.6, APIs: 1, Instructions: 120
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0606E2CB

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 41714b03d9d70fb8489ca4ad8ece18fe234a92e45b6c4809ece53761f095978e
Instruction ID: c0df9d4d3511d9aee996ba1182b606616508c4d9d2540d0ee4cde206e1ebda4e
Opcode Fuzzy Hash: 41714b03d9d70fb8489ca4ad8ece18fe234a92e45b6c4809ece53761f095978e
Instruction Fuzzy Hash: DA41B9B5D052589FDF00CFAAD984AEEFBF1BB09310F14902AE858B7250C375AA41CF64

Function 0606E1F8 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0606E2CB

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 527296ebd35d93d6bbe38348dd6ac668e9d5eb7aa1e4d612a307512e1c0aca55
Instruction ID: 2fe5fbed8f87224c924bdc1549d5baf741878c19fe750d12e8320c2baeb083b7
Opcode Fuzzy Hash: 527296ebd35d93d6bbe38348dd6ac668e9d5eb7aa1e4d612a307512e1c0aca55
Instruction Fuzzy Hash: 4941BAB5D052599FDF00CFAAD984AEEFBF1BB09310F14902AE818B7250C375AA45CF64

Function 0606E090 Relevance: 1.6, APIs: 1, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0606E142

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d09b9dbaf397ca07fed7bdbbaf35076fc816136ac8ce62d1b8b8bc9a1492de2b
Instruction ID: bddd5e2fad65a2bb1eb6a9fff8fdce0185295c1164444a3a7a86efd77ed65532
Opcode Fuzzy Hash: d09b9dbaf397ca07fed7bdbbaf35076fc816136ac8ce62d1b8b8bc9a1492de2b
Instruction Fuzzy Hash: 4641A7B9D04248DFCF10CFA9D880AEEBBB1BB09310F10942AE815BB200D735A941CF64

Function 0606E098 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0606E142

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1ce7681feadc4a8a7ea9989657897ab3929b13c4db43e05e78a4c401767bb865
Instruction ID: 972b9d87b25cab8c5db0f181b390b4f928b60dbe36402d2525be2183a680501e
Opcode Fuzzy Hash: 1ce7681feadc4a8a7ea9989657897ab3929b13c4db43e05e78a4c401767bb865
Instruction Fuzzy Hash: 093197B9D04258DFCF10CFAAD880A9EFBB1BB49310F14942AE814BB210D775A941CF68

Function 0606E6E1 Relevance: 1.6, APIs: 1, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0606E78C

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a4e37523aca8cfe41ccd572751894aef5c0eec4fb3458d6126df71847fc5c522
Instruction ID: 740f1c783dd12d068bc2e2172aca52a9f07be5d78ccafde66f7fca4cc6bb379f
Opcode Fuzzy Hash: a4e37523aca8cfe41ccd572751894aef5c0eec4fb3458d6126df71847fc5c522
Instruction Fuzzy Hash: 0731B9B9D042589FDF10CFAAD884AEEFBB1AB09310F14942AE815B7210D775A945CF94

Function 0606E6E8 Relevance: 1.6, APIs: 1, Instructions: 98
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0606E78C

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9f6804a04551db6d16722b5056f47a6b15ef5547b9ef93e2fff66a66ce60236d
Instruction ID: 7375674987acfc899b29e0d1f14c46183cb9e347bbda73788c0c1b7cf7ff7f42
Opcode Fuzzy Hash: 9f6804a04551db6d16722b5056f47a6b15ef5547b9ef93e2fff66a66ce60236d
Instruction Fuzzy Hash: 5C31C9B9D04258DFDF10CFAAD884AEEFBB1BB09310F14902AE814B7210D775A945CFA4

Function 0606DB30 Relevance: 1.6, APIs: 1, Instructions: 98
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0606DBE7

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cdafaa81bd1f287f05275d49311548cb366670ffce2c1d8eaaf8f57d0f62816f
Instruction ID: 4c6b430beda9befcc5dcc2a2cc7c3fed0d0e934b9067c2b9ad05733e69b14c73
Opcode Fuzzy Hash: cdafaa81bd1f287f05275d49311548cb366670ffce2c1d8eaaf8f57d0f62816f
Instruction Fuzzy Hash: CA41BCB5D00218DFDB10CFAAD885AEEBBF1BF49310F14802AE415B7240D779A985CFA4

Function 0603D980 Relevance: 1.6, APIs: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0603DA24

Memory Dump Source

Source File: 00000000.00000002.1496992514.0000000006030000.00000040.00000800.00020000.00000000.sdmp, Offset: 06030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6030000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8ce3674ec0a3e40c5c470a1b5774e9803d4a08f5c92baaa27de129beea1d9346
Instruction ID: 7e88f45565ef9cdd8f4922ec298f93ea3078f4c144474f1714fce93dedafc01f
Opcode Fuzzy Hash: 8ce3674ec0a3e40c5c470a1b5774e9803d4a08f5c92baaa27de129beea1d9346
Instruction Fuzzy Hash: 7231A7B8D052189FDF10CFA9D980AAEFBB5BF09310F14942AE814B7250D775A945CFA4

Function 0606DB38 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0606DBE7

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 91b089455833c45319406c4f77274e75f4f1fa7df0fab6fa328a443a8a2fbfb2
Instruction ID: aeb930195a24e9feb68558dce5ac2b88cfc352a03edc7e74c08217a3a83a67df
Opcode Fuzzy Hash: 91b089455833c45319406c4f77274e75f4f1fa7df0fab6fa328a443a8a2fbfb2
Instruction Fuzzy Hash: 6531BBB5D00258DFDB10CFAAD885AEEBBF1BF49310F14802AE415B7240C779A985CF54

Function 060560D8 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

d, xrefs: 06056339

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 36e74054460d5cb8f73e29b969268f0c2c92e5b89aef4ea81759d2b36853f048
Instruction ID: bfce91567a71796f9210b82382b47cfbfb87d383c40703f4c4ac48c9d77cb1fe
Opcode Fuzzy Hash: 36e74054460d5cb8f73e29b969268f0c2c92e5b89aef4ea81759d2b36853f048
Instruction Fuzzy Hash: C1D15B34610A06CFCB54DF18C494A6ABBF2FF88310B568969D85A9B361DB31FC46CB90

Function 0603EB48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 0603EBE7

Memory Dump Source

Source File: 00000000.00000002.1496992514.0000000006030000.00000040.00000800.00020000.00000000.sdmp, Offset: 06030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6030000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a64c7235e8f633c53fc765a297bbf409f1ad3a3a1fb4028f5e2ea89174366fdd
Instruction ID: 5ed5d550e23a60887d438e855da9b52d1254023e5a6964e354fe80c56f365caa
Opcode Fuzzy Hash: a64c7235e8f633c53fc765a297bbf409f1ad3a3a1fb4028f5e2ea89174366fdd
Instruction Fuzzy Hash: CE31B8B8D00218DFDF10CFA9D880AEEFBB5AB49310F14942AE815B7210C775A945CF98

Function 0608AA59 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

), xrefs: 0608AAB5

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: 8e88f193cd6a8291083a1abd67ad5248418e4d84709b51a087f3f49c8e0d1acb
Instruction ID: df6eb3b6e68df7e4e1d40111f4f17ba7f7a2f76792136e644168791fb1f48f89
Opcode Fuzzy Hash: 8e88f193cd6a8291083a1abd67ad5248418e4d84709b51a087f3f49c8e0d1acb
Instruction Fuzzy Hash: A9119D74D40228DFDB60CF65C948B9DBBB1AB48304F1085DA945AA2200DB755E81DF50

Function 0608AB61 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

#, xrefs: 0608B1E6

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 99a6aebc442d779b7eba8ca6986ca4547ab39a219f0979588c5eeb3a828fd80e
Instruction ID: 99c03510ed1da8863d1cac2787d03afc1a0b5a644bb5be1108afe23512b4261d
Opcode Fuzzy Hash: 99a6aebc442d779b7eba8ca6986ca4547ab39a219f0979588c5eeb3a828fd80e
Instruction Fuzzy Hash: 4111AE74A012288FDBA0DF64C988BDCBBB1AB4D304F1041DAD949A7251C7759E95CF40

Function 0608B05A Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

2, xrefs: 0608B0CE

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: ba196bc3dc99a7623c192f8987a8ce8f7783c6ef1bf143a14e4bf3a14d400a5d
Instruction ID: 249f0543d00917ebea0377ea31f9dec165fe30a46e71683187b873fdb14cc7c7
Opcode Fuzzy Hash: ba196bc3dc99a7623c192f8987a8ce8f7783c6ef1bf143a14e4bf3a14d400a5d
Instruction Fuzzy Hash: A2117BB4A40228CFEB61DF65C988BDCBBB1BB49305F1084DAD809B7280D7769E85CF50

Function 0608A250 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

*, xrefs: 0608A25E

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: 09555999616fb6f56867a2b02b67f7b5d5753471bf887e87438d150536c1e244
Instruction ID: e6f16362b8e5004e649af8c443298b7470906313957255d6cf81335e4ba6a5d9
Opcode Fuzzy Hash: 09555999616fb6f56867a2b02b67f7b5d5753471bf887e87438d150536c1e244
Instruction Fuzzy Hash: 6D014DB4A45228DFEB61DF58C984BDCBBB1BB59304F10809AD989AB290D7B55E81CF40

Function 0608A6D6 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

8, xrefs: 0608A722

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 6d1d11386d0e441392821136f74d37050810d5a0f1f50ed0d76dee4d3323b17a
Instruction ID: e296c768da666a9a0bade5c7991a43da181090c5b07873ad47f8375f91dcb7ae
Opcode Fuzzy Hash: 6d1d11386d0e441392821136f74d37050810d5a0f1f50ed0d76dee4d3323b17a
Instruction Fuzzy Hash: 6FF0F23190161A9ADF129F54C800AEABB35FF56300F10C686E95973610DB32AAD9CF80

Function 0608A372 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

", xrefs: 0608AE63

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 50b26671737d7fd9c0743e4508ea2784f2072dad27c82cccd26656b23d5d46a2
Instruction ID: d52a976bb1aed16ff2e53f2f39fd0b441ea153fa9a1871a916ea3bbbd80917eb
Opcode Fuzzy Hash: 50b26671737d7fd9c0743e4508ea2784f2072dad27c82cccd26656b23d5d46a2
Instruction Fuzzy Hash: 99F0C274A40218CFDB54CF49D980ADDBBF5FB48304F10859AC55AA7301D736AE82CF51

Function 0608A313 Relevance: 1.3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

;, xrefs: 0608A344

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 8f93d9c0026d679415108cb7ffa76d0f21795882395cdded3c3188f8bf9851e2
Instruction ID: 7741f3d43eb9cfbc469ff1e228ae2625fb2e85284f294cc919d2271c8c29fc5b
Opcode Fuzzy Hash: 8f93d9c0026d679415108cb7ffa76d0f21795882395cdded3c3188f8bf9851e2
Instruction Fuzzy Hash: 3CE0B63894121ACFDB25DF21CA44BADBBB1EB44348F1480EAC819A3351D33A9F86DF00

Function 05F80324 Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

D, xrefs: 05F8034D

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 36f93ba91aeb4ef5ae2901ae5395346d023bf364b31c098ff07b337f3519ad05
Instruction ID: 8dae5a3167b20b23629e1df75325b1696c13631bb0f3764e47e91d37691cae08
Opcode Fuzzy Hash: 36f93ba91aeb4ef5ae2901ae5395346d023bf364b31c098ff07b337f3519ad05
Instruction Fuzzy Hash: 8DD092B491022C8BEBA0DF10D988B9CBBB5AB05304F1052DAC50CB7260DB346E81CF08

Function 0608A9CE Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

&, xrefs: 0608A9F1

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 1bce7b852e85894fdaf910ad633b5ec758c1c2dc5aa1c06b9471ac5e4880c9fe
Instruction ID: aa8fd1c7a0292a61003bad3977e54a334ac7deef023cef47ec5b39f1d7e71a2e
Opcode Fuzzy Hash: 1bce7b852e85894fdaf910ad633b5ec758c1c2dc5aa1c06b9471ac5e4880c9fe
Instruction Fuzzy Hash: ABD09274944169CADB60EF65C84878DBBB1AB44300F1082C5840DB2304C7351E848F41

Function 06059338 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e46d823686d234040d8c687c4b9b64e329003303178b62c45337549cf10680
Instruction ID: 35b53bb67b8f2daed568c731421158aa9e627a9663d53ca0c58eda631cbfa9b2
Opcode Fuzzy Hash: e0e46d823686d234040d8c687c4b9b64e329003303178b62c45337549cf10680
Instruction Fuzzy Hash: AE52F975A00228DFDB64DF69C981BEDBBF6BB88300F1541D9E909A7351DA309E81CF61

Function 06053700 Relevance: .5, Instructions: 534COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591033845f6574cecc0562a6134c1f039d0c7cadd97349a6405dd4ba503d0b54
Instruction ID: 2a0ed7c3eaa48099f7311edb799a0fc18099cb232d5c313ab1f0e7d87ae40b21
Opcode Fuzzy Hash: 591033845f6574cecc0562a6134c1f039d0c7cadd97349a6405dd4ba503d0b54
Instruction Fuzzy Hash: 37226C75A40204DFDB58DF98D490A6EBBF6FF88340F158059E906EB361DA75ED80CB90

Function 06056620 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e5261318f30716c9928808e944fbaf97349de3ca5c4d708831521d31a2509d
Instruction ID: 0ddb202f52054381519c9e839183ed25602a6273332015207b056b6ad7329094
Opcode Fuzzy Hash: f8e5261318f30716c9928808e944fbaf97349de3ca5c4d708831521d31a2509d
Instruction Fuzzy Hash: B5129D70A40205DFDBA4DFA4C9806AEBBF6FF84300B55852DD9069B360DB76EC45CB91

Function 0605C348 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9f53454758ad8fdd167e10900c784927baa4c86846d5e8f10f2a58fc0fa6c6
Instruction ID: 1de2c26202a028a3ae35f8d497e91d3a480eed1b6497f7dfcfb4c7d6cac104d6
Opcode Fuzzy Hash: 8b9f53454758ad8fdd167e10900c784927baa4c86846d5e8f10f2a58fc0fa6c6
Instruction Fuzzy Hash: CE12FC34A402188FDB54EF64C894A9EBBB2FF89300F5185A8D94AAB355DF70ED85CF50

Function 06057A60 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93857bd97e0a54baba3c485014641f53a2a8587cefa0ef1314d604d2f68d7601
Instruction ID: 13d858591a1af18502d4cd4c8f33be35342f4ffc6826730561a2167e0f3c563d
Opcode Fuzzy Hash: 93857bd97e0a54baba3c485014641f53a2a8587cefa0ef1314d604d2f68d7601
Instruction Fuzzy Hash: 6DD16132A00214DFDB55DFA5C950E9ABBB2FF4C310F0644A8DA096B231DB32ED55DB90

Function 06058458 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8d239f864414880d68296f71665db18fce85b54beef3834f914f40f4ed0bc7
Instruction ID: 63f47d9af1435945e52ecc9c3561a27994264c5af7e96776c63685da3eb3ec9b
Opcode Fuzzy Hash: 0b8d239f864414880d68296f71665db18fce85b54beef3834f914f40f4ed0bc7
Instruction Fuzzy Hash: 87F1EB34B40218CFDB58DFA4D994A9EBBB2FF88301F158159E905AB365DB71EC42CB41

Function 05EE18C0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490481238.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3e4243cbe66613d603949a5477b0c65cbcc88c8baa0dc968667132781c594b
Instruction ID: dbe0e5bac8563c3a995806052846547a27f94d779aa71ce4639321381221fdd6
Opcode Fuzzy Hash: fe3e4243cbe66613d603949a5477b0c65cbcc88c8baa0dc968667132781c594b
Instruction Fuzzy Hash: E4F1E334D11208DFDB28DFA8E4886ECBBB6FF49319F20502AE45AA7354DB359985CF01

Function 0605CA40 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90ce1a72098cd947563d7de9605f2da2051189c7b0c5d356121c8087bf4b305
Instruction ID: f918b7d2192153c49a4d3fbad9e3689186b86b797dbe1c9f31f073a2fae6d6d1
Opcode Fuzzy Hash: b90ce1a72098cd947563d7de9605f2da2051189c7b0c5d356121c8087bf4b305
Instruction Fuzzy Hash: F0E14234A40209DFDB58EFA4D49499EBBB2FF89310F118569E805AB364DF30ED85CB91

Function 06087B2D Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6750409aab0ad86a9486050368e49c2555143c407e4f9dc43be7d2e72ae17c38
Instruction ID: 319a8f186d74bcadcf6083a5cd1ce7e1432e9e4dfd01c07473e5dba41c7b391e
Opcode Fuzzy Hash: 6750409aab0ad86a9486050368e49c2555143c407e4f9dc43be7d2e72ae17c38
Instruction Fuzzy Hash: 5CF0583094A284DFCB0ADBA4D8909ACBF70EF47200F2841DEC8465B356D6356A56CB50

Function 06088509 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78a89fd771211714778674418ab3765f4363cd1603d541f83c54ab07701e5b5
Instruction ID: 82075bed7c661d8ac7f328e82266913d9cd87f374bf53abb444b306aaa1f7f57
Opcode Fuzzy Hash: f78a89fd771211714778674418ab3765f4363cd1603d541f83c54ab07701e5b5
Instruction Fuzzy Hash: 05E13770E45218CFEB94EF69D840B9DBBB2FB89300F5081A9D819A7764DB345E89CF41

Function 06088518 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8d14e84cfafc1c0deafa0402fdd14d9eceed9d2bbe64bcbef80d03430c2b8f
Instruction ID: 8a03916a0a0c60d8a134778b2ad77a2a86c7344a170cc71bbf86831ed3e55d86
Opcode Fuzzy Hash: 1a8d14e84cfafc1c0deafa0402fdd14d9eceed9d2bbe64bcbef80d03430c2b8f
Instruction Fuzzy Hash: 47D13870E45218CFEB94EF69D840B9DBBB2FB49300F5080A9D81AA7764DB345E88CF41

Function 06088A76 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc41ebb9e6c2fec8aed2aeba691f6773393b8c805d58c7657ceebde0416bc35
Instruction ID: d9b15bb6dd65f9c91c002dfdbc6e8a3fa775e228e475dc2f8e5b92e3f8e8555c
Opcode Fuzzy Hash: 6dc41ebb9e6c2fec8aed2aeba691f6773393b8c805d58c7657ceebde0416bc35
Instruction Fuzzy Hash: 38D12674E45218CFEB94EF69D880B9DBBB2FB49300F5080A9D819A7764DB345E88CF01

Function 06084FBF Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6245586ff432dc84db52748048b00bdba884a8a28ac42b542e330415037ce0
Instruction ID: 38ed91e88fefeed96f421ba5e3f6135f34bde7e69318583583d0420e84e294bb
Opcode Fuzzy Hash: 2f6245586ff432dc84db52748048b00bdba884a8a28ac42b542e330415037ce0
Instruction Fuzzy Hash: 5EC1E270949218CFEBA5DF28DD58BE9BBB1BB4A300F1051EAD949A7254CB745EC4CF40

Function 060886AE Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f7ae04227deff1ab903c17058acf145744549ec6b7bbe3d65633bca3edb2d7
Instruction ID: 76976c6b5c02c86a28a59a0b0c06eae6ce9c0c4434651e95c920412c30afc52d
Opcode Fuzzy Hash: 44f7ae04227deff1ab903c17058acf145744549ec6b7bbe3d65633bca3edb2d7
Instruction Fuzzy Hash: 2CC13870E41219CFEB94EF69D880B9DBBB2FB49300F5080A9D819A7764DB345E88CF41

Function 063AF898 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed64e62f13e0f53856572414ccd2d554b5d920451c5308f8c59d8c405e94aae9
Instruction ID: 7f5ac8d7b0e6aed36c87307d1d1d365236b1683dc5dc3770a62d1a2747d9d77a
Opcode Fuzzy Hash: ed64e62f13e0f53856572414ccd2d554b5d920451c5308f8c59d8c405e94aae9
Instruction Fuzzy Hash: 72A1AA35B013059FDB54CFA5E954AADBBB2EF88310F14806AE912EB391CB35DD81CB90

Function 0608883C Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19fdd1a347a850073fd646d9376151d0f5fdcc1c8d0b754ee16229a3a84fd05
Instruction ID: 3780faabc6199de27d9a3ab67f36b5d0ee887ea3da1315000e6e140e40fa2f07
Opcode Fuzzy Hash: e19fdd1a347a850073fd646d9376151d0f5fdcc1c8d0b754ee16229a3a84fd05
Instruction Fuzzy Hash: 37C13674E41219CFEB94EF69D880B9DBBB2FB49300F5080A9D819A7764DB345E89CF41

Function 06088853 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b5cf681bb12c56bf2ad321cb4831792bec293da9a9951e774f8cf0d69af25f
Instruction ID: 854909fcf767774b4a1e2c3f968bc4e5e5772112f4370ee61a7dca8c8c4c624d
Opcode Fuzzy Hash: 44b5cf681bb12c56bf2ad321cb4831792bec293da9a9951e774f8cf0d69af25f
Instruction Fuzzy Hash: 52C13874E45219CFEB94EF69D880B9DBBB2FB49300F5080A9D819A7764DB345E88CF01

Function 06088EE3 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f5ab07698a21ee6dbc22802edc5b865d60893d14798193fd9fa1cad46fdab5
Instruction ID: c6c46f36c0ab68ba876dc1feee3ca2d567bfc703b4778b7b0a7295453955305c
Opcode Fuzzy Hash: b6f5ab07698a21ee6dbc22802edc5b865d60893d14798193fd9fa1cad46fdab5
Instruction Fuzzy Hash: FBB10270E8620CCFEB94EF69D984BADBBB2FB49300F1090A9D449A7254DB345E84CF40

Function 05EE1598 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490481238.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e389849f0eb03f476511be002835dc22c3cef92fac1d6320767068d0b104743
Instruction ID: 21e040bf3f369bcc68180bf2dceb047fc74897e1aad9562051893df1740d776c
Opcode Fuzzy Hash: 0e389849f0eb03f476511be002835dc22c3cef92fac1d6320767068d0b104743
Instruction Fuzzy Hash: B4A11534E20209CFDB18DFA5D448AEEBBB2FF4A305F109029D856A7354DB349986CF51

Function 0605844B Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b531b4f322cab3896da7184eb7c51f839f6d15a8543a313b37d00a61b1b93f63
Instruction ID: 4e9bc3df031304faad9a6849cece372ebde5df4bc27b1435c33b4f88bfe0a23f
Opcode Fuzzy Hash: b531b4f322cab3896da7184eb7c51f839f6d15a8543a313b37d00a61b1b93f63
Instruction Fuzzy Hash: 54A1FC34A50218DFCB58EFA4D99499EBBB2FF88300F158159E905AB365DB70EC46CF41

Function 0605D2F0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd62ee97f7cea0e2454f09635f65160450d593c9f3bd841c006ffb3e98cdff5
Instruction ID: db534a57fc363e164603a2fd5a5d00773c0957a6f0f509d18ba7231af2d972fb
Opcode Fuzzy Hash: 4dd62ee97f7cea0e2454f09635f65160450d593c9f3bd841c006ffb3e98cdff5
Instruction Fuzzy Hash: 86814E74B50214DFCB98EF68D494AAEBBB6EF48710F154069E906DB3A1CB34EC41CB91

Function 05F825F0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e764bbcdd42b5dc1d0016c15c983b2dcb94e00a8317a2c22fd97b24f298a18
Instruction ID: ce2605531867e453fc01c85dcc0eaa0a7ebf6b2705ce905b4861c87aaebb0ccb
Opcode Fuzzy Hash: 27e764bbcdd42b5dc1d0016c15c983b2dcb94e00a8317a2c22fd97b24f298a18
Instruction Fuzzy Hash: EB910678E06208DFDB04EFA9E654ABDBBB6FF49300F204129E416A7244DB386E45CF51

Function 06054FE8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ca4fe2081847068cd114614a08df6d09f64da74c0553c70c21ee143f4ae8e9
Instruction ID: 0919af5e08e7ba0dbfdb40ab8afbedcf249d0e180d61081e3ecb6d0f0a8e3266
Opcode Fuzzy Hash: 88ca4fe2081847068cd114614a08df6d09f64da74c0553c70c21ee143f4ae8e9
Instruction Fuzzy Hash: 91814D35A40218CFDB55DFA8C884A9EBBF5FF89310B168469E816DB320DB70ED41CB90

Function 05F825E0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a0a6a0f6893f8667de682bd5a1f3edad29b827dcc8c9e815f65be998bc58fd
Instruction ID: c8f8e7597bcfef45bdf00e2540f7421ec872d8f37498d2de3615224a941b6d06
Opcode Fuzzy Hash: 00a0a6a0f6893f8667de682bd5a1f3edad29b827dcc8c9e815f65be998bc58fd
Instruction Fuzzy Hash: BF811978D0A208DFDB15EFA9E554ABDBBB6FF49300F20402AE416AB254D7386E45CF11

Function 06054708 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b871191392cfc301bd5f4f44d1e1b1d2a971b901d9f55f85e9624a489a751896
Instruction ID: f9f9e0fd2d5d0c14ccc06088ed72160dafca47adcf32d9855f580714facc44ad
Opcode Fuzzy Hash: b871191392cfc301bd5f4f44d1e1b1d2a971b901d9f55f85e9624a489a751896
Instruction Fuzzy Hash: C061FD317002099FEB56DF68C894BAE3BE2EF84314F158169E905CB291CB75DC96CBD2

Function 05F826A4 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bce5f233950eaeee455e6e6f25a818e1aba65dc9797d0eee7a3ffa92a130280
Instruction ID: f46efe99a721b16b2cd18dae5181b72edcc43c09b727b4707218754947a3b000
Opcode Fuzzy Hash: 2bce5f233950eaeee455e6e6f25a818e1aba65dc9797d0eee7a3ffa92a130280
Instruction Fuzzy Hash: 58810778D06209DFDB04EFA9E594ABDBBB6FF49310F20402AE416AB254D7386E45CF11

Function 06085342 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c50c40c260033274b32af47adfd6318e5f9cc7ac77e676e312ced8c66248f54
Instruction ID: 97c00eae9368f9353f1c249b24426f9336b1f76b1be7946e5d6312dbf078d5c4
Opcode Fuzzy Hash: 3c50c40c260033274b32af47adfd6318e5f9cc7ac77e676e312ced8c66248f54
Instruction Fuzzy Hash: 03810570945218CFEBA5DF29DD48BE9BBB2BB49300F1080EAD949A7264DB755EC4CF40

Function 060803C2 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d518236fa63c5c90d2aa941f0b60b92cda1c82daf83df4eed03e4d843e4acf4c
Instruction ID: be4e28db21acfa85a6d2caa97de270a6d748348e4bb5147abb5b729c7d0171be
Opcode Fuzzy Hash: d518236fa63c5c90d2aa941f0b60b92cda1c82daf83df4eed03e4d843e4acf4c
Instruction Fuzzy Hash: E381CE7494531CDFEB94DFA5D948BACBBF6BB49300F0051A9D44AAB251CB385E88CF01

Function 06052160 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a276811b7634b53c9e1d6e1943ebebafa848f650d3c040df87ed9b00657898e
Instruction ID: 9ff57a055b27ab9ddc2ab31aef3b935d0058e071fe310031e45bb8ed22ae715b
Opcode Fuzzy Hash: 2a276811b7634b53c9e1d6e1943ebebafa848f650d3c040df87ed9b00657898e
Instruction Fuzzy Hash: 4051AD34B002069FE769AF68C85466E7BA7BFC5200B11446CDA069B3A0DF35DD46CB91

Function 060870B1 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3eb9b519a8a9160f4e4335f20ea3978f5d3f91329005447e8b2d4f2961e7eab
Instruction ID: 6b193a271278e099e941b15d3b96db419df7230f851917b47c48a0930297c177
Opcode Fuzzy Hash: c3eb9b519a8a9160f4e4335f20ea3978f5d3f91329005447e8b2d4f2961e7eab
Instruction Fuzzy Hash: 0C6143B0D49208CFEB90DFA9C8507ECBFF2EB49300F24516AD459AB669D7750985CF80

Function 05F860E1 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58fc35dc37538b1b2549fa0a1b2de51497f2f2043152d7cd2dfbbfad80b1834a
Instruction ID: 8e36d6128dd918a95f2c5cc57752a1669272dec692fc4b2ff140e975fd8b789c
Opcode Fuzzy Hash: 58fc35dc37538b1b2549fa0a1b2de51497f2f2043152d7cd2dfbbfad80b1834a
Instruction Fuzzy Hash: 9E6101B1E05608DFDF04EFA9D944ABEBBB6FF48700F10802AD415A7256DB786A45CF50

Function 0605D2E4 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5178d77f8b44d2db65b50266a62756f4a0c61d13955eabcdd4fcbc91c9660623
Instruction ID: ee8f9da7f52909e086f7ef9b9a224f5e08ccf9fdbb263bb331234e323bc982fa
Opcode Fuzzy Hash: 5178d77f8b44d2db65b50266a62756f4a0c61d13955eabcdd4fcbc91c9660623
Instruction Fuzzy Hash: 6D611C74B50614DFCB94DF68C894AAEBBB6FF88710F158169E9159B3A1CB30EC41CB90

Function 060853A8 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70caf16c198edb50cbdc735682d3bbc6aaf735b0ac82df56e8636f67c10c33b
Instruction ID: 362880f74a75a39d3c907d5ba28c76060079f78596a0fe9d813bdd3dfd7f0848
Opcode Fuzzy Hash: f70caf16c198edb50cbdc735682d3bbc6aaf735b0ac82df56e8636f67c10c33b
Instruction Fuzzy Hash: 0671F474949218CFEBA5DF25DD48BE9BBB2BB4A300F1080EAD949A7254CB755EC4CF40

Function 05F85BCE Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e341658e72312e4380462fc3303eca9999dd593afb5a63effcb3312445ed6ae3
Instruction ID: a61488b5eeea4de4d2e51f6bb605abc80306f59d8d9db6cd352c47c6ddf1347b
Opcode Fuzzy Hash: e341658e72312e4380462fc3303eca9999dd593afb5a63effcb3312445ed6ae3
Instruction Fuzzy Hash: B261E5B0D0A218EFEB24EFA9C544BBDBBB6FB49304F2440A9D409AB255D7785985CF01

Function 063AF528 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6751ea12084baf553bf9c0f2e7c6e0f596d18a3f89d5ee690f5b38f18b8dceca
Instruction ID: 49b226b43dc5de50e6a4f903ab65f6d50b9db3de56973fd294975b0eee0b2818
Opcode Fuzzy Hash: 6751ea12084baf553bf9c0f2e7c6e0f596d18a3f89d5ee690f5b38f18b8dceca
Instruction Fuzzy Hash: F251E231A007168FDB10DF68C484A6AFBB1FF86324F1586A9E9299B391D730EC55CBC0

Function 063A8968 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77170933e4a5968883225ffa2348ac4f479631207d8551aeca7662df534e4da
Instruction ID: 3603a491761d6e4683ecb0ce7f2087dd922a294ab6495d336c2c9ce2beefa580
Opcode Fuzzy Hash: e77170933e4a5968883225ffa2348ac4f479631207d8551aeca7662df534e4da
Instruction Fuzzy Hash: FC51DC74D01218CFDB88DFA9D9486EEBBB6FF89300F10852AD415B7250DB745985DF82

Function 0608717D Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd92d445b1b846679d21a049b46b4d26e583bef6c41b8a3a92e2ea8a043527d
Instruction ID: 17ffb93a43367bdeaa95495ef072169685c4d6a44e006f76b26a14e20dbc9ab1
Opcode Fuzzy Hash: ebd92d445b1b846679d21a049b46b4d26e583bef6c41b8a3a92e2ea8a043527d
Instruction Fuzzy Hash: 77511FB0D49208CFEB94DFA9D8947ACBFB2BB49300F20502AD459AB668D7754885CF80

Function 06058028 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4693e85c39144e6bd0cd7de502da1f5168ff2a75b3142741a45ae4880a62cc82
Instruction ID: 4d870494e36a31d80662ee0f2241347c0c36d45572eb9de6fb9d8a2466d4007f
Opcode Fuzzy Hash: 4693e85c39144e6bd0cd7de502da1f5168ff2a75b3142741a45ae4880a62cc82
Instruction Fuzzy Hash: 3951A174B40619DFCB18DF65E458AAEBBB6FF88701F008019E90297364DF34A906CB81

Function 0605C0F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8065f9b329536bfe60b1fccef6958bcc4272a9ca22885844be227bcbc2dd29bd
Instruction ID: 426221672e2ea86111ee0c774b68d38fd6f5230e70b0fcdf9c889fdfe47a081c
Opcode Fuzzy Hash: 8065f9b329536bfe60b1fccef6958bcc4272a9ca22885844be227bcbc2dd29bd
Instruction Fuzzy Hash: B0417630B506148FDB94EB68C894AAFBBB7AFC9700F51442DD802A7394CF749D46DB91

Function 06085A7E Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8711effb59b70ca29cc51f7b8691a62e13568d49e976c8a7b7c669b643aa488b
Instruction ID: 8ecfdff52495ccd39a43e93c0df8774592abfd174723568e238e9f5124a6fb9a
Opcode Fuzzy Hash: 8711effb59b70ca29cc51f7b8691a62e13568d49e976c8a7b7c669b643aa488b
Instruction Fuzzy Hash: 50610774905159CFEBA4EF29D984B9CBBF1FB49300F5081A9C549A3354DB349E85CF40

Function 05F82DB0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a0b3d51197ebaf6aaef6d0bf1ef4f81e8847909ddedc91a57014113a1c8799
Instruction ID: b8152e4b8c72b7896d5d628a6cef65dd611c046a58ef2adab63cb895ce2640d2
Opcode Fuzzy Hash: e5a0b3d51197ebaf6aaef6d0bf1ef4f81e8847909ddedc91a57014113a1c8799
Instruction Fuzzy Hash: 17519E79E05249DFCB04EFA8D5946ADBBBAFB48300F10442AE416BB354DB386945CB50

Function 05F82DA1 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9046297e4dccd454e47433d5266aa8f1e27937bae74370a2f76384bf6d5d97
Instruction ID: ec4832adc53c2fa73a0679291d408cc562d8ce902da87594b73913b62d959a93
Opcode Fuzzy Hash: ee9046297e4dccd454e47433d5266aa8f1e27937bae74370a2f76384bf6d5d97
Instruction Fuzzy Hash: CB519E79E05249DFCB04EFA8D5946ACBBFAFF48310F10446AE416BB354DB386945CB50

Function 02F6CDE8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce64bf74d153cafc4f6834b5af92921eefe41a61f0a72b237ae48245eaacfdd
Instruction ID: 3b10e8a29501e5b31f76fff6d05e1c1bce353e121fa3c96f0232adaa4d1e5754
Opcode Fuzzy Hash: 8ce64bf74d153cafc4f6834b5af92921eefe41a61f0a72b237ae48245eaacfdd
Instruction Fuzzy Hash: 075113B8E01208DFCB04DFA9E588AADBBB6FF48300F10946AE955A3364DB346945CF14

Function 05F8FBE8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a718b1bc655b8b2e2f19db4e9467e62bc6f4f842e574767156553c573d4b32
Instruction ID: b19b9ddf91c2bc6ba6df9b681ae2a0c54330b28af868681827c644039b5cc026
Opcode Fuzzy Hash: d1a718b1bc655b8b2e2f19db4e9467e62bc6f4f842e574767156553c573d4b32
Instruction Fuzzy Hash: 7B419D75B00209DFDB24EB64D854B6ABBF6FB89300F10C469E916AB350DF34EA41CB50

Function 05F86430 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13244b32cba42e42b2075001df00fc216faa48c0b0fd4495ccabb071f5b4205d
Instruction ID: baed8061a73712e9d1c59058a5069df3e4ef070c229ab05250189e8dee53c55a
Opcode Fuzzy Hash: 13244b32cba42e42b2075001df00fc216faa48c0b0fd4495ccabb071f5b4205d
Instruction Fuzzy Hash: E651D1B0E01208DFDB18DFB9D594AADBBB2BF89700F20812ED416AB364DB359945CF50

Function 06057A53 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8744e7f60e08af6a2ffb68af2f8ce71682824505bdeb41667e6562e91edb9732
Instruction ID: 9985b1a13906260f545916a59adc2dc6a508e384bf3b863a6e29a854bd898c25
Opcode Fuzzy Hash: 8744e7f60e08af6a2ffb68af2f8ce71682824505bdeb41667e6562e91edb9732
Instruction Fuzzy Hash: A941B370A00305DFE754EBA9C8507AFBBE6FF84300F148829C84A97251DF75A945C7A1

Function 02F60868 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37225b01962615e6814ea6fe04d881c996b844e0fd639bc64dde1255834f936
Instruction ID: 875d2994971578c81f49463fa21dce277355f3625d3d0792905abdb18c473b34
Opcode Fuzzy Hash: f37225b01962615e6814ea6fe04d881c996b844e0fd639bc64dde1255834f936
Instruction Fuzzy Hash: 7041E635A00609CFDB04DBA9C558AADBBF2FF89311F2580AAD519EB361DB359C41CF90

Function 0605BB03 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7b6421ea81f9ecf20606857592a4d92bf51814fc661733027d8bd39a27deab
Instruction ID: e52ff121e54c0448fbbb7ddf759f815b7c5d8c0c94a59811b8301a392b84e9b6
Opcode Fuzzy Hash: ca7b6421ea81f9ecf20606857592a4d92bf51814fc661733027d8bd39a27deab
Instruction Fuzzy Hash: 7D316F753406109FE358EB65C9A4B6B7BE6AFC9700F118468E6068F3A1CF75EC41C791

Function 0605BB10 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f57f3ef774bd7f45d32cb88e30797776a716f03e2655fa344f708eeed14a8a
Instruction ID: ee79a143759b5481d433b96c0324d54cf4baab0cfa6a04462971e6c22e3431d9
Opcode Fuzzy Hash: f9f57f3ef774bd7f45d32cb88e30797776a716f03e2655fa344f708eeed14a8a
Instruction Fuzzy Hash: 86315C757406109FE358EB69C9A4B6B7BE6ABC8700F214468E6068B3A1CF75EC42C791

Function 05F86421 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed413269955602f9e7ddc28f2487371feb46183aa065f24166140fd87bdde5ef
Instruction ID: f52c1f60b7d76d777dbf54d9b3d63cd8c8f2954577c77caa41fcfc8f0509f084
Opcode Fuzzy Hash: ed413269955602f9e7ddc28f2487371feb46183aa065f24166140fd87bdde5ef
Instruction Fuzzy Hash: 1741F3B1D01208CFDB28DFB9D594AADBBB2BF89700F20812ED416AB364DB359945CF50

Function 0605AC10 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccbd1b50e4b30eefcb39b44d022740cd96a940d9dc44d94f0bd7dd749979d2a6
Instruction ID: f04e57b89f5a0b9ea7f41a8e37839de1d0bcbdd20b6588f6e34876a37245977c
Opcode Fuzzy Hash: ccbd1b50e4b30eefcb39b44d022740cd96a940d9dc44d94f0bd7dd749979d2a6
Instruction Fuzzy Hash: C731F9366501049FCB49CF59D988E99BBB2FF48320F1640A8EA099F372C735EC55DB40

Function 06084747 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434e55cea742fb27bb010a90ba5523d9b1995ab3b0a72421612c9b965b9c7813
Instruction ID: 68305fffe2ece4f53070b58c0ec87ed12e5fc272907fbd850a7bfbb499ed65cb
Opcode Fuzzy Hash: 434e55cea742fb27bb010a90ba5523d9b1995ab3b0a72421612c9b965b9c7813
Instruction Fuzzy Hash: A2411A74E452198FEBA8DF6AD8447DDBBF2FF8A300F1081AAD849A7254DB744985CF40

Function 06085641 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc216a2294fcb5fd2cf1ea4ec1120e89710968e635566b9ed36bb6e62446b5f
Instruction ID: 514e822fd2eb8465c6095aeef393f908efc390b7dc7f0ade64c3065c65d24a63
Opcode Fuzzy Hash: cfc216a2294fcb5fd2cf1ea4ec1120e89710968e635566b9ed36bb6e62446b5f
Instruction Fuzzy Hash: C041B170A45128CFEBA5DF25D949BE9BBB1BB49300F1090E9D949A7254DB745EC0CF80

Function 0605D5F8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da276fae7ed2d388ae7e8d25d4a079aeb5937ae0bd83c6777340b264daf56d16
Instruction ID: 21d40ed8548e1b9cce4edc411e4f09ff98175c16cc932c4d8c63c34a304128f7
Opcode Fuzzy Hash: da276fae7ed2d388ae7e8d25d4a079aeb5937ae0bd83c6777340b264daf56d16
Instruction Fuzzy Hash: 7B315C35A401199BDB54DFA4D854AEEBBB2FF88311F108026E811B73A0DB359D05CFA0

Function 060578C8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011020a2cb67093f5f055bfef1a7787d4b609c55b22185e289055c7258010ea7
Instruction ID: 236a4413195cd0b81516ecea691977aaa31606839887b5832feae1ee5015281c
Opcode Fuzzy Hash: 011020a2cb67093f5f055bfef1a7787d4b609c55b22185e289055c7258010ea7
Instruction Fuzzy Hash: 0E318F75780205DFCB599FA5D854A5E7FB3EF88310B0540A9EA0AAB3A1CA31DC52CB91

Function 05F8EAA0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae1ce107c5996e55111fa5889f52e097da79cce28f08e9b2547bf0049e53bf0
Instruction ID: 08e6826f33da5c384043fb0409986fca5d3a2d87610a156850944fe4d44ddeaa
Opcode Fuzzy Hash: bae1ce107c5996e55111fa5889f52e097da79cce28f08e9b2547bf0049e53bf0
Instruction Fuzzy Hash: 3D311774E04209DFDB04DFAAD4447EEBBFAFB89300F148065D919A7254D77859498F50

Function 05F8DD60 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a926b4b46cf6f6d1fed933d39fecb69b740cf021e0189b362b97e800ee4d2a
Instruction ID: 035a85b5cf83987d94bb260ed36c6aee2979e33fccf80ada713a29e260aa20eb
Opcode Fuzzy Hash: f3a926b4b46cf6f6d1fed933d39fecb69b740cf021e0189b362b97e800ee4d2a
Instruction Fuzzy Hash: C83118B0D05208DFEB58EF69D8847ADBBB6FF89300F1094A9D509E7294DB785A85CF01

Function 05F8D630 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8013e903e52b10a037a68191daff43ddfacf95bbd9bd13eff3900fa94c63e59f
Instruction ID: d2b563f3f9a61d0b151ff68746ed0b256c13145a4a63eb592dc6411447f5ff00
Opcode Fuzzy Hash: 8013e903e52b10a037a68191daff43ddfacf95bbd9bd13eff3900fa94c63e59f
Instruction Fuzzy Hash: F731DEB1E0520D9FDB04DFA9D844BAEBBF6BF89300F109129E419B72A5D7785A448F50

Function 06052150 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a9956623db97836bf9a310a6514539f4c44af8b3900a8014a2a11fca5efa62
Instruction ID: e1db138f1a32ec9a87997a6d2f87e79a5177d96360d3ee389ad9e40c577baf97
Opcode Fuzzy Hash: 91a9956623db97836bf9a310a6514539f4c44af8b3900a8014a2a11fca5efa62
Instruction Fuzzy Hash: 23319E38740705DFD769AF60D85456BBBB2FF95305B10486CD9428B3A0DB36ED46CB90

Function 06058DC8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4d7b96789c6545a3f0ea6081bb7304314c9f4b071c6e06bef0fc9ab688fcfd
Instruction ID: 527bd1ee06da22660f1e036ec645aa95b4ac29bd0078c0bb0f96067a9df7aa21
Opcode Fuzzy Hash: cd4d7b96789c6545a3f0ea6081bb7304314c9f4b071c6e06bef0fc9ab688fcfd
Instruction Fuzzy Hash: 2D21C1313442108FD7B49B69E844B1BBBE5EF80361B1AC47AE94EC7651DB30EC02C750

Function 02F65A37 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7640aeda60dc3e4abab4c817e1344428dd339232ec0d91ebcbf166b4bec0c9
Instruction ID: 361434119f43ae5ef7638975a64ff5b6e68b6c6f646a1f7b081f6ee13b587f47
Opcode Fuzzy Hash: ee7640aeda60dc3e4abab4c817e1344428dd339232ec0d91ebcbf166b4bec0c9
Instruction Fuzzy Hash: 5E3156B4E01209CFCB04CFA5C8886ADBBF1FF89341F1484AAD515E7265D7759A48CF10

Function 060851DE Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e916705d7b7dea65767e150d7b57a6bc155fca048bf3fbb415f681b494ef7bc
Instruction ID: d894a2fa8b411ae4269b6c02df320ad7b037e5163fed0367bb3d95e45597f370
Opcode Fuzzy Hash: 0e916705d7b7dea65767e150d7b57a6bc155fca048bf3fbb415f681b494ef7bc
Instruction Fuzzy Hash: E6312770E41119CFEBA4DF29D98479CBBF1FB89300F6080AAD949A7655DB349E89CF40

Function 02F60858 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e05af06ffc84502051ad7e29059a47207864676e5f919b8f2f2ee7a70322ce
Instruction ID: cb7ba5ae2deb5e3b980e62d1ae0f7e86ddc56ed3d43335f0ca9a8ecd529c2c4d
Opcode Fuzzy Hash: 34e05af06ffc84502051ad7e29059a47207864676e5f919b8f2f2ee7a70322ce
Instruction Fuzzy Hash: B731BF75A00609CFDB44CFA9C588AADBBF2FF48300B2584A9D609AB361D7349D41CF90

Function 02F65A48 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84a0dcc5c1b42e10ce045b30614935dc3c71e59863a6407060c66753a659beb
Instruction ID: 870e7de653010538594f1425acd246ab393888a1de1be13e975272a601e378fc
Opcode Fuzzy Hash: a84a0dcc5c1b42e10ce045b30614935dc3c71e59863a6407060c66753a659beb
Instruction Fuzzy Hash: FE3134B4E01209CFCB04DFA5C5886ADBBF1FF49340F548469D515B7225DB769A88CF50

Function 0605E3C0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba2381a71a2b4782eeac9798d7de336314d050ae8a08ea669aa1fc7db0687ab
Instruction ID: d58b2f9474fb5b9841d9f4ca6d5dfca4fe404c464cbd02a5c23457b48b9a0542
Opcode Fuzzy Hash: 1ba2381a71a2b4782eeac9798d7de336314d050ae8a08ea669aa1fc7db0687ab
Instruction Fuzzy Hash: 2921AB74B00A19CFCB40EF68C54459EBBF5FF89300B10816AD91597360EF309A46CB91

Function 06051EA0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28772b79d419b3b8fa8b22e04bc1fa65a86ffb118aa4d02905487b8738348c09
Instruction ID: c47692d7707a8fa5bcf44a751013c7b3af8f3a62dcb97e8d2364a758d0b9c109
Opcode Fuzzy Hash: 28772b79d419b3b8fa8b22e04bc1fa65a86ffb118aa4d02905487b8738348c09
Instruction Fuzzy Hash: DC213A71E80209DFEB90DBB8C844BAFBFF5AB04340F5280A6D919D7290E734DA50DB91

Function 06085AD5 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa24ac50b5979caa9da3cbe2dad8d39ff125854acab69656a32b7181167efe0
Instruction ID: c817c2a03f8ab53b886d480a624097aa19e202a1028a13a15fcc4dc204a63855
Opcode Fuzzy Hash: 5fa24ac50b5979caa9da3cbe2dad8d39ff125854acab69656a32b7181167efe0
Instruction Fuzzy Hash: 12315670D45219CFEBA4DF69C884B9CBBF1FF46310F2081AAD598A7295DB348988CF40

Function 02F60A8F Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c916cebd4122373b72f9dc94a84a31096ebc0306f873c45b140efa32aa5422
Instruction ID: 524b0492ab274060b1a01b01431348a02e25315eee1f3e6721e8856366df1711
Opcode Fuzzy Hash: 32c916cebd4122373b72f9dc94a84a31096ebc0306f873c45b140efa32aa5422
Instruction Fuzzy Hash: E5216831E00218DFDB04DBA9D454AEDBBF2FF88714F208469E405BB2A0DB718900CBA5

Function 0187D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1463191288.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187d000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cffc0b3c039c1c5445f01e87f92cce51c38baf9b03e497c8c749a9b624447a1
Instruction ID: a6891d75bbfd163fa958dabd370218927b8e19bb503985ed1fce8ddac825e467
Opcode Fuzzy Hash: 9cffc0b3c039c1c5445f01e87f92cce51c38baf9b03e497c8c749a9b624447a1
Instruction Fuzzy Hash: 2C214272104204DFDB12DF84D9C4B26BF65FF88318F20C669E8098B242C336C51ACBA2

Function 060848BE Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e093adbaa4757b793540f326478213453c68c6e84bdf8e9bfae4a33e744d14d
Instruction ID: 2ab4f275bbbc1fd9dd345076771f2e6b784714b847d1e954ff3d4521cc6151e5
Opcode Fuzzy Hash: 8e093adbaa4757b793540f326478213453c68c6e84bdf8e9bfae4a33e744d14d
Instruction Fuzzy Hash: 32311370E41259CFEBA4DF69D880B9CBBF1FB49300F2080AAD548A3250DB348E88CF40

Function 06052A60 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a6f032461efc8751ddd274578197f8862eb56a478350e441d8d939c6a17d74
Instruction ID: df048a04aeaf64cbd1a5a59da1d67470dc79ad343a19a3657712ce2f24aefc6f
Opcode Fuzzy Hash: f9a6f032461efc8751ddd274578197f8862eb56a478350e441d8d939c6a17d74
Instruction Fuzzy Hash: 6F216A703401459FDB51CF2AC844AAB7FEAAF8D300F0A4495FD45CB260CA31DD90CB20

Function 06052A4F Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80155ce0b0baf098f104dd57dec41ea52ead010845aec12b76cbb804c390e257
Instruction ID: b769c44a1738cccf8596ef4e86ea65defc7d9a3abda84ea7e18a3b32202a59ed
Opcode Fuzzy Hash: 80155ce0b0baf098f104dd57dec41ea52ead010845aec12b76cbb804c390e257
Instruction Fuzzy Hash: C82168703402859FDB55CF2AC984AAA3FEAAF8A210F094495FD55CB2A0CB31DD50CB20

Function 02F65B89 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33cf66f8f5af1d07778bae6e5e43e175339fd4c379b6dbcb5d1c72983580189
Instruction ID: 67c29fa2f75ad6642a1bd7d42cdefd5ffea2e5f40a1bf6b79bba83173dcf909d
Opcode Fuzzy Hash: a33cf66f8f5af1d07778bae6e5e43e175339fd4c379b6dbcb5d1c72983580189
Instruction Fuzzy Hash: B021F0B294E3C49FE752CB70A8093A93FB1EB13345F19419AC544E7297EAB58A48CB11

Function 060564F0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f059c6ddadd0230aaff55d91bc6e066ca2bc73aa04baea1756cee25cf206664
Instruction ID: 0fc5be56624fd131a8fa67dfb7525990628894c34d4d0a88bc29b21dc8413ec3
Opcode Fuzzy Hash: 0f059c6ddadd0230aaff55d91bc6e066ca2bc73aa04baea1756cee25cf206664
Instruction Fuzzy Hash: 82211975A90209CFDB54DF94C540ADEB7F2FF88301F5141A4E945BB265CB36AE44CBA0

Function 02F6EB88 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9f3050136dd69f8bf3c87a5003ba02f01aec262d05edfa2ded4f98a2325b02
Instruction ID: 1894a1b607bbd732e3e834af4a1f622d48dcf88a8929b1ffd33e08fb8e34ac59
Opcode Fuzzy Hash: 4f9f3050136dd69f8bf3c87a5003ba02f01aec262d05edfa2ded4f98a2325b02
Instruction Fuzzy Hash: B6213A7AE0521ACFEB04DFA9D408AFEBBF5FB89305F14842AC516B3244DB745A44CB91

Function 02F65671 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f8f4c480d16426eac15c0fb17fbed36db63f929a9461c705cdb1f77569b198
Instruction ID: e1f9997ea4ad45e471469327b21018ba2d520647cf5bd7025462f68104d568a0
Opcode Fuzzy Hash: 71f8f4c480d16426eac15c0fb17fbed36db63f929a9461c705cdb1f77569b198
Instruction Fuzzy Hash: BA2189B0D05249DFEB01DFA4C4887ADBFF1EB06305F9081AAD515AB291D7790A88CF01

Function 060857FB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe4188a2de698fb388725a460926a602cae7abbcaf878fea23ca365c0ee2fa4
Instruction ID: cde6ce1546ac1d7c95140779bf4b59efcce8ff38244ab5fb08e367f094159f71
Opcode Fuzzy Hash: abe4188a2de698fb388725a460926a602cae7abbcaf878fea23ca365c0ee2fa4
Instruction Fuzzy Hash: AA31FD74A061598FDB94EF28D998B9DBBB1FB88300F5081D9C80DA3358DB359E85CF40

Function 05F86B98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9079c89871e74cffdf645287edb9d9396b7007c80ccee6205516cafdffd4350
Instruction ID: 356d6a9f1bb66de66ec91aa3fc2f6a7e5be1d13b6897151b346e4710ba4cc3a1
Opcode Fuzzy Hash: c9079c89871e74cffdf645287edb9d9396b7007c80ccee6205516cafdffd4350
Instruction Fuzzy Hash: BC2139B0E04209DFDB18EFA9C5446BEBBB6FF59305F148169C815E7254D7389981CF90

Function 06051DDF Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9b55df9ae5736c04f496bb2c03f3381b1fe5a8f49bdfdb83608ca23a73510c
Instruction ID: 21004dad64f2cf19b94130aab1c3d6a65d7392e253438abe5e92752750297abf
Opcode Fuzzy Hash: ca9b55df9ae5736c04f496bb2c03f3381b1fe5a8f49bdfdb83608ca23a73510c
Instruction Fuzzy Hash: 5E11DEA649EBCA1EDB2383348A09395BF50AF63524F8947DFDCE2868E3C30C0547C252

Function 0605E3B3 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5131a8bc39f266767fc65fab8147565ca07e1e11061e49c71d3f832f24acbd30
Instruction ID: 09ce6950e803b7a531f35725a6bb7a39d2a30fa9791dadf3e99b08b43c5d28e2
Opcode Fuzzy Hash: 5131a8bc39f266767fc65fab8147565ca07e1e11061e49c71d3f832f24acbd30
Instruction Fuzzy Hash: 88219974B40A19CFCB40EF64C55469FBBF5EF89300F10416AD91597360EB749A45CBA1

Function 060564E1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee7b69ff4e1976b222e9abe356b81ac76e1c0e304eed4fcf87681e65e800d31
Instruction ID: 6c478862e595db5198e34294a6fc992a549f8a3f066edfa84aaf9504a0efeb65
Opcode Fuzzy Hash: 0ee7b69ff4e1976b222e9abe356b81ac76e1c0e304eed4fcf87681e65e800d31
Instruction Fuzzy Hash: 7C216D70A90209CFDB55CFA4C950ADE7BF2BF48304F5142A8E941BB2A6CB769D45CB90

Function 02F65680 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef23ed804f96e8080872bdeff49f39da7b39efe0e1cdc2f54d22e35e1f457b5
Instruction ID: d58638fcd2eb538f9709dec1ea7c939558823581e2c5a7357fe8c8b2e26414df
Opcode Fuzzy Hash: 1ef23ed804f96e8080872bdeff49f39da7b39efe0e1cdc2f54d22e35e1f457b5
Instruction Fuzzy Hash: 832149B4D0520CDFEB00EFA8D0487ADBBF1FB0A305F9094A9D619A7644D7754A88CF01

Function 0605CF10 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a8a4d170fb59d5309cd307a8f294b505f1e0d32ce2cf1bc445e104d926bbbd
Instruction ID: a1b085d014867f71c2a3159e136b6d5bfa14404b3bba9a95e80ce7758ce032f2
Opcode Fuzzy Hash: 40a8a4d170fb59d5309cd307a8f294b505f1e0d32ce2cf1bc445e104d926bbbd
Instruction Fuzzy Hash: 08219D34B506048FCB54EF68D984AAEBBF2EF89310F148569E911973A0DB30ED05CB91

Function 06088BF9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1920dd7aac6a7fd581f8dd17c03184e9da2072c02f81cbf5a781caea7fdefcc7
Instruction ID: 87e0863a1e2f346a2d733d14164b6ed51cc242d10677866bd4141300ffc2fbe5
Opcode Fuzzy Hash: 1920dd7aac6a7fd581f8dd17c03184e9da2072c02f81cbf5a781caea7fdefcc7
Instruction Fuzzy Hash: FD214470D4520DCFEB40DFA9C8587AEBBF0FB4A300F908969C418A7285D7785A89CF91

Function 06084896 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37fefffb30bab87576efb9f99dcbedbcbaf22b9f4b65650a5df0e5f9d0db6ce
Instruction ID: aafb4ff1e8c79b1023500092c325929be2eb9f38df8f6196b257dcb75dfafedc
Opcode Fuzzy Hash: b37fefffb30bab87576efb9f99dcbedbcbaf22b9f4b65650a5df0e5f9d0db6ce
Instruction Fuzzy Hash: 28210374D05119CFEBA4DF69D98079CBBF1FB4A310F6080AAD548A3654DB349E89CF40

Function 02F6AA98 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67700a0ca1da6082093a5c3fc5978dc82680651e8be6724439d8a82d1b9c1b52
Instruction ID: 6c5663b2272dd5a90d9e35bd6d396705dd4245f12f5fb47076a3aab0ae9e3fd8
Opcode Fuzzy Hash: 67700a0ca1da6082093a5c3fc5978dc82680651e8be6724439d8a82d1b9c1b52
Instruction Fuzzy Hash: D91132B1E0421ACFDB08DFA9C9486FEBBB6FB88340F04942AD615B3240D7755A45CBA4

Function 06088C08 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f355160eafb3b844b0a5cb3a54149f5f34ece62934dc6bbe2ebcea9e8c47f14
Instruction ID: c820a0b898da3534f117a76a900639c10d249e69c030f109f3b6f69c84c5d07f
Opcode Fuzzy Hash: 1f355160eafb3b844b0a5cb3a54149f5f34ece62934dc6bbe2ebcea9e8c47f14
Instruction Fuzzy Hash: FB212470D45209CFDB84DFA9D8587EEBBF4FB49300F908929C418A3245D7785A88CF91

Function 06391EB2 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f3f998527988c6d0f4e3a99379098a3cd34fddc5198f573ce23159de497c1e7
Instruction ID: 6f9bb552ffa795eafbb1c2ead4168add996dc4d4c79413baa70437351e88ce23
Opcode Fuzzy Hash: 5f3f998527988c6d0f4e3a99379098a3cd34fddc5198f573ce23159de497c1e7
Instruction Fuzzy Hash: BD316C78A016288FDB64CF68D884A9ABBB5FB49316F1041D9E80CA7351D734AEC0CF41

Function 0187D017 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1463191288.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187d000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431be758374cf1af245169d91a8a8b8cd7c64089fd189ad9aebbdd78084517fe
Instruction ID: b31668877298490a17416ed2267f7bd662ab2889a099eb4e8f75cdbb3e2d300a
Opcode Fuzzy Hash: 431be758374cf1af245169d91a8a8b8cd7c64089fd189ad9aebbdd78084517fe
Instruction Fuzzy Hash: B411BE76504280CFCB12CF54D9C4B16BF72FB84314F24C6A9D8494B656C33AD55ACBA2

Function 05F85D29 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974516672f86f7462e002f0929eb69d8d7df425ba66b808da7e41e1de6c52c9e
Instruction ID: 3475dbb1515038979d6d114d46b79eaa072045d6d9557c022978b2de16db26a6
Opcode Fuzzy Hash: 974516672f86f7462e002f0929eb69d8d7df425ba66b808da7e41e1de6c52c9e
Instruction Fuzzy Hash: 8E21DEB0D05218EFEB58DF5AD8C4BA8B7F2FF49300F0491A5E419A3265E7384985CF00

Function 063AF320 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95e03587ab46e6946bfdc20eb78c3f9a962702b382e1a675990f3e993e79fdc
Instruction ID: 7ca4c5f9329f4bd3c756cd39b8ab5958895826eac92915a8d06a5d6c98d273b8
Opcode Fuzzy Hash: c95e03587ab46e6946bfdc20eb78c3f9a962702b382e1a675990f3e993e79fdc
Instruction Fuzzy Hash: 4B01AC36340319AFDB148F59DC85F9F77A9FB88720F104026FA15CB290CAB1DD008790

Function 06085AC4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781677ce843f3062dfec43095a2df3ff9d71aac52eed8392069900b2214cf6dd
Instruction ID: d83c360a0c50d969be1690353d6cd4229331c7a8b0a87a97f88b0669801fe7b6
Opcode Fuzzy Hash: 781677ce843f3062dfec43095a2df3ff9d71aac52eed8392069900b2214cf6dd
Instruction Fuzzy Hash: 8D110770A4611CCFEBA8DF25E945BA9BBF1FB49300F0080E5D949E7255DA345E80CF50

Function 05F85B83 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b39bdffb224c046b85bac51a92d873e2dc23c8ce5768abb6dac717f033d11e5
Instruction ID: 881d9939a65d2e07d324e13e111a62694a906651baa3b6727bce2d65d0965f3f
Opcode Fuzzy Hash: 1b39bdffb224c046b85bac51a92d873e2dc23c8ce5768abb6dac717f033d11e5
Instruction Fuzzy Hash: 58219AB0D05218EFEB58DF9AD8C4BA9B7F2FF49304F0490A5E419A7265E7385985CF01

Function 0605D738 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd41c9e9d037c11f3366ad27375772de86023b4b1a2f49e336d2342fd40b5a9
Instruction ID: ef20f177cf6e0ea6d19a0d7b828dbca50c9324c5400cfdc81739ba3d9b9e75de
Opcode Fuzzy Hash: edd41c9e9d037c11f3366ad27375772de86023b4b1a2f49e336d2342fd40b5a9
Instruction Fuzzy Hash: 0701D2357407048FD7699B20D854BAB3BA2EFC5325F158A69D9124B3E0DB76EC82CB80

Function 063ADDC8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c31652858edc2392f378ae7c91cfb61bb62ccaa4c42e17b4e78385c0769071
Instruction ID: 153529d86ca0f00be95bd288910976b0ac08a5b2afc9479493ac0e86a809b03f
Opcode Fuzzy Hash: 38c31652858edc2392f378ae7c91cfb61bb62ccaa4c42e17b4e78385c0769071
Instruction Fuzzy Hash: FE11E5B0E0020ADFDB44DFE9C9457BEBBF5FF89300F10846A9418A7354DA355A418F91

Function 02F60B66 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b1eb8aeacaeade4d5b2d5bcd0098f1d64d2c50b7b2c73dd5b386df6e6ca559
Instruction ID: 2cb9685b1c18e0d5eefcee6ba229c487547339cdce7958f084da5cd61e403c08
Opcode Fuzzy Hash: 05b1eb8aeacaeade4d5b2d5bcd0098f1d64d2c50b7b2c73dd5b386df6e6ca559
Instruction Fuzzy Hash: 20115731E01219DBDB14CBA8D995BEDBBF2FF88354F60806AD411BB290DB759D40DB60

Function 0605D748 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b266dc5d849bc7fd767d3864e3ab2b14610831783475ce26c1b6537be274175
Instruction ID: 0a195a6c79a67a2c3b032a92e9d7b32eaa664256ac5a99666c3317b121210562
Opcode Fuzzy Hash: 6b266dc5d849bc7fd767d3864e3ab2b14610831783475ce26c1b6537be274175
Instruction Fuzzy Hash: C701D4357407048FD7A49B24D454A7B7BA2EFC9320F11866DD9524B790DF75EC82CB80

Function 05F86B88 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4690da7abd7fe76b141b692fde82a036a545886e35809c3e23a774eb4112a71
Instruction ID: 07f9e089b2af2885dc2d9db3cdf5509b48393b4ea0a41dea553e703ce5de1374
Opcode Fuzzy Hash: a4690da7abd7fe76b141b692fde82a036a545886e35809c3e23a774eb4112a71
Instruction Fuzzy Hash: C60129B1D04209CFDB54EFB9C9412BDBBF2FF59314F188269C418E2255E7384685CB90

Function 0605B643 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164bba17038e9a126a29ade73771fbe2730189bf3496fb450df611eaa8a473af
Instruction ID: 98558dfdea3a3bf66fd5cb92827c6a884cbf711191d7a84298a59bbf0dac4707
Opcode Fuzzy Hash: 164bba17038e9a126a29ade73771fbe2730189bf3496fb450df611eaa8a473af
Instruction Fuzzy Hash: C801A239340610DFC3599B25E514A5EB7A3EFCC721B208668E91AC73A0DF35EC42CB90

Function 06057291 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea2173ae175ded3ed3ad00fa58516850b122aaada2987425e86f13964b14bff
Instruction ID: ef5aaf5f614e060e1d7237de8aeb7bcb7bc8ddc18df7852dd0581aae43d649ae
Opcode Fuzzy Hash: 1ea2173ae175ded3ed3ad00fa58516850b122aaada2987425e86f13964b14bff
Instruction Fuzzy Hash: A9F0E294789B994BE3B5466C6C54356AFC0AF5AA24F0542AEFDC9C32C1C7284C868355

Function 05F884CB Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742d69d8badcc35199d2a3c32a077e5322439a520991cd792849fa83c9c1e919
Instruction ID: c269e6be61caeb88280b55b87c43a408de80bed9552e690f06b438bfb1a8f2f7
Opcode Fuzzy Hash: 742d69d8badcc35199d2a3c32a077e5322439a520991cd792849fa83c9c1e919
Instruction Fuzzy Hash: 0211A274904629DFCBA5DF24CC54AAAB7F9BF48311F0091E9E41AA7261DB315E85CF40

Function 063AA408 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38943f418800f00bcd7a3ec6f24909e3a3aa2a31d9d615a19d580a5579723da4
Instruction ID: b75f40114cd6d469b340cc9d2f61e0a4d6f58961534a7dc4fe9371219b4edd7a
Opcode Fuzzy Hash: 38943f418800f00bcd7a3ec6f24909e3a3aa2a31d9d615a19d580a5579723da4
Instruction Fuzzy Hash: 34F01971D463089FDB88EFBAC9482ADB7F9FB49600F4094A9D419E3714EA344A44DF80

Function 0605B650 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4b00fd72db368cb451d16036b172dd594e5514742ba053c974d8e67b0ce9a5
Instruction ID: dbd4b5308600cb0b5d864b71c9a95b01f8a3f43425c836c2e5d3806e82ddb460
Opcode Fuzzy Hash: 8d4b00fd72db368cb451d16036b172dd594e5514742ba053c974d8e67b0ce9a5
Instruction Fuzzy Hash: 2D01A439340610DFC3599B25E51495EB7A3EFDC711B208568E90A87390CF35EC52CBC0

Function 0605801B Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030e94f2056d93d3d3809cd52bc85db6a556a3be53cf6a9690b0fb7c862da28d
Instruction ID: 525bf792c5be148e04f76903d6f6f5617c8f00084893cf8d069a90fdcb8da633
Opcode Fuzzy Hash: 030e94f2056d93d3d3809cd52bc85db6a556a3be53cf6a9690b0fb7c862da28d
Instruction Fuzzy Hash: F7F02B367105085BCB689629D844A6BBBAAEF84320F048026ED15D7360DF719C06C780

Function 05F86670 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b65ade79b321fdae56375adba6c448b17758595cb71cbd5eaad843b6ae24187
Instruction ID: 6d8b1d2a96f8774b70d1924cf5d11b74e0fc54a524da7f3cb7cb95f25701c803
Opcode Fuzzy Hash: 4b65ade79b321fdae56375adba6c448b17758595cb71cbd5eaad843b6ae24187
Instruction Fuzzy Hash: 60014B71D0524CDFDB54EFB8D9056BDBBF4FB09205F2444AA9809E7391E7384A40CB51

Function 06057300 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e234eb28658d6f0dbde6ceb802a86067f0c17cda4236ebc74975dd19446594
Instruction ID: ddfc607285584a070ec6b08bab0fa481326945305ddd93712a772eb90208ab98
Opcode Fuzzy Hash: 98e234eb28658d6f0dbde6ceb802a86067f0c17cda4236ebc74975dd19446594
Instruction Fuzzy Hash: 07F05CE1B8E1645FD7F1156E6C5012BAF95EF86500746017EFC0ACB210E5108D47D391

Function 0605B3C8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442f5fdadd84581ae760c52767d33c8314d4906a205f37d006423f726c32bec9
Instruction ID: f399d858de6e414bf4954f58cf2e344d5cbdc76634bf9153829aa6c61ba7d7db
Opcode Fuzzy Hash: 442f5fdadd84581ae760c52767d33c8314d4906a205f37d006423f726c32bec9
Instruction Fuzzy Hash: 84F062793442009FC369DB25D898D2A7BA6FF89711B1540AEF986CB371CA75EC02CB51

Function 0605DE18 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7abbafa7770ed3d7d90fd9bdc721c6bc47a9e4aa35b9497b5240173431b70b9
Instruction ID: cb6ae18826ca8f82e61e56a8019575742e0ae0ac5ba421b8f744bf390e653443
Opcode Fuzzy Hash: b7abbafa7770ed3d7d90fd9bdc721c6bc47a9e4aa35b9497b5240173431b70b9
Instruction Fuzzy Hash: 5DF0BE32B813019FEBF526248C1175ABBA9DFA1641F1644AAD9029B2C0FBB1D801C796

Function 0608B608 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31667de31a274dcbbb8dac059158b150f926c3060c45a1300822f2f881d588fc
Instruction ID: 518ca340a37c3a3b35ff2b913aa395679559859d8ddcf3dd9d7360672386a104
Opcode Fuzzy Hash: 31667de31a274dcbbb8dac059158b150f926c3060c45a1300822f2f881d588fc
Instruction Fuzzy Hash: 5D014B31C0024ADFCF11DFA4C8009EEBB71FF8A314F04C559E99967251D73695A6DB90

Function 0605DE28 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f82dba58760c74bf5d10c2884124caf2df71cb63af392256f694b7e56d9882f
Instruction ID: 4b9d5924e5307fc03f4c33d62f9f75e6e13f9dfb1817989c2444f44149cb5982
Opcode Fuzzy Hash: 5f82dba58760c74bf5d10c2884124caf2df71cb63af392256f694b7e56d9882f
Instruction Fuzzy Hash: 6DF08C727C03019BE7B87A74AC1076ABB9ADFA1551F11847ADA06AB2C0EE72D801C785

Function 06086165 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15873e2cdcf38ee3ed62264b9b4ede6d1cb9613cb7a98e0a640118c421beb772
Instruction ID: c19e95d94271e97c6fb8ce0c32a3bd463b74155000104271ec61ede6b1fad104
Opcode Fuzzy Hash: 15873e2cdcf38ee3ed62264b9b4ede6d1cb9613cb7a98e0a640118c421beb772
Instruction Fuzzy Hash: FF11A274D042688FDBA4DF68D844BDDBBB2FB48300F1080A9D509A7758DB345E85CF52

Function 0605B3D8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94f79af5c5bab542eb701703651ec050c3a9abcdff7f43501995467fe33bc91
Instruction ID: 9116ad8515667dd1ddb62c7494ae9d538c792291df6d780848d58104cbefe916
Opcode Fuzzy Hash: a94f79af5c5bab542eb701703651ec050c3a9abcdff7f43501995467fe33bc91
Instruction Fuzzy Hash: C9F0FE793406109FC728DB19D858D2A77AAFFC9721B158469FA568B360CA71EC42CB90

Function 0608B618 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5633d5ea96573c4dfbdb9eb18300db38662e97620540f0ca648a06624406e22
Instruction ID: 1bab78cc12be1775a6d5a6eeb4aa0a9941098dc3140fea946eb7877611ee9775
Opcode Fuzzy Hash: c5633d5ea96573c4dfbdb9eb18300db38662e97620540f0ca648a06624406e22
Instruction Fuzzy Hash: 47F0EC31C0021ADFCF05EF95D8009EDBB75FF89324F14C519E95827210D775A5A5DB90

Function 0608A031 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde20899f0202ffbfbf91a6b84a4f4bfce6ce823be799c2b641e66bb7033cc32
Instruction ID: 61edbd33f4189ea1758f9fb62dedf990ad66dc2cd3e8be54db9ea599b3eba48e
Opcode Fuzzy Hash: cde20899f0202ffbfbf91a6b84a4f4bfce6ce823be799c2b641e66bb7033cc32
Instruction Fuzzy Hash: 47F0BE30946288AFCB49EFF4C914ABDBFB0DF47200F1401DAD84897221EA354B10DF51

Function 0608A078 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f50a149b4f1388bc3546e0ab5a66438c718fcc2032078ae49bce8917ea362c
Instruction ID: cad0c7fcaaa33e8bec3b6723822d79f31de7757c18b2cc482f303b44020738cd
Opcode Fuzzy Hash: b1f50a149b4f1388bc3546e0ab5a66438c718fcc2032078ae49bce8917ea362c
Instruction Fuzzy Hash: D6F09A30805208EFCF15DFA0D9819ECBF71EF0A300F14829AEC4057221C7325A62EF61

Function 060808F8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbd9d187eeda541f25ad64c1ccdc61f4c2bb5f04790abe33b5f426b42f31e03
Instruction ID: f1af2150ab03e7eddc817e7bf71e075a548cf959f0328f7c8e1412e898f0ff74
Opcode Fuzzy Hash: 3fbd9d187eeda541f25ad64c1ccdc61f4c2bb5f04790abe33b5f426b42f31e03
Instruction Fuzzy Hash: 91F0B870D05208AFCB94CBB8E880AECBFB0EB4A200F24829AC848D7311C6354A46CF90

Function 0608CDF1 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5484b17f1929598e28f481d2ef9df54135c4665a7ffec09ea2f88b89988f00e
Instruction ID: e22b6670c5491f80430bc54456bfe2929eb598666895772fd3188b3476854d84
Opcode Fuzzy Hash: e5484b17f1929598e28f481d2ef9df54135c4665a7ffec09ea2f88b89988f00e
Instruction Fuzzy Hash: 22F0EC34808288AFCB02CFA0C4415ACBFB0EF46210F1881EAD88587352DA314A22DB91

Function 05F82581 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b076d6368dd191eff99804c8b61f2a7c950825a369589a0074011e736d001bec
Instruction ID: 8af945471182aa67be7fbc908925a4a44527f0c9e30444a87ba2a65572064cf9
Opcode Fuzzy Hash: b076d6368dd191eff99804c8b61f2a7c950825a369589a0074011e736d001bec
Instruction Fuzzy Hash: C0F09A75D04288AFCB84DFA8C801BADBBF9AB09300F18C09EA858D7341C3399A05DF50

Function 06394915 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51d6d7b988a8e815453106cc70fcfa29637fe9f5d76bb1b77fac56360b137a0
Instruction ID: ac8a3e83b624a17a432f05588790e95f0dbf20725be858c624e4d4c8e0be552e
Opcode Fuzzy Hash: f51d6d7b988a8e815453106cc70fcfa29637fe9f5d76bb1b77fac56360b137a0
Instruction Fuzzy Hash: 3501E5B8905218CFEBA4DF18D894A89BBB5FB49300F1040D9D90DE3354DB389E85CF48

Function 060506D0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9487f0d3b5345ce6c79b301afe766adf770ad0b42b1886b154f80eb2d07530
Instruction ID: dadcb4efdbb8fbb5bfa46faae4f70a0bb09c8eba745066f10c05abf46495ba75
Opcode Fuzzy Hash: dd9487f0d3b5345ce6c79b301afe766adf770ad0b42b1886b154f80eb2d07530
Instruction Fuzzy Hash: F0F0E274E0460DAFFB1ACB58D45879E7FE6EB81318F048198E84697190DB740B80CF80

Function 0608C1A0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e5f4dc4410dc4a21008024c186537f588e0fecdd7a2dfd38db68dc124ddbbf
Instruction ID: 13d9bb4fe4278baa53e40a9af673b476b63b836a67b25d61599713456cda3ee0
Opcode Fuzzy Hash: f5e5f4dc4410dc4a21008024c186537f588e0fecdd7a2dfd38db68dc124ddbbf
Instruction Fuzzy Hash: D6F05435849248FFCB45DFA4D9419ACBF71EF4A300F14C1DAE85456255C6354A52DF90

Function 06057879 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0dec166f2b249f6cd9dc3062adb5fc98ad28ae1aff345bb32f020198228cd8b
Instruction ID: ee312b98c320aad5c038e363041db0ec6ea7dc46c7221a40fc7fc6eb703e712e
Opcode Fuzzy Hash: e0dec166f2b249f6cd9dc3062adb5fc98ad28ae1aff345bb32f020198228cd8b
Instruction Fuzzy Hash: FBE0E5B1304305DBD718DB2AEC84D4BF79AEFD0260700C53AE10A87122DE74EC56CB90

Function 060898A3 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53773d1b980989b120a88195d322e789f50c0497b99cb4472671afacee0940b8
Instruction ID: 6b456b1fc97b5c58a5200843a2604f88a5a9c53321899da924dceb9f6193a9db
Opcode Fuzzy Hash: 53773d1b980989b120a88195d322e789f50c0497b99cb4472671afacee0940b8
Instruction Fuzzy Hash: 2DF05830819248EFCF56EFB4D8009ADBF71EF4A300F18809EE84457262C7728A61EB61

Function 0608A8DC Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccd1eb09d80f0032ba19064cde1b166d6d916b88d067109bd7de418f78ed345
Instruction ID: 03617c27913c35c67583e413e7aa799f8f2fef81c9a8d3e3bb63146cca792177
Opcode Fuzzy Hash: dccd1eb09d80f0032ba19064cde1b166d6d916b88d067109bd7de418f78ed345
Instruction Fuzzy Hash: 66013E74A002289FDBA5DF54CC90B9CBBB1BB58300F1080D9D549A7250DB716EC5CF54

Function 05F82D48 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8be478c15f099e77938bf9bf55cc20a11db3a128331619aed39cd533b5097e
Instruction ID: f55937d875b0c4a40435baaf271fd774f59da7099f2f43cb74c418e5be9abc29
Opcode Fuzzy Hash: bd8be478c15f099e77938bf9bf55cc20a11db3a128331619aed39cd533b5097e
Instruction Fuzzy Hash: DBF030B6D44208AFD784DFA8C8457BCBBF5EB49301F14C1A9A858D7341D639AB41DF44

Function 02F60A2F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa43183595ae8ba712460ee3c6908a00074c9795a62037669e4203488482cfc
Instruction ID: b9662bb94f702e6231c307175970b994a5028888b2503de44a57a8f8e19a73ed
Opcode Fuzzy Hash: 9fa43183595ae8ba712460ee3c6908a00074c9795a62037669e4203488482cfc
Instruction Fuzzy Hash: C6F0A030B40A05CFD745DBB9E504BA9B3E4FF88761B408069D916C7320DB799C92CF81

Function 06089FB1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7865c429a2c10f4566f283722dee5b85985944f0f29e2fa1bba936ef7f1e25e
Instruction ID: 328ecc17f0dcbd7738b5f7270bc8c60871646ee72a29863107a927da43a3b8bf
Opcode Fuzzy Hash: c7865c429a2c10f4566f283722dee5b85985944f0f29e2fa1bba936ef7f1e25e
Instruction Fuzzy Hash: DBF08C30C49288AFCB59EFB8C5905BCBFB0EF4A200F2481DEE84497342D6354A91CF51

Function 06081490 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7b9a14cfc9e69f3ceebaf30f11ad0979af2de3bc1b1a41bc3220839aa271ea
Instruction ID: 918f1659097689d464b134e525eaea80783a733a688a67f9ad3534c427dfc8f5
Opcode Fuzzy Hash: fc7b9a14cfc9e69f3ceebaf30f11ad0979af2de3bc1b1a41bc3220839aa271ea
Instruction Fuzzy Hash: 13F0E53084D244DFCB45DBA4D8519ECBF70EF83319F24A2DDD8445B342C6364A02CB91

Function 06088DA9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13559bbfcdffc944d55dc0752e29666b76bec1a51dae55e53bd3a8250bad198
Instruction ID: 8cad6f9876811670b2077cc36fe8a026d51c7f5396d2952a0f3eedaa77f353cc
Opcode Fuzzy Hash: e13559bbfcdffc944d55dc0752e29666b76bec1a51dae55e53bd3a8250bad198
Instruction Fuzzy Hash: E2F06530955254EFCB85DB74C8816ECBFB0DB4A200F14C1EEC808D7362D6324A46CB41

Function 060801CA Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b651527d1c3839f9048cd86b19c6d492e5c2dd35d38bc05215ecfdb2c12bcd4
Instruction ID: 687e132a206ce5130bf7f3a7782c737691cfa7af4d35f2a7cbcef1ac6f02513a
Opcode Fuzzy Hash: 3b651527d1c3839f9048cd86b19c6d492e5c2dd35d38bc05215ecfdb2c12bcd4
Instruction Fuzzy Hash: D4F0A03484A2449FCB48DB60D8415ACBF70EB42324F14419DD84557302CA351A45CB91

Function 06088D19 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259c837ee5e0c629cf0490ab3eb6e803a7bd3ce493996adb1dba49c41d74b5eb
Instruction ID: 39fb2e9c37f0aff871a6c58e9eb9f41c0a7412f7ddebf0817a3a062bc1c2e859
Opcode Fuzzy Hash: 259c837ee5e0c629cf0490ab3eb6e803a7bd3ce493996adb1dba49c41d74b5eb
Instruction Fuzzy Hash: F8F03934C4A358EFCB46DFB8C5459ACBFB4EF4A200F1481EAD8449B361C6359A44DF85

Function 06086A63 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7193e4810a170cb140a7b2ec75396002aa19c00774e27902c8bd7ef83e6e8a13
Instruction ID: 9f5bfd3aa110e319a5ce864254a831ccfc63358ed44d3df20832579a89fdfa69
Opcode Fuzzy Hash: 7193e4810a170cb140a7b2ec75396002aa19c00774e27902c8bd7ef83e6e8a13
Instruction Fuzzy Hash: DCF08C30E492489FCB95DFB8C8516ACBFB0EB4A200F14C1EAC858D7352D2354A42CF90

Function 06082270 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d170c5fff4fe628a373751531b6124f2d6c7a6f8bae64af6191eaa4d49ff47ce
Instruction ID: 9c0bd9077f153e874af893f4b18b2f882f70030facc840fddab38bc7833a7f78
Opcode Fuzzy Hash: d170c5fff4fe628a373751531b6124f2d6c7a6f8bae64af6191eaa4d49ff47ce
Instruction Fuzzy Hash: 91F0A93080A342EFDB05EF64D900AA9BFB0EF07200F2442EEEC8487212C7354E56DB91

Function 06082BD1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a480f19efb003104295fb1439221ccc044644cce5cc375c2d79c09793accae55
Instruction ID: a903d68b81aeee3d0dc6d4a940c70aad8b008d9d2e4f598853f8d6faf16c9369
Opcode Fuzzy Hash: a480f19efb003104295fb1439221ccc044644cce5cc375c2d79c09793accae55
Instruction Fuzzy Hash: 8CF0A93480A284AFCB19DFA0D990AACBF70AF4B301F2881DAD88457302D6350A62DF90

Function 05F82590 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee01f0d913c04f040f11a9be04f571489a6ae716dc2db785295c9e127498359
Instruction ID: 6c752d3fbc0d6652964f05099b8b12b0001d577150fa4d61bdd32672bdc27fcf
Opcode Fuzzy Hash: 3ee01f0d913c04f040f11a9be04f571489a6ae716dc2db785295c9e127498359
Instruction Fuzzy Hash: E4F05874D04248AFCB84DFA8C800AADBBF9AB49200F14C09AA858D7240C2399A11DF50

Function 05F86B37 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56122ddb7b8d2a25eafada4fd679c1fda15755be5f5dcdba5b5918eeaea73aa4
Instruction ID: e4e2317757ff67a7a0b0e66d5eef8adead0a00f4f551b823369573bc07968e20
Opcode Fuzzy Hash: 56122ddb7b8d2a25eafada4fd679c1fda15755be5f5dcdba5b5918eeaea73aa4
Instruction Fuzzy Hash: 54F0F274D05208DFDB54DFA8D485BACBBB0EF4A304F2881A9D805D7315C2389A12CF50

Function 060506E0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfbafd722e7163721133c73fecd1d4e74b2eebb711e34d8858a73f0301b5f003
Instruction ID: 0ae9e745c85648608067c296fecb708ebf4f665d03a3865f52758c3b59bcd178
Opcode Fuzzy Hash: bfbafd722e7163721133c73fecd1d4e74b2eebb711e34d8858a73f0301b5f003
Instruction Fuzzy Hash: D5F06D35E0421CAFEB59DB98D4586DDBFF6EB84310F058099E40697290DB745BC1CB84

Function 06080E5A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7887a9c7de059a1932fbfbddb43bdfcdfb39f78e9f0f09e647a273a7076deb2
Instruction ID: 9e40476982992da8af85aeb7298e4ed017e75e7742b8728acec85d0cc41e639d
Opcode Fuzzy Hash: a7887a9c7de059a1932fbfbddb43bdfcdfb39f78e9f0f09e647a273a7076deb2
Instruction Fuzzy Hash: 2BE02230949344EFDB19DF60D8008BABFB0AB47201F1880EED88697242CA320A09CB91

Function 060877D1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2e1be1843af256539977cf65e42c82cfe35e3477bdf0ea04b42ba7247a906e
Instruction ID: 16975dddad14056252aac13f4f9048e458f9cb2da05b0ba70c01e1c3dfa3c52f
Opcode Fuzzy Hash: 7e2e1be1843af256539977cf65e42c82cfe35e3477bdf0ea04b42ba7247a906e
Instruction Fuzzy Hash: 73E0923094E2989FDB16DB74D5506EEBFB49F47200F2482EAD88467156CA300EA8DB65

Function 0608B833 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f1f746e230cd3695a26130a39037982002b96f9566d80fa365026b105f3edc1
Instruction ID: 22574012ca79c1e23ee9efc715238a6d3262c3804c0c8e97fc979be729768548
Opcode Fuzzy Hash: 0f1f746e230cd3695a26130a39037982002b96f9566d80fa365026b105f3edc1
Instruction Fuzzy Hash: 02F0B7B294021E9FDB60CF54CD40FE9B7B9BB08304F1081A6A519A7251D7319B85DF50

Function 05F82168 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc566ed5a7912fa3ef39c5c3849d220c5925cfa5d95da9e8ac50f6032fecd8f
Instruction ID: 30feaf90b2db76cbd67cc1576390a8a34de05201f183e275e99cc09bb1a836dd
Opcode Fuzzy Hash: 6fc566ed5a7912fa3ef39c5c3849d220c5925cfa5d95da9e8ac50f6032fecd8f
Instruction Fuzzy Hash: 93F0A074D0A308EFCB04EFB4C8046ADBFB4AF06301F5480AAC804A7352D2399A05CF40

Function 06057888 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0627f5b9bd56ac6d0fb4185c9cd778b000513f938d74242355b26228006368
Instruction ID: b427a9e99db674112fb1c4d5ace8dba655f783c7cb7b4d7596a42f5d94ef4b9e
Opcode Fuzzy Hash: ec0627f5b9bd56ac6d0fb4185c9cd778b000513f938d74242355b26228006368
Instruction Fuzzy Hash: C7E048B13043059BD7189A57EC84C4BF79BDFD4264710D539E10E87225DE74ED55C790

Function 0608768B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3b5e6fae05e6ca3e4ba6e158241f99a6fa7ba31fd3db20d7916901039daa58
Instruction ID: d3f80111cf3195daff8d852e145a48534c156db346b553419ff80b8163665db4
Opcode Fuzzy Hash: ef3b5e6fae05e6ca3e4ba6e158241f99a6fa7ba31fd3db20d7916901039daa58
Instruction Fuzzy Hash: B9E0223080A244DFCB45EF74C8006ADBFB0FF07301F20419AE84097222D3340AA4DBA4

Function 0608577A Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61198bc439bbbcbe8e74a7c10198be4dd923dbbce14b9a6a4bb17c65fba638d6
Instruction ID: 85d2d2bd99c17ef2d6b8f4a6d3a366bd81f3efaaf3b6d45adfb91a757d7cae87
Opcode Fuzzy Hash: 61198bc439bbbcbe8e74a7c10198be4dd923dbbce14b9a6a4bb17c65fba638d6
Instruction Fuzzy Hash: 93F01D70A05258CFEB64DF24C841BA9B7B1FB48300F0040EAD90DAB3A6DA355E818F10

Function 0608A79C Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc660869948cf29c681f0054033583a0049e89876e2316dcdd6a4478a6b8abce
Instruction ID: 7cd069511e937670bf306d39538d5c4015e1dc12779984dc15f9e9f311506535
Opcode Fuzzy Hash: cc660869948cf29c681f0054033583a0049e89876e2316dcdd6a4478a6b8abce
Instruction Fuzzy Hash: 4AF0CF74A402A9CFDB24DF2AD844B9CBBF2AB88304F0484E6D409A6220D3399EC5CF00

Function 060884C8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80cb7659b4b57e27d3e6c45897e4b5e3b03e7610741b87974491c4d329421a0d
Instruction ID: fe7703bb0817841894b1945844a473bc2b87ba9b4a599e7de689397d970fa190
Opcode Fuzzy Hash: 80cb7659b4b57e27d3e6c45897e4b5e3b03e7610741b87974491c4d329421a0d
Instruction Fuzzy Hash: 47E09A35C88214DFCB54DFB4E4856ECBFB4EB87200F24919DC80867391CA314A86CB44

Function 06083DD1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b3a802497006a64fbf738e3e8150fa4eb89d66a28ae8b6e9cf3ac846054ddc
Instruction ID: 9becabcf4ec4d12a99ceec157aca404a3cedb091b65c9da5809ea4703a480ae5
Opcode Fuzzy Hash: 08b3a802497006a64fbf738e3e8150fa4eb89d66a28ae8b6e9cf3ac846054ddc
Instruction Fuzzy Hash: 77E06D30949244DFCB08DBA4E9819ACBF70EF86304F248199D80557351CA715A55CB50

Function 02F6A890 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890260e9962848bf257da0b18954889320c25cfcfc2788e2f0649b32ae850a16
Instruction ID: 832093636fb6b7e398ae22d0e65ad1319cf1679bb1dc6a5ac7b61f3f95d7bbe4
Opcode Fuzzy Hash: 890260e9962848bf257da0b18954889320c25cfcfc2788e2f0649b32ae850a16
Instruction Fuzzy Hash: DDF01534E04208EFCB84DFA8C444AACBBF4EB49300F10C0AA9C18A3310E7359A52DF80

Function 0608369A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb62db8d69e50a7a0dfcca7cbcda1013bc63a553b3bc0a9f85f5d2ffe94645b
Instruction ID: 0494b9e1a41a6bdf4a5cdff467e6b61562681d4bc9784399186eebeeacf92562
Opcode Fuzzy Hash: 1eb62db8d69e50a7a0dfcca7cbcda1013bc63a553b3bc0a9f85f5d2ffe94645b
Instruction Fuzzy Hash: 94E06D3090A244DFCB18EFB4D9515ADBF70EF87600F24D1DEC8445B365C6314A5ACB51

Function 0608DF30 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1d3e7513ac277aeefcf8a662020e9c2e863ebb87424d5c62bee16e013ab3a7
Instruction ID: fd2cbde57a13a6fb0ace9b6e71a7e4737f13b5eb7acee4fe0577ead32a71f2d5
Opcode Fuzzy Hash: 6a1d3e7513ac277aeefcf8a662020e9c2e863ebb87424d5c62bee16e013ab3a7
Instruction Fuzzy Hash: 4BE04F3048F398DFD756DB74A854AA97F7CDF03101F1501EDD4488B2E2CA758A14D7A1

Function 06085DAB Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d57f32e15a340cb67e7c328b91341e959f7355182c6feaa604c19de6b18941
Instruction ID: 7149242d9d97996a70e3d88323e90e622b9a67e12a6f944d97ad1356d78799fe
Opcode Fuzzy Hash: 02d57f32e15a340cb67e7c328b91341e959f7355182c6feaa604c19de6b18941
Instruction Fuzzy Hash: 04E0923084E3849FCB96DBB499592E8BFB49F07201F2840DBDC8487292D6354B55CB51

Function 0608DB69 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2998e1fcbd9e427a24bfc53b2c1f266e3fd316c5bbcaa937b887267e4ebce64b
Instruction ID: 53bf5c6058048b13b983b1b09e9124db4411f61ec9d98a562f4e3eecbfded600
Opcode Fuzzy Hash: 2998e1fcbd9e427a24bfc53b2c1f266e3fd316c5bbcaa937b887267e4ebce64b
Instruction Fuzzy Hash: C8E0863044A2A8DFC745DAA0D8126A47B74DF03214F1485DA940857692C6724E46C7D1

Function 06088BB8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c40b5c3a88f983f96dcecc7dddd563aff985990770c907365fa0634d3d4f55
Instruction ID: 05e3bd3d3d483f95608fba803c567a385de1e671741479bedfef13781e64482b
Opcode Fuzzy Hash: e9c40b5c3a88f983f96dcecc7dddd563aff985990770c907365fa0634d3d4f55
Instruction Fuzzy Hash: C2E0923088E394DFCB85DBB499111ACBFB09F47200F2881EED88497352DA354A06DB22

Function 02F65C00 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68eb6f58feea821408736ae77cb1d29d0af7f94083f346ddde199d717d5d2116
Instruction ID: d2f93d8bda0b63d12073391435a2091ebb5b2d2fb2e970535d9d860e0322a869
Opcode Fuzzy Hash: 68eb6f58feea821408736ae77cb1d29d0af7f94083f346ddde199d717d5d2116
Instruction Fuzzy Hash: E7E0DF31D0A248DFEB64DBB4D40C3BC7BEAE703304F500498C909A3242DBB14A88DB56

Function 06393E11 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac54e9150d8b4658000a999921890c36b2a56712d9400942d6ae0e62cd4ff3d
Instruction ID: fbea68fb37c44bab54fe7a3ad1eb0cc6bb7a8e00d8403b1e98bfaf7a50ed3072
Opcode Fuzzy Hash: fac54e9150d8b4658000a999921890c36b2a56712d9400942d6ae0e62cd4ff3d
Instruction Fuzzy Hash: 36F01774A00218AFDB50DF58CC889D9BBB5FB98300F140198A419E3354CB359E858F59

Function 063A4E90 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1920c7a720b8c9a06bbe77b4ea12705eed3d088856956d0ee99f15aaec5f42
Instruction ID: a04e19b2ab32bd5832012918e034c61bcb2acfbceb23d6b4a08e4fbb1a170153
Opcode Fuzzy Hash: 7e1920c7a720b8c9a06bbe77b4ea12705eed3d088856956d0ee99f15aaec5f42
Instruction Fuzzy Hash: E3E0C274E05208EFCB94DFA8D544AADBBF4EB49300F24C0AA9818A3351D6759A56EF80

Function 063A92C8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1920c7a720b8c9a06bbe77b4ea12705eed3d088856956d0ee99f15aaec5f42
Instruction ID: d2fbb8bf2a9494c1d1ba9cb8c4516b730a434b76dffbc506a237b9195cf8ed95
Opcode Fuzzy Hash: 7e1920c7a720b8c9a06bbe77b4ea12705eed3d088856956d0ee99f15aaec5f42
Instruction Fuzzy Hash: 51E0ED74D0420CEFCB84DFA8D544AACFBF4EB4D300F14C0A99808A3350D6359A55DF84

Function 063AADF8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1920c7a720b8c9a06bbe77b4ea12705eed3d088856956d0ee99f15aaec5f42
Instruction ID: 33b143c6845c3f269ac6abc88f3f4eb0b859432d3b2206685cdff9d00120b10f
Opcode Fuzzy Hash: 7e1920c7a720b8c9a06bbe77b4ea12705eed3d088856956d0ee99f15aaec5f42
Instruction Fuzzy Hash: ACE0E575E04208EFCB84DFA8D544AADFBF4EB59300F14C0AE9808A3351D7359A65EF84

Function 06087031 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80008972d7cf07031b87a8969e8faf84520247a96a0fd1118ca3cf660f7c3ce
Instruction ID: b421783945748334b1fc4c23dfe0db8eaf75978257f7120b914dc940e8a17e16
Opcode Fuzzy Hash: b80008972d7cf07031b87a8969e8faf84520247a96a0fd1118ca3cf660f7c3ce
Instruction Fuzzy Hash: D1E0923080E284DFCB46DBA8D51126CBFB49F07201F1840DED8889B296D6368F16EB91

Function 06087968 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb091f9718babd36b4a4335849688bd716bf8c828b4f122d1055332ab60a1196
Instruction ID: 115a7d79454c5b5af876199befa4b796fa24079f5093581928a1aae82d17225d
Opcode Fuzzy Hash: eb091f9718babd36b4a4335849688bd716bf8c828b4f122d1055332ab60a1196
Instruction Fuzzy Hash: C5E09A71886288DFDB61EFB4D914AEE7BB1DF07300F1445EAC04197221EA344A00DB82

Function 0608C1B0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42b18b03e5a0c9cce3a2b56760e8b5b953ab1b340792a9ef47a5a80ae07909d
Instruction ID: 9e597985614de0d896e557f0eecc5c230a09c92e111154bc54703c3b2fc107a6
Opcode Fuzzy Hash: e42b18b03e5a0c9cce3a2b56760e8b5b953ab1b340792a9ef47a5a80ae07909d
Instruction Fuzzy Hash: 69F03235C44208EFDF45EFA4C840AACBFB5EB4A300F14C0AAEC5856350C6329A61EF90

Function 05F86097 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47927057a8efda64402529426ead08de6173386571a416c752c7ccd80fae4f18
Instruction ID: 2c6cbddbfc645e9d799fe7995404bf3615bab16caf0a027006cac7ed7a134294
Opcode Fuzzy Hash: 47927057a8efda64402529426ead08de6173386571a416c752c7ccd80fae4f18
Instruction Fuzzy Hash: B0E01AB1D46248DFDB55EBB8D489BACBFB0EB1A202F2441ADC905D3355E7785A44CB40

Function 063948D7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c8479b31598d97b3386ceaad0592e216c6889148e1cabca79f6135dddbd8f7f
Instruction ID: 8e10ac8f8c3ca13e5a4e0ff2e028f4b6d1b853018110cba862281b068e5fe4b3
Opcode Fuzzy Hash: 6c8479b31598d97b3386ceaad0592e216c6889148e1cabca79f6135dddbd8f7f
Instruction Fuzzy Hash: 7EF0D0B4905258DFDB91DF24D888698FBB4FB49308F1040D9C94AE7249D77D8E89CF64

Function 063A8918 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a442e999c589899a8aacf41ff5a17fbfff12bd891308708775bfa2495818893
Instruction ID: 08385b32730c14c6f239f01e1eab82267875ba0ac24f6e9f2546dec1ca824515
Opcode Fuzzy Hash: 4a442e999c589899a8aacf41ff5a17fbfff12bd891308708775bfa2495818893
Instruction Fuzzy Hash: 8DE01A74E04208EFCB84DFA8D5446ACFBF4EB49304F14C0ADC80893340D6359A06DF81

Function 06086A70 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffed3b19a7b41312700672eb38946130d9b571193e69e8083ad6e5092ff1ee8
Instruction ID: f44af7aded005da35766e55d47c443374415caa213ee3980fef70af32d438f12
Opcode Fuzzy Hash: 9ffed3b19a7b41312700672eb38946130d9b571193e69e8083ad6e5092ff1ee8
Instruction Fuzzy Hash: 24E01A74E44208EFCB84EFA8D5456ACFBF4EB49300F24C0AD885893340E636AE41CF80

Function 05F82178 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c29318782e85a12ed5f17b6ff2d9a4df969184648a2a7c52b090a5a264faa0
Instruction ID: 040a566eb6c6c1fbb3cacfa19330131ea1c41d263916000580a35f502aaff57f
Opcode Fuzzy Hash: 34c29318782e85a12ed5f17b6ff2d9a4df969184648a2a7c52b090a5a264faa0
Instruction Fuzzy Hash: 38E0E578D05208EFCB58EFA8D4046ADBBB5AB49301F6080AAD808A2310D639AA55DF84

Function 05F8D558 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c29318782e85a12ed5f17b6ff2d9a4df969184648a2a7c52b090a5a264faa0
Instruction ID: c21b2d78ae9cd8251ea4b7a33513076fa0a4a7736ebf5bc962d49fae1423cd85
Opcode Fuzzy Hash: 34c29318782e85a12ed5f17b6ff2d9a4df969184648a2a7c52b090a5a264faa0
Instruction Fuzzy Hash: 06E0E5B0D05208EFCB54EFB9D4046ADBBB5AF49301F2080AAD808A6350D6399A54DF84

Function 05F8FAC8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883017b6a8e8ecf2468f3be52a9684531be2db5044fda58d9a23e21c68b1cad9
Instruction ID: 94a8d9e1ec9b5e223223e7962ce3e1281c3906a030a14a69659e14289f56f16b
Opcode Fuzzy Hash: 883017b6a8e8ecf2468f3be52a9684531be2db5044fda58d9a23e21c68b1cad9
Instruction Fuzzy Hash: C4E0E574E04208EFCB44EFA8D5446ADBBF4EB49210F14C0E9881993340D6359A06CF40

Function 02F65B58 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57781afce6c651c1926c35d5d8752dfcd5e1329413216aab4ea3e5af0908b029
Instruction ID: 16c648e74a65b879810f78b2eeab535f70ea613a6902f92238bbc063007a579b
Opcode Fuzzy Hash: 57781afce6c651c1926c35d5d8752dfcd5e1329413216aab4ea3e5af0908b029
Instruction Fuzzy Hash: 19D05BB14C93819ED71512615C1E3793F34D7037D7F152446D545991F687950044C742

Function 063AEAD8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e054bbdaaf0968d1110e5bad1cf2104cd241dcd91dbfab9d3513bbd9e6105275
Instruction ID: 48fdd9d6006fc5476bd5b2a1ae6348d83dfb2945496b2bc50064031bafe8785b
Opcode Fuzzy Hash: e054bbdaaf0968d1110e5bad1cf2104cd241dcd91dbfab9d3513bbd9e6105275
Instruction Fuzzy Hash: FDE02674808218EFC704DFA8D54097CBBB8EF46300F14C09DD80457340C6719E41EBD0

Function 06052350 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f95424b4cbb86b6ebe55d0d89458a74423f28a427413d0e35626eba67c1c39
Instruction ID: a9acaa5cfb21c1a0a008266df026464967d3a8a2501c10ec7165e264bcec159f
Opcode Fuzzy Hash: a3f95424b4cbb86b6ebe55d0d89458a74423f28a427413d0e35626eba67c1c39
Instruction Fuzzy Hash: 85E08673AC031196EBF4AB608D417662B845F41685F57485ADE156F1D0D7B29841C641

Function 0608CE00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c4356fb9533ed5e3e2ebcdd81ebe6b6637665b23c005b3aa616d62f76f252c
Instruction ID: f3efa116cc51b6587124112c7f77a836a64ac87c4e3c318cea06e14cd7e98ad4
Opcode Fuzzy Hash: a2c4356fb9533ed5e3e2ebcdd81ebe6b6637665b23c005b3aa616d62f76f252c
Instruction Fuzzy Hash: F2E06534C04208AFDB44DFA4C401AACBBB4AB49201F18C0AA988453341D6319A61DF90

Function 05F8D270 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be32c3d930e9cff37b9b0721a2f8f07a9f2c803062440e883d0eed84744d049
Instruction ID: 13665b9842a4a614a147dd6ca9b375f2011df31cd6fff7a7b3202049b7500fa5
Opcode Fuzzy Hash: 4be32c3d930e9cff37b9b0721a2f8f07a9f2c803062440e883d0eed84744d049
Instruction Fuzzy Hash: EFE01A70D49208EFCB94EFB8D4046ACBBB9AF4A301F1080A9881893340D7389A40CF80

Function 02F6FF10 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa35ca653d2dbec52f972ed41aba3391e1e6fb4265f43fe4c646fa108064ad9
Instruction ID: 4c922864641700a3ad2af2f978b844d0f36e5e35724eca56f746dd7dc1cc1edd
Opcode Fuzzy Hash: baa35ca653d2dbec52f972ed41aba3391e1e6fb4265f43fe4c646fa108064ad9
Instruction Fuzzy Hash: B2E04F74908208EFCB04DFA4E54496CBBB5EB46300F148299D80557350C6319A51DB84

Function 063A7AD8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026bfb3173349d8592e85d44674f5a6982c8055be432e7d7d9285a485848c6a1
Instruction ID: ea9e1cd2443a54e630604c557581ec8d63b55a437273abd23b8d69ccfbc2813e
Opcode Fuzzy Hash: 026bfb3173349d8592e85d44674f5a6982c8055be432e7d7d9285a485848c6a1
Instruction Fuzzy Hash: 11E01A34D04248EFCB44DFA8D5816ACBBB9EF4A200F1480AD880857341D6759B46DB85

Function 0605A215 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45773cbdd4b6f69def62db8bc552bef677e358b94ca4a1a7c558ecc81aae73c2
Instruction ID: 982150b773301132a3d0c33d6723df4a22b2e9f6f37dc91f6ce86a002050389f
Opcode Fuzzy Hash: 45773cbdd4b6f69def62db8bc552bef677e358b94ca4a1a7c558ecc81aae73c2
Instruction Fuzzy Hash: EBE02C3AB000089F9F84DE2CE4804DEBBA6EB883217408225EA81C3202C6300A1B87E1

Function 06052360 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb48c6e72271e873bb040d55a29957248e12f86c2b7861d9dca7d8f8547ba4e
Instruction ID: 3e1538ee9cac0fab02492cf8fea5b824791a691692ae634ef661b4a4d5034de9
Opcode Fuzzy Hash: 5cb48c6e72271e873bb040d55a29957248e12f86c2b7861d9dca7d8f8547ba4e
Instruction Fuzzy Hash: DAD02B327C03019BDBF46A608C0076737CC9F82650F520869EF055F180C9F2E881C392

Function 06087698 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5927140337701b3f1c90e436c47b4b42d94d2194e29f17d25f7befb3ec2f9838
Instruction ID: 13389695d4d63006b10137d4db0fe405fdf34534e7fb1f8b26fb06f91d069eab
Opcode Fuzzy Hash: 5927140337701b3f1c90e436c47b4b42d94d2194e29f17d25f7befb3ec2f9838
Instruction Fuzzy Hash: A0E08C30C45208EFDB48EFB4D8049ADBFB9FB06311F2080ACD84427214C7358AA4EFA4

Function 060877E0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca3e225a00b28e20b6d88bfbd67618b987fa5a894ceb47b13c5423381528bec
Instruction ID: 31616059fa11dfd098cc1374d16acd81131ca90e090497e9cc1ea270b4778bfd
Opcode Fuzzy Hash: aca3e225a00b28e20b6d88bfbd67618b987fa5a894ceb47b13c5423381528bec
Instruction Fuzzy Hash: 04E0C270C8A108AFD744EBB8D500ABDBFB89B47301F2090A9D84423254CA304A90EBA5

Function 02F6EB48 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c7667bc942287130a077f406dbadba7536c0746e6619ee3f481779280e2385
Instruction ID: ff10d771254e6743e6d78ed6a14a1e3f135ec04040144cf09f3f3823f46ee674
Opcode Fuzzy Hash: 22c7667bc942287130a077f406dbadba7536c0746e6619ee3f481779280e2385
Instruction Fuzzy Hash: 70E0C239D09208DFCB08DFA4D54497CBBB8EB46304F24809CC80927341CB319E02DB88

Function 02F609EF Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9c64fc5714df7a5701571e44ef50c0e4990331db1fad2280e9f487d1e7926d
Instruction ID: f8645b38fbe0e4d770d186afde2f101a4be4e476a92c82eb0a38988e6299bd25
Opcode Fuzzy Hash: 2a9c64fc5714df7a5701571e44ef50c0e4990331db1fad2280e9f487d1e7926d
Instruction Fuzzy Hash: 7DE08634244644DFD745DB71E514A6077E5FF4821172080E8ED09CB335EA36EC51CF91

Function 02F69868 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1e71c2c4114076a932d445e47d523f32557e8369000f0ab77c951422ed6cb7
Instruction ID: 868bf9b500260de3bcfc17c84fee5715e9bb77c858b4ecc58879c7b316ff68e4
Opcode Fuzzy Hash: 3f1e71c2c4114076a932d445e47d523f32557e8369000f0ab77c951422ed6cb7
Instruction Fuzzy Hash: 25E0C231881248DFDB44EFF0C90869E77F8EF07202F1000A9C20597110EE714A04DBD2

Function 063ACCE0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f88549848406dbaa40bc8723f486f26b15eb1397c0126fff1fda6e51442af81
Instruction ID: 1c1f0d6556cfba6e4d52ba03f9e3ae83cf69c7b213a40bd888c5abfa5470adf7
Opcode Fuzzy Hash: 5f88549848406dbaa40bc8723f486f26b15eb1397c0126fff1fda6e51442af81
Instruction Fuzzy Hash: 6EE08C34D08308DFCB08DFA4D54066CBBB8EB46300F24909D8C0927344C6319E46DBC0

Function 06080E68 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction ID: 321b0a1ad0c74019e9e3b1c259a8b40801e2bf5fba99807a8a746e1079591062
Opcode Fuzzy Hash: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction Fuzzy Hash: 37E0C234D48208EFCB48EFA4D54056DBBB8EB46301F24C0ACC80917341DB329E46CB80

Function 060836A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction ID: 7c170b5a1df080cb03b8b12bee12e74edf86717addac21d04bf2d5d059ffcb2c
Opcode Fuzzy Hash: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction Fuzzy Hash: 2AE08C34948208DFCB48EFA8D94056CBBB8AB86304F2490AC884817350CA319E52CB80

Function 060814A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction ID: 6e74831941a119a71f1505cec8ad72df0e5faf2addeb24e6e4e6c279fd5af5e9
Opcode Fuzzy Hash: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction Fuzzy Hash: F0E08C34948208DFCB48EBA4E54056CBBB4AF86318F2491DC880817340C6729E42CB80

Function 060884D8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction ID: f93dac37242c40b2c10663107c5e53f385c4f2865083007d50b5c57b1c3ae2d7
Opcode Fuzzy Hash: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction Fuzzy Hash: A1E0C234D48208DFCB48EFA4E54196CBBB8EB86300F24D09CC80817340CA319E42CB85

Function 0608D5A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction ID: db6255c7a9b01f73ebd5aabac662cc5a62f2a0c32d68b86d6638890d3a9d7f67
Opcode Fuzzy Hash: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction Fuzzy Hash: B3E0C234D48208DFCB48EFA4D54056CBBB4EF46314F24819EC80817384C7719E42CB80

Function 06087DC8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction ID: 6cdb54361a5865b8046a6ddcc3aecd89613bd2e0d6592c1976dec7218464ceb7
Opcode Fuzzy Hash: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction Fuzzy Hash: 5BE0C234D48208DFCB48EFA4D94067CBFB8EB46300F34809CC8081B344CA31AE42CB80

Function 06083DE0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction ID: 9cdd1e4859a8cd774f41d1e2b05bf0dc107264e6223514264e3bb77283e3efae
Opcode Fuzzy Hash: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction Fuzzy Hash: D1E0C234D48208DFCB48EFE4E58156CBBB4EB86300F24809CC80917340CA719E42CB80

Function 06082280 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction ID: 1f4a702dda556fc55257cee56188f8afdab2abff4ba155e50ddf4a287c6a89b5
Opcode Fuzzy Hash: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction Fuzzy Hash: 38E08C34D48208EFDB48EFA4D544AACBFB4AB46300F24919C880817341C6319E82DB80

Function 06082BE0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction ID: a7d153597bd130f35f9b26d89c3eb20e7a6f0e26734d8b52bd9dd58611a72a09
Opcode Fuzzy Hash: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction Fuzzy Hash: 9EE0C234D49208DFCB48EFA4DA4066CBBB4EB46300F24809CC80817340CA319F42DBC0

Function 06087978 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c4516a4e547b26768c5b2e8a5b8cf725a180c6dd5d211b3a957ed1f65d962e
Instruction ID: 94657b44d814cb982606782d1e8fd36828304ce87ccf16cd0154a691e551a65f
Opcode Fuzzy Hash: a0c4516a4e547b26768c5b2e8a5b8cf725a180c6dd5d211b3a957ed1f65d962e
Instruction Fuzzy Hash: ADE0C23184224CDFDB40EFF0C9047EE77E9DB07200F1040A9C14493110EE714A00DB92

Function 060801D8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction ID: c5f479fee7a8a4c4302d8bf682b984c2a2ca47b359f57fdfff3a0afcece27b1b
Opcode Fuzzy Hash: 5da8a1395821ab5bf564578615c05c1aec85e5b5d1bf7761128ae942c0c61dd0
Instruction Fuzzy Hash: 62E0C234D88208DFCB48EFA4E94156CBBB8EB46314F24819CC80917341CA319E46CB81

Function 05F8F8E8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3ba2b24ae7dafafa29144233cba57383dfbe925236d6254675348c0ba77191
Instruction ID: 58217f522369f32c17707b32cd73a83db2e33ac036ceb5abd8c4fb8f02ab57eb
Opcode Fuzzy Hash: 7c3ba2b24ae7dafafa29144233cba57383dfbe925236d6254675348c0ba77191
Instruction Fuzzy Hash: E3E08C30908208EFCB08EFA4E948A6CBBB9AB4A301F204198D80817320D730DE04CB51

Function 05F860A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1826975a6edf016b7df6687da7f61d3c13616a32ea4d6296ebf32726c644fb71
Instruction ID: 77d01966df5cdbbfe8240029a2a2fe54d5ee306c1a9dd3344c59fc6acceb0844
Opcode Fuzzy Hash: 1826975a6edf016b7df6687da7f61d3c13616a32ea4d6296ebf32726c644fb71
Instruction Fuzzy Hash: 12E0EC70D45248EFCB44EFB8D5496ACBBB8AB09201F1041A98909D3255E6745A44CB55

Function 05F8D2F0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40420ef6236b4567e5e2e2657b06c5d03aa0d9c9bd2968fba611b7dc2159855
Instruction ID: e054732ecc44ef3ca82724d6c938646f8ec44ea3c6ce912b20d296a5b6ac5009
Opcode Fuzzy Hash: d40420ef6236b4567e5e2e2657b06c5d03aa0d9c9bd2968fba611b7dc2159855
Instruction Fuzzy Hash: 70E0EC74D45208EFCB44EFB8D5496ADBBB8AB05201F1001A98809D3250E6745A44CB41

Function 06058EF0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b5357afa1e5ceddb15f546bc3a4c2762abae8bad3fb665a4c8a7f0f31be7d5
Instruction ID: 8d8463cc144a7411267f90e90febb57f62e9bb50d3922ee97ba2c9a2186e7556
Opcode Fuzzy Hash: 61b5357afa1e5ceddb15f546bc3a4c2762abae8bad3fb665a4c8a7f0f31be7d5
Instruction Fuzzy Hash: 9ED05B35798B5287D765C329BD143073BD29B84758F18835CDD95C7295DB24DC054BC8

Function 0608BCC6 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1de5e70af8b7d553c449a43678db3c339343d301bcd1d9b4be211dccf32e8a
Instruction ID: 1ec3dc410c1e3564db0e20d242925615e46e989631a11a8b48249af3aba67e05
Opcode Fuzzy Hash: 0b1de5e70af8b7d553c449a43678db3c339343d301bcd1d9b4be211dccf32e8a
Instruction Fuzzy Hash: 28E0E574A052589FEB90DF54D940FDEBBB8FB09300F104196E54EE7244DA749AC8CF54

Function 06085DB8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a46c9639c87530dd2c501b9a4d0e2006d8b55c6ecba7468b8f13d4e38270142
Instruction ID: 653b2248b55979c7215f1b137ec89cd63021270b0c5076cd50d42d3f3f497ae3
Opcode Fuzzy Hash: 1a46c9639c87530dd2c501b9a4d0e2006d8b55c6ecba7468b8f13d4e38270142
Instruction Fuzzy Hash: CAE08C30848248DFCB94EBA4C9042ACBFB4AB06201F24409D8C8857381D6359E41CB80

Function 06087040 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a46c9639c87530dd2c501b9a4d0e2006d8b55c6ecba7468b8f13d4e38270142
Instruction ID: 93724af52ff696461ed0800da8f441259787c651e9e7f2c81716cd964652ee23
Opcode Fuzzy Hash: 1a46c9639c87530dd2c501b9a4d0e2006d8b55c6ecba7468b8f13d4e38270142
Instruction Fuzzy Hash: A0E0C230C48208DFCB84EBA4C50027CBFF4DB06201F2880DDC84867341D6329E42EF80

Function 05F8C10D Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70efea45a4b4a32d6fbb75d47f43d8d744bf42591315d3830d64723a330ce398
Instruction ID: e18709f939cf22a7d6917c57020c2bdf0351314dcb369e6bd59dfcf7fb135e6c
Opcode Fuzzy Hash: 70efea45a4b4a32d6fbb75d47f43d8d744bf42591315d3830d64723a330ce398
Instruction Fuzzy Hash: F9F05A78D0166ACFCB64DF28DD58BADBBB1BB48301F0085EA990EA2655E7341E84DF00

Function 02F609B8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e37aa9da1cbba2f272d49203de4a7a0aa89139586e06945ac41f6a7c06e527
Instruction ID: f97c2b3767649c0c915c88aa79f588059896d1aaaa23aa79b486697e557abcc6
Opcode Fuzzy Hash: 48e37aa9da1cbba2f272d49203de4a7a0aa89139586e06945ac41f6a7c06e527
Instruction Fuzzy Hash: DBE0E270C0930AEFCB91EFB8844926ABBF4FF05211B1045BED909D6201FB798A12CF81

Function 02F6CDB0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8dc1239854733d8f6b35320156a0177593489ade06fc6aaa87565676b9e2cb
Instruction ID: f0237e7c373111f80ba9c03165ceb625f3982c1a3d0df14a90d1823576ca9fa2
Opcode Fuzzy Hash: 2a8dc1239854733d8f6b35320156a0177593489ade06fc6aaa87565676b9e2cb
Instruction Fuzzy Hash: C5D0A731909108DFC708DBA4D908A78F7BCDF47244F14509ECA5957351DB72AE02DB40

Function 06396ED6 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11dcff9bb4ca62f24c35a245e9e93f5625b5ba6f2092fe95949e216dd525e14b
Instruction ID: 1e741b00d13413349f5f77c0d4164dde2569a8049e7bfce144a40c39bbc91914
Opcode Fuzzy Hash: 11dcff9bb4ca62f24c35a245e9e93f5625b5ba6f2092fe95949e216dd525e14b
Instruction Fuzzy Hash: 71E039B490021A8FDBA4DF18C888AAAB7B4FB48300F1000E89519A7350CB349EC48F19

Function 0605F480 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7cd53702b96dfc5f65db36adf4980e1052bbbfa9c7446048b256cb0acae5be
Instruction ID: 9f2dbdc94e5aebb874c65eab9e6356160e5907c65c43817419588bc0b08395fc
Opcode Fuzzy Hash: 9b7cd53702b96dfc5f65db36adf4980e1052bbbfa9c7446048b256cb0acae5be
Instruction Fuzzy Hash: 15E086B400CBC44BE3028768FE687413FE15B2721CF184295DD94861E3C32F4405C741

Function 0608DF40 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a39a31d9781aa90f3a7d3b0f77b86de00113c973d79ee5ca8664a1fb4e1ca3
Instruction ID: 0e530c67f939fb66a0a4a4d4e842c8b3dbc789f7cf04348311131cf9a7f919dc
Opcode Fuzzy Hash: e5a39a31d9781aa90f3a7d3b0f77b86de00113c973d79ee5ca8664a1fb4e1ca3
Instruction Fuzzy Hash: 5CD0A7308C6248DFD798EB74A4006AC777CDF03101F10019CC41C122D1CA718A40E740

Function 0605DE80 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd258ddabe4b25c9313542b3fc0e6d861359e5cb81f6a75f04f6a9a64b9f7aa
Instruction ID: 16e889b1e0d2f6fa988e1b9f3e219b6cff150ade8525a201e5b2d459fef0675f
Opcode Fuzzy Hash: abd258ddabe4b25c9313542b3fc0e6d861359e5cb81f6a75f04f6a9a64b9f7aa
Instruction Fuzzy Hash: 92D0A97B1803408AE7682371A6083A83F00A7322FBF1807EAD580C00E2C72E8188C301

Function 02F60A00 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b2c383c12e8c8aa1e42b394ad1c70b2e1e984b0156b99b5b6094a09d12a06d
Instruction ID: e5a5af5cf29237e05562d26bc190b1d30907131ef3deceba936ce6f2ae5f8bcf
Opcode Fuzzy Hash: d0b2c383c12e8c8aa1e42b394ad1c70b2e1e984b0156b99b5b6094a09d12a06d
Instruction Fuzzy Hash: AED0C778750504CFD7449B75E64491537E6FB4C61131081E4ED09C7339EE35EC519F91

Function 0608525F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8e1d5c2ec0ae377acd66653df40c02ee00f070fad48a547755063bd691c260
Instruction ID: d31784572080e4ae77030c16e4aecbae2a730c8b6640c69a49e790d42c0de65f
Opcode Fuzzy Hash: ae8e1d5c2ec0ae377acd66653df40c02ee00f070fad48a547755063bd691c260
Instruction Fuzzy Hash: 47E017348092E98FDB529F25D8507ADBFB1FB12300F1444DAC585A3285DB380A88CF12

Function 02F60840 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cc5f138a0a7cdf669fe1cbcbfc78880b7a3cc2feb498fee83dac68b8d3d7b8
Instruction ID: 5d70721b49a980921af004ce225cea7e8bc4a2bf65e363de3662c5613f889dfc
Opcode Fuzzy Hash: 63cc5f138a0a7cdf669fe1cbcbfc78880b7a3cc2feb498fee83dac68b8d3d7b8
Instruction Fuzzy Hash: E2C04C3150F3919FCF035BB0991A4D13BF0EE0339531614E6C144CF162DA2A4946DBF2

Function 063AD100 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3438220dbc7ebfc26fc808a2b3e570eba5e26c62c5941c0daae1033669b7cf
Instruction ID: a17f7caab6ee3c091b74482e794725c5380dc328d007403e9c3ef956d265e630
Opcode Fuzzy Hash: bc3438220dbc7ebfc26fc808a2b3e570eba5e26c62c5941c0daae1033669b7cf
Instruction Fuzzy Hash: 63C02B3008B7048FE7D822A0640D730739CCF03202F04241CA00C01C228AA44088D7E4

Function 0608C557 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eba452dfa8b46f4e87611faf756ba8e5c8765a6dfd51fdbd2b039dda905af18
Instruction ID: 40002d25f51f00d2930cf8f385ce85d69144fe094af2129ce6dfe60ad0747705
Opcode Fuzzy Hash: 6eba452dfa8b46f4e87611faf756ba8e5c8765a6dfd51fdbd2b039dda905af18
Instruction Fuzzy Hash: 30E0E270C80259CFEB64DF24C608B9EBBB0BB04311F0580A9D95AA7210D3308DC0CF04

Function 060848B8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3902b43fcb150a5a5f8c403ed780d8b1c7a087a62e7ab90af7683eeb505c4052
Instruction ID: 7d7e2b902771dc1cef395e4f05000c403eadbe9d783705ca3be509e0b9f216db
Opcode Fuzzy Hash: 3902b43fcb150a5a5f8c403ed780d8b1c7a087a62e7ab90af7683eeb505c4052
Instruction Fuzzy Hash: 61D017349041988FEB91ABB5E4547ACBEB1EB46304F10809AC58DA3784CA394AC89F51

Function 06084924 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592477ab78fdf40dfe1b5ed6a17eb91b00b264151a293d3f612a5707588232e7
Instruction ID: b72d17d7209a68969f39577b9c6d15725f62b85a02cdfb5b312c4dce71b29dd3
Opcode Fuzzy Hash: 592477ab78fdf40dfe1b5ed6a17eb91b00b264151a293d3f612a5707588232e7
Instruction Fuzzy Hash: DDD05E34C092A88FEB51EF25D8407AD7EB1FB11300F004099C485A3384CB780E88CF51

Function 05F86F28 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19fc14ae8f6d4fdf7d4afea9d50937ee8670980a6ddbd61ff96a2d68224b2537
Instruction ID: ae5fb8147a8f092cf78e87fa19199fa8e178b1a29bd1a2c45c1898808e580de3
Opcode Fuzzy Hash: 19fc14ae8f6d4fdf7d4afea9d50937ee8670980a6ddbd61ff96a2d68224b2537
Instruction Fuzzy Hash: 67D01775A9532ECBDB10EF71D614B6933FAFB44300F0096A48405A3358CB389E868F41

Function 02F69698 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0324f6a430cf7a7ab1a0c88bab6ca9ff431a5a471f6af546c2efe1be438be18a
Instruction ID: 8bdd17654530da572daaa57a779df086e23b7edba94d3d9c083d0c178c500b75
Opcode Fuzzy Hash: 0324f6a430cf7a7ab1a0c88bab6ca9ff431a5a471f6af546c2efe1be438be18a
Instruction Fuzzy Hash: 6EC08C300833448FD398BBB8AA0D3383B68DB0368BF180054D20D418648FBA8050CE7B

Function 0605B3A0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725c533d1a80a095ba8ccc51721c7a46fa6786f781669cada6887a2649b75201
Instruction ID: 270eb365c0fb6d5a543bb25b5b5c1771b1bff7f3e4038ef0bbb62aa85bd4d251
Opcode Fuzzy Hash: 725c533d1a80a095ba8ccc51721c7a46fa6786f781669cada6887a2649b75201
Instruction Fuzzy Hash: 94D0C9790846889FC701DB24E848B417FA1EB1A379F148294E9A94A2F2C366C854DA40

Function 0605D2BB Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49cab46a9a02612d302baec524e7cb313168fefe65c54526441da3d238a52918
Instruction ID: 668323caa81c0237d4609990ea7c2bd9b1eb345c1a31e1b07aaf1d5b738a0f2a
Opcode Fuzzy Hash: 49cab46a9a02612d302baec524e7cb313168fefe65c54526441da3d238a52918
Instruction Fuzzy Hash: 37C012760806089FC300CF60E844B453B61FF1A366F094090E9544B262C736C8148A40

Function 05F8A08B Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02026832e11f20e9003229b09ac9008b717444e2f5085bfb07e63077eb508317
Instruction ID: de6055aa0f3c85d294c290dfa9dc85a3163558379dae1c31a48e5711137b1295
Opcode Fuzzy Hash: 02026832e11f20e9003229b09ac9008b717444e2f5085bfb07e63077eb508317
Instruction Fuzzy Hash: 01D0C971919229CFDB10EF20C848B9AB7B6FB09301F4096D98419A3299DB345E81CF41

Function 05F86626 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9252b2b0b5b0dbb67dab5ca571f98fe8c855e3b78fea804baa28b74d5b48c5
Instruction ID: 1871f9312e900b19b04fb836af9725401c448e1b1190f2e51fb98ca40ed8d0fa
Opcode Fuzzy Hash: 5e9252b2b0b5b0dbb67dab5ca571f98fe8c855e3b78fea804baa28b74d5b48c5
Instruction Fuzzy Hash: 27C00276E1001A9A8B00DAD9E9508DCBB74EB94321F404026E215A7104D63015268B54

Function 0605D2C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8e06a732ca707132f27ef7a83e288a845aad2dfe2584e40d54ff240b01922d
Instruction ID: 2ad57114494cc740969b95bee8f444b209d5990da35e5c480c7824bf6c3857fe
Opcode Fuzzy Hash: af8e06a732ca707132f27ef7a83e288a845aad2dfe2584e40d54ff240b01922d
Instruction Fuzzy Hash: B7C09276140208EFC700DF69E844C45BBB8FF1976071180A1FA088B332C732E820DA94

Function 0605B3B0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 02F609E4 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f69887aaef7f599df809807ae69a4e5fcf7771f89cac60c24ef1f83de06f2ab
Instruction ID: 99439794c7de3ee66bf9be66cec00c4820c3c61d401fcc950803b8a45d12b896
Opcode Fuzzy Hash: 8f69887aaef7f599df809807ae69a4e5fcf7771f89cac60c24ef1f83de06f2ab
Instruction Fuzzy Hash: B7B0123224D10CC7B12409A1641D3383321E96114231006CA9A0E046008D12483086D3

Function 0605F4A8 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c238d7a979fdf2564948febc1a28abb6c0be72632788d9feaca464a6c85d461f
Instruction ID: 5cb28aa8e30278ba38600e818eed7ca5c13c27085b73fb1ed53e72a3f10f4c8f
Opcode Fuzzy Hash: c238d7a979fdf2564948febc1a28abb6c0be72632788d9feaca464a6c85d461f
Instruction Fuzzy Hash: 6CB09236000208AB87009E88E808859BB69AB59710700C025B6090A212CB32A922DB94

Function 06058ED3 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd3a6f603e3067ffc70be4f3448d2ceab6e936634e420f048e90ef8cd873854
Instruction ID: 8634452e4242aac19a8e5aea3bc7937df0a11dc11f4f24e44cb8336196c57802
Opcode Fuzzy Hash: 2bd3a6f603e3067ffc70be4f3448d2ceab6e936634e420f048e90ef8cd873854
Instruction Fuzzy Hash: A1A0022A092901C2E7D867B8C8A179BB798FFD0A28FC9186DD46580665CA1DA4178A25

Non-executed Functions

Function 063AD130 Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

ADE64743610E91BB9662F882EAB90D5D48F093C6B04C6F320E96D059D44E807BC95C06EA90AAF628A5975C85D7DACE941538416912C9B0FA0C7C09CFBDDC2B1DD81B82E7A446878C44EA15EB6AADDE41CC3FC37BDC1AB31843960FD45F08382449467CBE4448574AA4FB31FA3AD000B79A77DF58AE17FA3825FF139228C5ABEF288F, xrefs: 063AD191
Zd,-, xrefs: 063AD19C
neaq, xrefs: 063AD1C5

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: ADE64743610E91BB9662F882EAB90D5D48F093C6B04C6F320E96D059D44E807BC95C06EA90AAF628A5975C85D7DACE941538416912C9B0FA0C7C09CFBDDC2B1DD81B82E7A446878C44EA15EB6AADDE41CC3FC37BDC1AB31843960FD45F08382449467CBE4448574AA4FB31FA3AD000B79A77DF58AE17FA3825FF139228C5ABEF288F$Zd,-$neaq
API String ID: 0-3202364401
Opcode ID: 8a50f0cbe17f66c5a70c86df984b777c63ae3125e46a5cd31c355bb8523b09d5
Instruction ID: aedbd5840918e15c684cdc96d0856e870e4906409da60426aa7f8ee92d546404
Opcode Fuzzy Hash: 8a50f0cbe17f66c5a70c86df984b777c63ae3125e46a5cd31c355bb8523b09d5
Instruction Fuzzy Hash: 595157B4A05208CFEB94DF29C954BA9BBF1FF49300F1040A9D80AA7765DB399E84CF41

Function 05F80040 Relevance: 3.8, Strings: 3, Instructions: 93COMMON

Download Yara Rule

Strings

J, xrefs: 05F80603
,, xrefs: 05F8010F
#, xrefs: 05F805D7

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: #$,$J
API String ID: 0-967142412
Opcode ID: 75828443b44afeabc2b9bb1dfc2a8621aa5ef72d6a692aeaf8e382faf4a16673
Instruction ID: b3da30abb6969fbc4175c1aecf630ff253c6fb739d97b2a3f5d51b94c091c229
Opcode Fuzzy Hash: 75828443b44afeabc2b9bb1dfc2a8621aa5ef72d6a692aeaf8e382faf4a16673
Instruction Fuzzy Hash: B441AA71D056188BEB68DF67C8487AAFAF7AFC9310F54D1BAC40CA6224DB741A85CF00

Function 0608D5E0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

C}J, xrefs: 0608D832

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: C}J
API String ID: 0-2552927176
Opcode ID: 051064a31fd7cb404d7dee819fb867a22111d20ce8d2bb74058dca474019812c
Instruction ID: d350357db58c9d7caa88ce9d5c1f2f295863e0370817671441724b79038a5d0b
Opcode Fuzzy Hash: 051064a31fd7cb404d7dee819fb867a22111d20ce8d2bb74058dca474019812c
Instruction Fuzzy Hash: 37B12470E4520CCFEB98EFA6D484BADBBB2EF89300F109169D459A73A5DB345985CF40

Function 05F86C68 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

:, xrefs: 05F8C653

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-336475711
Opcode ID: 3659b76aeae750ba4fa8c43f21ebf7bbecb5bfc492a083b99b261c57ad3b46b2
Instruction ID: d359f9b3234566a0d0afefc838d6b9d2bad4b62497f059b058263634acff2ba3
Opcode Fuzzy Hash: 3659b76aeae750ba4fa8c43f21ebf7bbecb5bfc492a083b99b261c57ad3b46b2
Instruction Fuzzy Hash: 3C414572E04A588BEB1CDF6B9D4429EFBF7BFC9301F14D1BA841CAA259DB3405468E01

Function 05F80006 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

,, xrefs: 05F8010F

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 780943ff3448023ef4d801011b12087549f4f931bcb544d169061ddf05ea7d25
Instruction ID: 2505c18a7e956ec0afeb388f00734c5f2a5f82ff4b29fa81dbc22ee32920d686
Opcode Fuzzy Hash: 780943ff3448023ef4d801011b12087549f4f931bcb544d169061ddf05ea7d25
Instruction Fuzzy Hash: 94311271D056588FEB19DF278C0929AFBF7AFC5300F19C1FA844CAA265DA341986CF11

Function 06060878 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c00d49f380e109212ac968b7535fd8a535c7227452b54685b9f722b5645ea39
Instruction ID: 75e0bec87bd76f66eaec867bc6c52181ba6160e99004de41983fab9e1fb9d9b8
Opcode Fuzzy Hash: 8c00d49f380e109212ac968b7535fd8a535c7227452b54685b9f722b5645ea39
Instruction Fuzzy Hash: 47328970B402168FDB99DFAAC59476EFBF2FB88300F148529E55AD7390DB34A941CB81

Function 05F85268 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47a1ca70b25837514a21baaa80839ef3412b4d4ac0e4de38b13e88dffe48d7a
Instruction ID: 4fa4b8b65046a359c58803433568978bc41636ddf62a850a368d6981c8404304
Opcode Fuzzy Hash: c47a1ca70b25837514a21baaa80839ef3412b4d4ac0e4de38b13e88dffe48d7a
Instruction Fuzzy Hash: 2912C271E046189FDB18DFAAC98069EFBF2BF88305F24C169D458AB219D734AD46CF50

Function 060519E8 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497179482.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22c9a0c90c1cc79ca33d0c6e9dc4e7050ba575c7028f0b50d41a1f1939e2a6d
Instruction ID: 12166a7b79d1e5c9e2bdd69fd3e4aa3231c66a047e232be25be702a6ee179f02
Opcode Fuzzy Hash: f22c9a0c90c1cc79ca33d0c6e9dc4e7050ba575c7028f0b50d41a1f1939e2a6d
Instruction Fuzzy Hash: 6CD10A34A40605DFDB94DF69C584BAABBF2FF88310F168598E8159B361D735EC81CB60

Function 0603ECD0 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496992514.0000000006030000.00000040.00000800.00020000.00000000.sdmp, Offset: 06030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6030000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a6320cd9085047f5fc2546046691d9eb0d66741130f1c06997b87ee7360b4c
Instruction ID: 364a39f473d0aa9409f111d54f6c15fd0d88342b9d9a4469821c29de29bdfffc
Opcode Fuzzy Hash: 24a6320cd9085047f5fc2546046691d9eb0d66741130f1c06997b87ee7360b4c
Instruction Fuzzy Hash: 8EB12570E85228CFEBA4CF69D944B9DBBF6BF89301F1081AAD408AB355D7749985CF40

Function 06080E98 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25853ce8b39561c0f825544acee3a0e736c9984544e03606679241b5196c2e7b
Instruction ID: 9ad4153f1358e06d3770aee957c6e2cbc108c2d39744bc581201bdb1158a0053
Opcode Fuzzy Hash: 25853ce8b39561c0f825544acee3a0e736c9984544e03606679241b5196c2e7b
Instruction Fuzzy Hash: 26816770E49218CFEB94DFA9E844BADBBF2FF49300F109069D44AA7654DB349989CF44

Function 0608DBA0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf8e9ea5fe24cc3aa5334257c94b18473e7346a61cb7447775c5e4680bd47ed
Instruction ID: 32833e8ed30df6e49c95cf922776e43b2f002677766236466db0d3372bfe9f11
Opcode Fuzzy Hash: dcf8e9ea5fe24cc3aa5334257c94b18473e7346a61cb7447775c5e4680bd47ed
Instruction Fuzzy Hash: C2912670D45208CFEB48DFAAE488BADBBF1FF49304F109129E419AB2A5DB745985CF44

Function 0608DBB0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d91e628a864070ac1423deb3ca87f88d9b96e85b87bc6fb5f43e6336a1bed22
Instruction ID: 46c2ae6128fe376ca6cd39b88d9a20ae92ef8e1be26813fc65b960fe797bfe5a
Opcode Fuzzy Hash: 0d91e628a864070ac1423deb3ca87f88d9b96e85b87bc6fb5f43e6336a1bed22
Instruction Fuzzy Hash: AA913670D44208CFEB44EFAAE488BADBBF1FF49304F109129E419AB295DB745989CF44

Function 06080EA8 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967eb9a940ebf9bf1f7d57975558fc7aa981f7506e43fd23570bff2b6b3e8982
Instruction ID: 09218917d0081e2e0ed30d1f731a5b57b121d1b8a27996de0ec00b7db4287195
Opcode Fuzzy Hash: 967eb9a940ebf9bf1f7d57975558fc7aa981f7506e43fd23570bff2b6b3e8982
Instruction Fuzzy Hash: B7815770E48218CFEB94DFA9D8847ADBBF2FF49300F1090A9D44AA7654DB349989CF44

Function 06080F90 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497478909.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8b997f149fc179f6667aad8ba0dcb708d40327519f81b5ade713ec733de198
Instruction ID: 628c476df73a1b0dc3ed9d5da022a0763038e6e1fd6746f4635cc602657ac9d6
Opcode Fuzzy Hash: fd8b997f149fc179f6667aad8ba0dcb708d40327519f81b5ade713ec733de198
Instruction Fuzzy Hash: F1814670E88209CFEB94DFA9D8447ADBBF2FF49300F1090A9D45AA7654DB349989CF44

Function 060644B0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9294e07ec9a9803a5c7a16e420485bea976d79c3753603a55ca5ee595eade55d
Instruction ID: 9a1b8ff453ae39bc0e69021df9a3479498b541957b0355bc3e31d8d1d5daafd5
Opcode Fuzzy Hash: 9294e07ec9a9803a5c7a16e420485bea976d79c3753603a55ca5ee595eade55d
Instruction Fuzzy Hash: 00513474D4620CCFEB94CFAAE5847ECBBF2FB49300F20902AE409A7665D7745989CB41

Function 060644C0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6606717f2403917d015d519c94dff522814fd9da969f4a4956484197612421
Instruction ID: c96359e9694a4876bea2201cba3bfad620ccc376e92ae5b5d65bb1811065165f
Opcode Fuzzy Hash: de6606717f2403917d015d519c94dff522814fd9da969f4a4956484197612421
Instruction Fuzzy Hash: 23511370D4620CCFEB94CFAAD5447ECBBF2FB49300F20902AE409A7655D7785989CB41

Function 02F661CC Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb854383401dc9e290087e018ae664ce850a4c5d79e628b6f7157794f23bb51
Instruction ID: 414d3270a6259d2a20b92811b2b03c056eed8a55995fea315f7646d5acaaf73e
Opcode Fuzzy Hash: 9bb854383401dc9e290087e018ae664ce850a4c5d79e628b6f7157794f23bb51
Instruction Fuzzy Hash: F041B7B1D056188BEB68CF66C95979DFAF6FF89304F14C1A9C50CA7254DB780985CF00

Function 060319A7 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496992514.0000000006030000.00000040.00000800.00020000.00000000.sdmp, Offset: 06030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6030000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ed110c029f0ec937bd80b17c8b170f2edc78b2364728696aa756be44852e21
Instruction ID: 0301ed01cfed545fd39475a0cdeade3fa4da0976841eb8f63a69863fd39939b6
Opcode Fuzzy Hash: 80ed110c029f0ec937bd80b17c8b170f2edc78b2364728696aa756be44852e21
Instruction Fuzzy Hash: 7851B5B4E41228CFEBA4DF19C844799BBF6BB89302F1081E6C449B7254DB364AE5CF00

Function 05F85258 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f89ea93b0c894d67ec8a6d1a5219fd3dc811e34a0039fa76cf860841d6392d6
Instruction ID: d8eec088eca7113b742f30f7d33952968668735b694b664fe960fad06b56e154
Opcode Fuzzy Hash: 8f89ea93b0c894d67ec8a6d1a5219fd3dc811e34a0039fa76cf860841d6392d6
Instruction Fuzzy Hash: 8C4167B1E016199BEB08CFABC94059EFBF3BFC8200F14C06AD958AB224DB7459458F54

Function 06030040 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496992514.0000000006030000.00000040.00000800.00020000.00000000.sdmp, Offset: 06030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6030000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845715a866bfe5e4d069d8b34b31d566a4cc24975ca174689c7c0b9e1529633c
Instruction ID: 74175e2ed43319edfa35209ec47e7e6c980099ab3ee52d74c8a7abe693b40bb2
Opcode Fuzzy Hash: 845715a866bfe5e4d069d8b34b31d566a4cc24975ca174689c7c0b9e1529633c
Instruction Fuzzy Hash: 75515C71D056688BEB68CF2B8D443CAFAF7AFC9341F04C1FA944CA6258DB700AC58E41

Function 0603001E Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496992514.0000000006030000.00000040.00000800.00020000.00000000.sdmp, Offset: 06030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6030000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2812678d0d23f60653e5ea1bb2d125d296c32b7181032c38a02e4f8d0eaf739b
Instruction ID: d6f75dfba73c59ee061ee9ecf11fd46eecf829922e1a6644a6f7ee989f98031c
Opcode Fuzzy Hash: 2812678d0d23f60653e5ea1bb2d125d296c32b7181032c38a02e4f8d0eaf739b
Instruction Fuzzy Hash: F4515C71D056588BEB29CF2B8D516CAFAF3AFC9300F18C1FA844CA6265DB740A85CF01

Function 0603D7C8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496992514.0000000006030000.00000040.00000800.00020000.00000000.sdmp, Offset: 06030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6030000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206bcb859f5373c94e43b3beda16992b2dda493be599ed99abd587db401ec279
Instruction ID: 5c7a3115b0cd0efc343c7f86233ace532cf5253ca68f1db0777fc99529f4c529
Opcode Fuzzy Hash: 206bcb859f5373c94e43b3beda16992b2dda493be599ed99abd587db401ec279
Instruction Fuzzy Hash: E641CCB4D40358DFDB54CFA9D885B9DBFF5AF09300F20902AE814AB290D774A885CF55

Function 0606FE02 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45eda68eb4d12ac4450709b3994cb7691304d02369c6b47254779bf9c4f606b
Instruction ID: 6aee18083df2eaac894c1c0bc2f196c544222eda9bbc6c8b9b84319d4874fb17
Opcode Fuzzy Hash: f45eda68eb4d12ac4450709b3994cb7691304d02369c6b47254779bf9c4f606b
Instruction Fuzzy Hash: E041EDB5C052599FDB10CFAAD484AEEBBF1AB09310F14802AE455B7240C7789A85CF64

Function 0606FE08 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a83d900c163c98494525b7333fd37cc3ac74869d6134a60d5c0e00905325349
Instruction ID: 91a7db1c902f825f4e61ce17bb6cf618392936d07bf5f609917786ba9a736620
Opcode Fuzzy Hash: 9a83d900c163c98494525b7333fd37cc3ac74869d6134a60d5c0e00905325349
Instruction Fuzzy Hash: EF41DDB5C04259DFDB00CFAAD484AEEFBF1AB09310F14902AE455B7240C778AA85CFA4

Function 06390040 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769dd505ed485e86e138270986977503ccfcc009735aae79537a63c5fcf9148a
Instruction ID: 5c6dfdbf874cd3d79ffaebc8db4943fd8c7aa258927254b1c8f93abfb06a725e
Opcode Fuzzy Hash: 769dd505ed485e86e138270986977503ccfcc009735aae79537a63c5fcf9148a
Instruction Fuzzy Hash: 8141F870D04629CFEB68CF6ACC4479ABBF6AF89304F14C0EA840CA6664DB704A85CF51

Function 06390007 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498043539.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6390000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4adbc70ed29442e5f2d472437d720a743579b0bf6372e9bbf1e825410e40ff7
Instruction ID: d044827893d3e056645ca4f99df384fd8dceb1b903b21e090fd95b69a3460ab9
Opcode Fuzzy Hash: a4adbc70ed29442e5f2d472437d720a743579b0bf6372e9bbf1e825410e40ff7
Instruction Fuzzy Hash: 2B313271D057959FEB29CF6A8C44299BBF6AFC6300F05C0EAC48CAA266D7340A85CF51

Function 0606C010 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8518e72ba0ed3fa6c7460c44e0d5f9d941148e6e2f6269fca137bca50476816e
Instruction ID: 7597715ce250790bf7855ba9a551e5f65571f5a6887bd5ea59849699f63718cb
Opcode Fuzzy Hash: 8518e72ba0ed3fa6c7460c44e0d5f9d941148e6e2f6269fca137bca50476816e
Instruction Fuzzy Hash: 6831E5B0D44258CFFB68CFABC8447AEBAF6AF89304F10D46AD419A7252DB7409858F50

Function 05F859D1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4164a6a63dcc05fcf04a1ad3a33271c4b1fe213372ea27aac0c1a94255d353
Instruction ID: 74f260fb0af8fd4b124b505619fc5b08c4f18e39a5d210ccb4ebd7cfdef0646c
Opcode Fuzzy Hash: 7f4164a6a63dcc05fcf04a1ad3a33271c4b1fe213372ea27aac0c1a94255d353
Instruction Fuzzy Hash: 8731BC71D04618EFEB18DF6AD884BA9BBF6BF89300F04D0A9D41DA7265EB745985CF00

Function 05F859E0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1496455328.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535d7b284ab2027a42a92de6fdedc46aed68b38537cd333f6e2b4b6645d0f099
Instruction ID: f587a74e9a4b504ac6e6e2712d932e7adf47c69448ec56b5468a3e5b941ced69
Opcode Fuzzy Hash: 535d7b284ab2027a42a92de6fdedc46aed68b38537cd333f6e2b4b6645d0f099
Instruction Fuzzy Hash: 4831BB71D04618EFEB18DF6AD884BA9BAF6BF89300F04D0B9D41DA7265EB744985CF00

Function 0606B598 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0edc4c3d1f5da4b0730161e90c66762eded13b6572d5f32707dd449141602ed
Instruction ID: cf745c249a2b217ed0de0b743edc59fbce7d6fef1812e8eaf5ab51bc4fc1aa9f
Opcode Fuzzy Hash: b0edc4c3d1f5da4b0730161e90c66762eded13b6572d5f32707dd449141602ed
Instruction Fuzzy Hash: F921FEB5C002089FDB10CFAAD881AEEBBF4EB49310F14902AE819B7250C7356941CFA4

Function 02F6ED40 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1468075780.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ff4e56e134e823127840e82ae9f6aac25178cb6fff1b809278fd6dbb9343ad
Instruction ID: fc9d1ef155986674f45204902c3c6b7c53272792f02a9ae0061e795e6ae4e749
Opcode Fuzzy Hash: 16ff4e56e134e823127840e82ae9f6aac25178cb6fff1b809278fd6dbb9343ad
Instruction Fuzzy Hash: 3721C876D056688BEB18CF6ACD487DDBBF7BFC9300F04C1AA9909AA214DB340A45CF00

Function 0606B5A0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e29f23560d73aed7d828aa4a449b3982e22e8bb4a40f8d378a0a8205d3bcec7
Instruction ID: e3ea3f9e08005aeb4a02c08c03c86c54d1170b12f1353f5f9d08531cdc6307c1
Opcode Fuzzy Hash: 6e29f23560d73aed7d828aa4a449b3982e22e8bb4a40f8d378a0a8205d3bcec7
Instruction Fuzzy Hash: 1221DCB5C042089FDB10CFAAD881AEEBBF0AB49310F14902AE858B7250C775A941CFA4

Function 06067729 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24ca9edb633c1efc784ca864a1fdef8778b259bee37841ca2b7f49c7f8ba2f7
Instruction ID: dfd88ce826471a01f4ee943e7b5e19306a8653c1b9173636d27a4a03727c1720
Opcode Fuzzy Hash: a24ca9edb633c1efc784ca864a1fdef8778b259bee37841ca2b7f49c7f8ba2f7
Instruction Fuzzy Hash: D421E7B1D016189BEB58CF6BD9447DEFFF3AF89300F14C16AD409AA254EB7409858F51

Function 06067738 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1497251555.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6060000_nDHL_AWB_6078538091_scr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0903469bb5117f144f1aaf23d2907101107530a7d0c91d1e92b5fd5e705a71bc
Instruction ID: adda1ad55f1d059819f0785d86ae57458144be02dc143d0a4d4af5f9d39ea3f2
Opcode Fuzzy Hash: 0903469bb5117f144f1aaf23d2907101107530a7d0c91d1e92b5fd5e705a71bc
Instruction Fuzzy Hash: 8221D0B1D056188BEB58CFABC9447DEFAF7BF89304F14C16AD409AB254DB7409898F40

Analysis Process: InstallUtil.exePID: 2284, Parent PID: 3504COMMON

Executed Functions

Function 06370040 Relevance: 1.7, Instructions: 1713COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a83bb7bf2d27743e174b7a024a55a0f21fe4a085fca6f395b1d5e4437f24c21
Instruction ID: 9f0b76880445057716e1a5f79b3573470f1103766fc2b7ad0a4d5fc21ff4ed3a
Opcode Fuzzy Hash: 2a83bb7bf2d27743e174b7a024a55a0f21fe4a085fca6f395b1d5e4437f24c21
Instruction Fuzzy Hash: 8EF23774A102048FDB68DB68C894B9DB7F2FF89304F5485AAD44AAB351DB34ED85CF90

Function 063756C8 Relevance: 1.6, Strings: 1, Instructions: 359COMMON

Download Yara Rule

Strings

$, xrefs: 063756F3

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 8bbd22e8aee04a4e7982ace0a8f852413eb359f11168eb12fbf9a2c8c053e738
Instruction ID: 7630049f82474a51b935f6abff1e8c4bb188b887f145e407b81e4e377605990d
Opcode Fuzzy Hash: 8bbd22e8aee04a4e7982ace0a8f852413eb359f11168eb12fbf9a2c8c053e738
Instruction Fuzzy Hash: 0AD14075F002089FDB68DBA4C5546AEBBF6EF88320F204469D406EB354DF75AD45CBA0

Function 011096F8 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\VXm, xrefs: 01109943

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID: \VXm
API String ID: 0-2312107965
Opcode ID: 598590154b931b0c9c420c0f48ef4c97982b962352487ba5c40ec4c6dc41a267
Instruction ID: 3f287f7933aee0bb55b939b1c11ebca3e9700bce6488dd72baebd919ddac38a6
Opcode Fuzzy Hash: 598590154b931b0c9c420c0f48ef4c97982b962352487ba5c40ec4c6dc41a267
Instruction Fuzzy Hash: CC917E70E0020DCFDF19CFA9C89579EBBF2AF88318F148129D409A7395EBB59945CB81

Function 06377880 Relevance: .9, Instructions: 923COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc9b750e55f9aeb8f92712cd531d84296c7c1b8b328545dddb4d45778e1645a
Instruction ID: c710e5e0078deb729200d125fe1f5b785357db7403702ea02c2cd647a459bdd7
Opcode Fuzzy Hash: 8cc9b750e55f9aeb8f92712cd531d84296c7c1b8b328545dddb4d45778e1645a
Instruction Fuzzy Hash: 13729E34B002049FDBA8EB68D594BADB7F6EF88314F548469D406EB391DB39DC46CB90

Function 0637D920 Relevance: .8, Instructions: 834COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c7bbd48ac538b93de655899180761e5729d28df10feaccd5ea53a7f5b51342
Instruction ID: b81192d4dfc78eb128f3a2569e5ed47eea219a4c86be6c548846a9c1e1102f45
Opcode Fuzzy Hash: 92c7bbd48ac538b93de655899180761e5729d28df10feaccd5ea53a7f5b51342
Instruction Fuzzy Hash: 42626F70E102099BDBB4DBA8D4947ADB7F2EF49310F54886AE406EB381CB39DC45CB91

Function 0637EA00 Relevance: .8, Instructions: 798COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6d13ab0f4ee59c0734adaa67a1dc621f78663b77b7bb0373961192f7c1b03f
Instruction ID: 3d79f20e0fe185e37fe4d1277ec3c2d4e2988dfc5d8582bc9bfa797df1f43282
Opcode Fuzzy Hash: dc6d13ab0f4ee59c0734adaa67a1dc621f78663b77b7bb0373961192f7c1b03f
Instruction Fuzzy Hash: 0652A134B102058FDB98EB68D494BAE77F2FB88314F518469E406EB391DF34DC458BA1

Function 063795C8 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949a4c702891315a432b65243cd116c5552c4774e36530c6a36b3ed449ffa063
Instruction ID: 91cd4dc023bb86c9d34d47a3da20cf7aa39e6d352701495d99ce0364cc6d09e0
Opcode Fuzzy Hash: 949a4c702891315a432b65243cd116c5552c4774e36530c6a36b3ed449ffa063
Instruction Fuzzy Hash: 14129D34B002059FDB68EB78D494B6E77E2AF88304F158569D406EB395DF39DC46CBA0

Function 0637D2D8 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88daa671ccd7af8707053b505a25dadff40f08d67d31963cf012d310d1dac82b
Instruction ID: 02889a1af88563045d8fb931e8143dfd9d8b312e9baa3d2bf6a469147471f178
Opcode Fuzzy Hash: 88daa671ccd7af8707053b505a25dadff40f08d67d31963cf012d310d1dac82b
Instruction Fuzzy Hash: E5F16F34F102058FDB69EBA8D49466EB7F2FF89204F50846AD406EB385DF389C46CB91

Function 0110E318 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26dcddab7f0b81900af893da713443dec395897520f2467e7e6e1b9763926169
Instruction ID: 5ddb0d14ce1ab0cdbe45e55ed1e20cc2b41c330a46310984e9026107b587fb4f
Opcode Fuzzy Hash: 26dcddab7f0b81900af893da713443dec395897520f2467e7e6e1b9763926169
Instruction Fuzzy Hash: D9E17D74E01241CFE71EEB66D454B6E37E2BF48308F158869D1029B3E6DBB59C82CB51

Function 0637D911 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf246f68891b68f4f3526dc0af87df0e6199c957708335efaa52faf8187e0ab0
Instruction ID: 01a5031caade0030481c6956295443d0da75663d110e6b4b458bbc2d0ef7fe5b
Opcode Fuzzy Hash: cf246f68891b68f4f3526dc0af87df0e6199c957708335efaa52faf8187e0ab0
Instruction Fuzzy Hash: EFC19774E002059FEBA4DBA8D494BAE77E6FF89310F548429D406EB385CA38DC45CBA1

Function 063772E0 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f859ef005d8f303316199f94d4070432f53bc4249875c1087681090a3e81595e
Instruction ID: 9ee5ae9d8426b3cf13455f72bd2ed9f86eba5eaf9f30a4bab4faca6e3e267b0b
Opcode Fuzzy Hash: f859ef005d8f303316199f94d4070432f53bc4249875c1087681090a3e81595e
Instruction Fuzzy Hash: E9812736847A46BAD3B19A609D54FF37FBEBB01250F444365FC119A642C328A54ADBF0

Function 0637ACF0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0cd1af11ca3c128dcd40a7538d6306803a13874aa0d69dda6d9281536ea4e0
Instruction ID: 6d9066b82e80f8d3a972546f0de6269bd0f2de5e898fff2e1ddf6ce8214ecce6
Opcode Fuzzy Hash: 6a0cd1af11ca3c128dcd40a7538d6306803a13874aa0d69dda6d9281536ea4e0
Instruction Fuzzy Hash: 3BD1FD74E002199FDB68DF64D8A0BAEB7F1BF88304F5085AAD409AB351DB709D85CF91

Function 06335C62 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab920a3b48b6b6c2a8cc8c4bae5c78ac581c369efdc65e73a7c13417a192230
Instruction ID: 8167b9b23d0f135cf542dac65c097e1c1e0690efd332e3453d7df434bc1c7d08
Opcode Fuzzy Hash: aab920a3b48b6b6c2a8cc8c4bae5c78ac581c369efdc65e73a7c13417a192230
Instruction Fuzzy Hash: 8FB15C34B10214DFCB48DB68D599AAD7BF6AF88315F158469E806EB391CF34EC45CB90

Function 06377305 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a69ed6acecec282199ade88d8c033494cf339cef09f5a32c726547111711f1f
Instruction ID: bf7ad616aa5903a35d4bbf3e4a45edb0fed52bc1fd10b7fc7ab21a8204eabb7d
Opcode Fuzzy Hash: 3a69ed6acecec282199ade88d8c033494cf339cef09f5a32c726547111711f1f
Instruction Fuzzy Hash: 64715832447A0ABAD3B09A60DD44FE3BFBEBB01250F444265F8169B642D338A549DBF0

Function 01105BC0 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520b02726a9d13b30495e61b740ab182d78b2b32138afd74732cdd6b7ab6beb3
Instruction ID: 5dfbde764c6e873a8f00f66a99d5f27c33687dff695034611c8b6a3cb012d54c
Opcode Fuzzy Hash: 520b02726a9d13b30495e61b740ab182d78b2b32138afd74732cdd6b7ab6beb3
Instruction Fuzzy Hash: 0FB18071E041298BDB4ACBACC9806ADFBF2FB49304B28C669D455E7246D774ED42CF90

Function 0110A310 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7b23ced7e860b6179e3b69c2c4c317b10bc54d1430c8c10d37c296719eced8
Instruction ID: a8163d667214884dd90634e1e58db4194a766dfb42ffe58021e2f9cbb922d2fd
Opcode Fuzzy Hash: 6a7b23ced7e860b6179e3b69c2c4c317b10bc54d1430c8c10d37c296719eced8
Instruction Fuzzy Hash: 1FB17170E00309CFDB19CFA9E88579EBBF2BF88314F198529D415E7294EBB59845CB81

Function 063726AB Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0f6ab43a23b5fd665134f9270bc4c481c5660945295d6f3dc4aba9c7b76a29
Instruction ID: 1438a4fe07c1a539a01b7328af2473f38959d70f2ddc5b3d77297baa19573c9f
Opcode Fuzzy Hash: 1d0f6ab43a23b5fd665134f9270bc4c481c5660945295d6f3dc4aba9c7b76a29
Instruction Fuzzy Hash: 09A16D34F002458FCB59DBB8C4A07AEB7F2AF89340F148469D40AEB395DF749D468B91

Function 01105B35 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df453561087da6c21a14c10900b06d16cb1022246eae3e037ffad4951b771440
Instruction ID: 10a89fb26431b178ef3848a9855f3902432c93642e13892953909b42c2f97bf3
Opcode Fuzzy Hash: df453561087da6c21a14c10900b06d16cb1022246eae3e037ffad4951b771440
Instruction Fuzzy Hash: 5BA1B271E052698FDB4ACFA8C8806ADFBF2FF45214B18816AD490EB257D374D946CF90

Function 063726B8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e86d58ec54d55a68f1a0aee8fb19b8b5fda62117beefaf232a255f4aa55737
Instruction ID: 7b5b59af390f5cd9c8336de792a2218760016c0db141ae6afb000ad5c1c344b5
Opcode Fuzzy Hash: 91e86d58ec54d55a68f1a0aee8fb19b8b5fda62117beefaf232a255f4aa55737
Instruction Fuzzy Hash: 02915C34F002458FCB59DBA8C4A476EB7F2AF89300F148469D40AEB395EF74ED468B91

Function 01105B1F Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b712bf413cd416bfe70e6978d5098ad3b798e80ca2a873be174f7092ef0eedc
Instruction ID: 7c04fb91e902b74a2cdeb85838615db099c53a0d2fdf1e9ec6a161d9c1f0a1ed
Opcode Fuzzy Hash: 1b712bf413cd416bfe70e6978d5098ad3b798e80ca2a873be174f7092ef0eedc
Instruction Fuzzy Hash: 1EA19271E052698FDB4ACF68C8806ADFBF2FF45214F188169D454EB246D374D946CF90

Function 0110AB38 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcecfef92e6764fd68b64e941f07a0c125b528edfb89780da85e90114bfeff4d
Instruction ID: 0d8b1226e09951397fbe2ae694ddd53f6999d186cab001f35c2854662b0e8d4c
Opcode Fuzzy Hash: fcecfef92e6764fd68b64e941f07a0c125b528edfb89780da85e90114bfeff4d
Instruction Fuzzy Hash: F9915834E00304CFDB1EEB68E454BA973E2FF88305F168969D4069B2D6DBB59C81CB51

Function 0110AB2C Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84a4d3441c8f6c0555f5cbe2b6fa993de3f6ac225f0aa8fba03afe1d8e83a17
Instruction ID: 3ee2c41beb1ba10b7aad6bc8f1247e36ddd4cd0668d2f77173ebfe766226f8df
Opcode Fuzzy Hash: a84a4d3441c8f6c0555f5cbe2b6fa993de3f6ac225f0aa8fba03afe1d8e83a17
Instruction Fuzzy Hash: 19914834E04304CFDB1EEB68E094BA973E2FF88305F168969D5069B2D6DBB59C81CB51

Function 0633FB68 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aac0c662b621988329d3411e73c6cc99b18ae3e71ada733dc6e170440842d1e
Instruction ID: 4624361d55a918606adb5e3d708e2be38877e0fa60531d5722b79596a33cfd8f
Opcode Fuzzy Hash: 3aac0c662b621988329d3411e73c6cc99b18ae3e71ada733dc6e170440842d1e
Instruction Fuzzy Hash: 9E819071F00264CFE798EB64D054B6A73E3EB88315F95C06DD406AB299DB309D89CBD1

Function 0637ACE0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a11f7e19ac421e9e5ce13928a7224c05e88f3a5d596b8622b93bc93f0c5ae6
Instruction ID: 0371b74b51c037412feaf016298921ff0a5087f95e817921ea94c58868ca3a3b
Opcode Fuzzy Hash: 10a11f7e19ac421e9e5ce13928a7224c05e88f3a5d596b8622b93bc93f0c5ae6
Instruction Fuzzy Hash: CBA1FA74E002199FDB69DF64D8A0BAEB7F1FF48304F4484AAD449AB251DB705D81CFA1

Function 0110A809 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d114b3f8568ef2333328a200d571a50dbd2c5cc5d7f3fe2fc96adc17cdf6c9b5
Instruction ID: ae6849e0252455f98b8b63185fa1edbc19624887ab1f2f7ea808c998abc2140f
Opcode Fuzzy Hash: d114b3f8568ef2333328a200d571a50dbd2c5cc5d7f3fe2fc96adc17cdf6c9b5
Instruction Fuzzy Hash: 88818F34E00304CFDB1EDB68E048BA977F2BF88305F15806AD506A72E5DBB09986CB51

Function 0110A810 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172503d80fafaddce217df2d774ba10990500d75af6feca714b4869184a9acda
Instruction ID: 1c46cded26f2cf383c320e26f949ee1e672cb520d02a9abf62093079d86cc53e
Opcode Fuzzy Hash: 172503d80fafaddce217df2d774ba10990500d75af6feca714b4869184a9acda
Instruction Fuzzy Hash: 89616D34E00304CFDB1EDB69E048BA977F2BF88305F15806AD506AB2E5DBB09D86CB51

Function 01106F30 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8692b44d733a8bbd1c660fcb9e2809b0d23e641ca2f1b5c853c1ac5b71c114c8
Instruction ID: 2c927c5cccadc9477f3811b448ae0550829ed08200e445320499ec7a345ceb4d
Opcode Fuzzy Hash: 8692b44d733a8bbd1c660fcb9e2809b0d23e641ca2f1b5c853c1ac5b71c114c8
Instruction Fuzzy Hash: 3B51BC34E00204CFDB1EDF68D464BAA77B3BB89304F558479E1029B6D9CBB1AC81CB52

Function 01106F27 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e278fdc2950d25941d0c9fab53da3661ca76c58db329134b67af58caa5d05da
Instruction ID: 7de741d48b441c9212d4e3bbcf8c72ccd8a45af23cea2528504a1a0e8f77a49b
Opcode Fuzzy Hash: 7e278fdc2950d25941d0c9fab53da3661ca76c58db329134b67af58caa5d05da
Instruction Fuzzy Hash: ED51BD34E00204CFDB1EDF28D454BAA77B3BB89304F558479E1469B6D9CBB5A881CB52

Function 011063A0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3797d1a41adaa58ef4b6b2ab06df2a265b7ed79989149d75392f6f3392cb3244
Instruction ID: 62f981bc8c79e6f174e6aaa902d2f9d60aaafac2580816128368edd4da2a0c78
Opcode Fuzzy Hash: 3797d1a41adaa58ef4b6b2ab06df2a265b7ed79989149d75392f6f3392cb3244
Instruction Fuzzy Hash: 0441A371E0C240CFE71EDB28D0547AAB7A2FB84304F158079D18B9F2C6C7B598A2CB91

Function 011063B0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb60a6418f2d76557dc4ad9241ac44382a0dff5692cc864250c5320ac84013a8
Instruction ID: 4ed21af9631e49984dfa6828d2b4bb291c7e6027b6970abb5ae816201f1be025
Opcode Fuzzy Hash: eb60a6418f2d76557dc4ad9241ac44382a0dff5692cc864250c5320ac84013a8
Instruction Fuzzy Hash: 8C415171E08200CFE71EEB28D45476AB3A2FB84305F158079D18B9F2C5D7B598A5CB91

Function 0110A080 Relevance: 2.7, Strings: 2, Instructions: 181COMMON

Download Yara Rule

Strings

\VXm, xrefs: 0110A24A
\VXm, xrefs: 0110A0F7

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID: \VXm$\VXm
API String ID: 0-3652994748
Opcode ID: ddf4857df72011ada0859cefd88f737589942bbd99a1de9a65a1c798281f274f
Instruction ID: bbace5baf3c5cf0836bb566c33d44fe0870b008fd19e5049728c1ff7921e8398
Opcode Fuzzy Hash: ddf4857df72011ada0859cefd88f737589942bbd99a1de9a65a1c798281f274f
Instruction Fuzzy Hash: 59717B70E00319DFDB19CFA9D8447DEBBF2BF88314F148029E414AB294EBB59841CB91

Function 0110A088 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\VXm, xrefs: 0110A24A
\VXm, xrefs: 0110A0F7

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID: \VXm$\VXm
API String ID: 0-3652994748
Opcode ID: adb9e52b17ea14e0589f16c8b2fe11d592a522863af8e336beec8e9e26a338d5
Instruction ID: 8c636421747e650c1f5c6dc05fba1aa9e1c7f70e61bd3b9a57749f2911cf31a3
Opcode Fuzzy Hash: adb9e52b17ea14e0589f16c8b2fe11d592a522863af8e336beec8e9e26a338d5
Instruction Fuzzy Hash: 68715C70E00319DFDF19CFA9D88479EBBF2BF88710F148129D415AB294EBB59841CB81

Function 011096F3 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

\VXm, xrefs: 01109943

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID: \VXm
API String ID: 0-2312107965
Opcode ID: 2a1e7b31a9295ecf6fe36d8d7e048889fa1325bc00a13401d1117e933d624d9c
Instruction ID: 1a1244ad04b439eae43949df70b31d5184694e3c1ad214ee7905e7658e305516
Opcode Fuzzy Hash: 2a1e7b31a9295ecf6fe36d8d7e048889fa1325bc00a13401d1117e933d624d9c
Instruction Fuzzy Hash: B4917E70E0020DDFDF19CFA9C8957DDBBF2AF88318F148129E408A7295EBB59945CB81

Function 06330040 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874e0d9f97477fd216307883d5bcb535b56e6e9ab73e413affb957a2cd5c7d70
Instruction ID: 8f726346a57c981d7e89e93152de6348b1b2137b5c3fcc6307f0b03342caeca2
Opcode Fuzzy Hash: 874e0d9f97477fd216307883d5bcb535b56e6e9ab73e413affb957a2cd5c7d70
Instruction Fuzzy Hash: 1E02F138B202108BDBA92778A05923C79EBEBC9351B64482DFD07D7391CF75DC4A9B49

Function 0637DDD0 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79074c6523c80e64aeb93d636572d0c45c92d548f59bb3e30783cbabca623843
Instruction ID: cbfcc3e7a844dd377b311c4f7c37b08ea27c2277bb03ea7017a7958b21d1079e
Opcode Fuzzy Hash: 79074c6523c80e64aeb93d636572d0c45c92d548f59bb3e30783cbabca623843
Instruction Fuzzy Hash: E5B15B74E102098BDBB4DB68D4947ADB7F1EF49310F54896AE415EB381CB38DC89CB91

Function 0110A30E Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4fa2f0c4cf9037022a23cc0919ccc37b41f46a9e23bde81f902c3cb190c88be
Instruction ID: df78721e7b07db054f80435bf358e60dc3789f601147f261402bf87893bb8a25
Opcode Fuzzy Hash: c4fa2f0c4cf9037022a23cc0919ccc37b41f46a9e23bde81f902c3cb190c88be
Instruction Fuzzy Hash: 26A16170E00309CFDB19CFA9E88579EBBF1BF88314F188129D415E7294EBB59885CB81

Function 063733A8 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13024d388017f5e31708294a6eb0b49e3b861cbcf6c6af65c426fae20839174
Instruction ID: fe52919c8c50eb1547e1e18ea4dcae8a2d01f9c6e89b335ee0a81eec15022cdf
Opcode Fuzzy Hash: b13024d388017f5e31708294a6eb0b49e3b861cbcf6c6af65c426fae20839174
Instruction Fuzzy Hash: C7B14B31A04204DFFBB8DB54D8487ADB7F2BB44304F14916AE001AB695CB799C89EBD1

Function 01102D30 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a579491fc4b00cee8d5e69bcfc641bbd915f9746bad71d21a733798352f58bb
Instruction ID: 95b123afe902893db1b8e0868f7a2a7120cfbfb9d5402f187bd7922bf954b091
Opcode Fuzzy Hash: 0a579491fc4b00cee8d5e69bcfc641bbd915f9746bad71d21a733798352f58bb
Instruction Fuzzy Hash: E591A874A006108FC71AEF69D598B59BBF2FF88350F1581A9E405EB3A5DBB0EC41CB90

Function 0110EA17 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc6c4ee51d3361314d6b8d08c32ff0750501fc09f9b325de700db352d2b95ec
Instruction ID: 5365fd00869225f410e9f668e97fdd9faf1b4f28e54fa066ba17213c4af1869a
Opcode Fuzzy Hash: 5dc6c4ee51d3361314d6b8d08c32ff0750501fc09f9b325de700db352d2b95ec
Instruction Fuzzy Hash: 20916E70E02208CFD71ECB69D5547AA77B2FB88304F55C966E402AB2D5C7F59C82CB51

Function 01105F30 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b46b1f05037ec7689a21be4c40393e17ae2292e4f339faafc1c5e5c251a8a419
Instruction ID: b34daebf8014f8faea4121a1a10ac5684b3f47a4584eed0d0bdb31e75714e2fb
Opcode Fuzzy Hash: b46b1f05037ec7689a21be4c40393e17ae2292e4f339faafc1c5e5c251a8a419
Instruction Fuzzy Hash: 48814F31D04240CBE3AFDA18D4487A5BBA7BB81300F4685B9D6069B5D9DBBC9D85CF83

Function 0110EA20 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfb3c635d576cf9696c63d24e620e7a7044dcfd88596dc905004fef0c94e386
Instruction ID: 57b09f1edace42781d21a35d7dc20528ad94a583767ed0bf220b86b4242ab123
Opcode Fuzzy Hash: 8cfb3c635d576cf9696c63d24e620e7a7044dcfd88596dc905004fef0c94e386
Instruction Fuzzy Hash: 65915E70E01208CFD71ECB66D5547AAB7B2FB88304F55C966E4029B2D5C7F59C82CB51

Function 0110ED22 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92371aef2da1a65dc1ade841531b7e7060e8dcc962de09334bac3599efc32be3
Instruction ID: b1a57ac3571046df7317e9b71d0f02d2238657b2ded1e666b15d5d7ac4af9010
Opcode Fuzzy Hash: 92371aef2da1a65dc1ade841531b7e7060e8dcc962de09334bac3599efc32be3
Instruction Fuzzy Hash: 13815D70E02204CFDB1EDB66D1587AA77B2FB88304F55C966E402AB2D5C7F59C82CB11

Function 06373AF0 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf5187df0e8e4f1d08e35490a9a8e7853321b21d7f5db8cf94fe3d8317fda6d
Instruction ID: 0d372561253dfe02ac32f5c70085b3100fad2b700a88f734ffe196dcaf90257c
Opcode Fuzzy Hash: fbf5187df0e8e4f1d08e35490a9a8e7853321b21d7f5db8cf94fe3d8317fda6d
Instruction Fuzzy Hash: 11717E74F002199FEB64ABA8C8547AEBAF6EF88340F108429E506EB391DF755C449B91

Function 06373398 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96aef094c68e5f703f2707fcaf4e77ab3c5b05be460ce43a0e968979a2cdd68b
Instruction ID: c0a7d3ca2d72b9d390985d9258b8dbba1259a4e596275f0b30839e2ddd6c0dce
Opcode Fuzzy Hash: 96aef094c68e5f703f2707fcaf4e77ab3c5b05be460ce43a0e968979a2cdd68b
Instruction Fuzzy Hash: B6815A31A04208DFFBB8DB54D8447ADB7F2FB44304F14916AE002AB695CB799D89EBD1

Function 06373671 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f22a97f361170a323c36ce01de19b36569d51ffda67b2ef28ee55be4332802
Instruction ID: 37f6afb422acd722f71f69ee04f807b239e67c42e886d5925c13b9ec64d15bfe
Opcode Fuzzy Hash: b7f22a97f361170a323c36ce01de19b36569d51ffda67b2ef28ee55be4332802
Instruction Fuzzy Hash: A1713A71A04208CFFBB4DB44D844BADB7F2FB84304F149169E006AB695CB799D89EBD1

Function 06373488 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f7995fc27aae0f9fc4d75a6106afb0cee4f22d3cb30bbd4f73457169e20201
Instruction ID: 3be3c653d69e4be24e9e1ca668930074150e99bcad618c5189daf129bd411df7
Opcode Fuzzy Hash: 16f7995fc27aae0f9fc4d75a6106afb0cee4f22d3cb30bbd4f73457169e20201
Instruction Fuzzy Hash: 19713B35A04208CFFBB4DB54D848BADB7F2FB44304F149169E002AB695CB799D89EBD1

Function 0637373B Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b18d0b30dad7218d3cad9948f6769a383a8b82ba9c577aedf4c596015015f9
Instruction ID: 1842b8bbcd19689022073533f9439d101d888246976e0a172f2652255679d715
Opcode Fuzzy Hash: 28b18d0b30dad7218d3cad9948f6769a383a8b82ba9c577aedf4c596015015f9
Instruction Fuzzy Hash: A8712971A04204CFFBB4DB44D8487ADB7F2FB44304F549169E001AB695CB799D89EBD1

Function 0110CAC7 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82abf2507dc0086edf57d1734629aeea24e568595806fee46017553507eb5c6b
Instruction ID: 824019441c14c8d16ba0afdff38e054f85d8303fa14060d6a1d38b08fb025858
Opcode Fuzzy Hash: 82abf2507dc0086edf57d1734629aeea24e568595806fee46017553507eb5c6b
Instruction Fuzzy Hash: 0351A531E086048FD72F9668D4043AA77D2EB86380F1983F6D4558B6E6D7F48C81AFD6

Function 063733DD Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5474e5e30e925ae5159d6bee87fa9828f37ce32f25e3dd7f0f640a8836c5cf87
Instruction ID: 9eae22add43592c48741d991b1d813cea12ba3abf19f80e98659d7eed365d563
Opcode Fuzzy Hash: 5474e5e30e925ae5159d6bee87fa9828f37ce32f25e3dd7f0f640a8836c5cf87
Instruction Fuzzy Hash: 27712971A04208CFFBB4DB44D8447ADB7F2FB44304F109169E002AB695CB799D89EBD1

Function 011069C1 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222400877dae530255054a34a60282e35df37912e537ceab00c5d1868daa9a57
Instruction ID: 796ea82cee67f2f31e6189b8587be8dcad00f802992658a59e68619b9cc28c7f
Opcode Fuzzy Hash: 222400877dae530255054a34a60282e35df37912e537ceab00c5d1868daa9a57
Instruction Fuzzy Hash: 27618131D04260CFE72FFB08D4557A673A2AB90344F428576C0079BAD9E7B49DA5CB92

Function 01102D20 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a20020a3f78e45ff6018de23eee765611ce9d52cb8835211424f24c44980f9e
Instruction ID: fcbf2fdab8fa4b72d58f5eae332fcf0db28dd886727ad1e2c750a2674b0aec21
Opcode Fuzzy Hash: 9a20020a3f78e45ff6018de23eee765611ce9d52cb8835211424f24c44980f9e
Instruction Fuzzy Hash: 2461BD75A00650CFCB1AEF69D598A59BBF2FF88350B1581A9E405EB3A1DB70EC41CF90

Function 011069D0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f201a328902453e0624fd1af8e8e78c0557b8261ed3767943d36a60bc2e780
Instruction ID: 9f162bd2229f7c07aa6c8faeb07134721c9de730cb47ad175357b8f47b572204
Opcode Fuzzy Hash: 70f201a328902453e0624fd1af8e8e78c0557b8261ed3767943d36a60bc2e780
Instruction Fuzzy Hash: B8518231D04260CFE72FFA08D455BE673A2A790344F428576C0079BAD9E7B4ADE5CB92

Function 0110ADC8 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08d93c7e3e32719c2bbbf6c4ea71e350bc1e36c0f337dd1848eeb7758228e52
Instruction ID: 8e77d67c5c44500dae773e2c0b0e62ac74ffd4c89b8dea290cf3073dafaed4a5
Opcode Fuzzy Hash: d08d93c7e3e32719c2bbbf6c4ea71e350bc1e36c0f337dd1848eeb7758228e52
Instruction Fuzzy Hash: AE613634E04304CFDB1EEB64E594BAD73B2FF88309F164969D406AB2D5CBB49881CB11

Function 063364B0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19cef4b9905dfc1a0dda1825e9ef8a2299b8ea019fea4daeb4b0d26dfd72f0b
Instruction ID: 450432cf2ee53da1fc72efa8ecdec69c6893dd29302d10e292053386f1dee2bb
Opcode Fuzzy Hash: b19cef4b9905dfc1a0dda1825e9ef8a2299b8ea019fea4daeb4b0d26dfd72f0b
Instruction Fuzzy Hash: EB51B035E00124EFEB94DB68D446BA9B3F7FB8A314F148175D406AB29AC734AC84CBD0

Function 0110DB33 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79bb30da2d96bd03844aa1ccc40711af69d48a11bc4ac31c5a4c25ff585c0fc4
Instruction ID: 14eb172c165d27e1d07860fea041eba1dad0a6c7a22f49388f12aa2536ffddec
Opcode Fuzzy Hash: 79bb30da2d96bd03844aa1ccc40711af69d48a11bc4ac31c5a4c25ff585c0fc4
Instruction Fuzzy Hash: 96518635E04601CFEB1EDAC4E044B797BA2E786304F168675E4065B6C9C7F4AD81CB92

Function 063364A0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2a73f61286bc5a3ed7b372be67341156b30b1eb3232ed486f5436eaa63a952
Instruction ID: 7a9444f39a0b326364af058aef29547389b4d62da788c9094ad23bdb7cb7e990
Opcode Fuzzy Hash: 4c2a73f61286bc5a3ed7b372be67341156b30b1eb3232ed486f5436eaa63a952
Instruction Fuzzy Hash: E751AF75E00124EFEB84DB58D4467A9B3F3FB8A354F148079D406AB2AAD774AC84CBD0

Function 06373AEF Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc9d71140030085efba8fad2418be88d24639cd05a93903f183243b702e8b1a
Instruction ID: 19f1b57bea4070c77f373a4cfdf6ffd834fb5c8915b0e19d50d642e9afc2bcf3
Opcode Fuzzy Hash: 3dc9d71140030085efba8fad2418be88d24639cd05a93903f183243b702e8b1a
Instruction Fuzzy Hash: 6C518070F102189FEB649FB8C4547AE7AF6EF88300F208429E506EB395DF759C059B90

Function 0110C8D8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0be250a4ed5fab7db09917bd19395232491f678a73b3ee3ee52ccff78c84812
Instruction ID: a1940a92f587d8ad1730ad2d2947e7298357078fc38c12e23ac01ee6988c2d91
Opcode Fuzzy Hash: c0be250a4ed5fab7db09917bd19395232491f678a73b3ee3ee52ccff78c84812
Instruction Fuzzy Hash: E6510571D00218CFEB19CFA9C844B9DBBB1BF48310F148659D819BB391EBB49844CF95

Function 0633544B Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8cb57828445b9daf86180e21bcc19d7ecdaafc416aa2201b4adf8349519b43
Instruction ID: 4a2122507bd3d4fef907b94bd2c25171b92feca2e7b29db981f074939db3f5ad
Opcode Fuzzy Hash: 8c8cb57828445b9daf86180e21bcc19d7ecdaafc416aa2201b4adf8349519b43
Instruction Fuzzy Hash: 9C51AA30E00225CFEB58CF54D14079EB7B3FB84326F14852AE416AB694D774A89ACBD0

Function 06335458 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fded6d4ec7792f88849a1db32b637197f05a998ee60775faba008f8523208632
Instruction ID: 6b907c9e80003167633cafbbb0fa06727e2f54486621f8335f8cbd265d465551
Opcode Fuzzy Hash: fded6d4ec7792f88849a1db32b637197f05a998ee60775faba008f8523208632
Instruction Fuzzy Hash: 6D51AD70E10224CFEB58CF54D444B9EB7B7FF84325F14812AE416AB694D774A89ACBD0

Function 01101710 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e3a96712cc6b85b35242b2b62b4f9f70f2102ec5c3d36a228c4150d7763217
Instruction ID: a2fe1235242efc480055e03fefbda08152c06b07f78aee99cac5e1feee3a2cbc
Opcode Fuzzy Hash: e2e3a96712cc6b85b35242b2b62b4f9f70f2102ec5c3d36a228c4150d7763217
Instruction Fuzzy Hash: 3741FD39F04600EBE32F9658D0047E57792A781394F568176C4029F2D9DBFCDE86C782

Function 0110C8CD Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e79e794c264c319d1d42dc659b4e64890418f85145942ce653f7f9cc405c768
Instruction ID: 32db34218e8bec01b05b27649145253044da0362cbd8c35a85fb246dd4257e0d
Opcode Fuzzy Hash: 6e79e794c264c319d1d42dc659b4e64890418f85145942ce653f7f9cc405c768
Instruction Fuzzy Hash: 1F511274D00218CFEB19CFA9C844B9DBBB1BF48314F14865AD819BB391EBB4A844CF95

Function 01106D0C Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9a0aa47f06b9dee3559470a3acbafae354dc2b1b86630685b24c9e5e401f0a
Instruction ID: 2ce1533a572bda8f43e6e7daa058076771e22e4ced4fdbf3a32be39e6235141b
Opcode Fuzzy Hash: cd9a0aa47f06b9dee3559470a3acbafae354dc2b1b86630685b24c9e5e401f0a
Instruction Fuzzy Hash: B741C131A00240CFEB1EDB68D058BAE77E2BB84304F5584B9D0469B2DADBB59CD1CB51

Function 01101720 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3530d9cb9eb8cbeb119455c9b4e266ba1425cd2a97a552cc5290d96067ab612b
Instruction ID: 309b311a5614a9be3e7b8a300498f48bfc67048ac87f1c171c45f4cae9fd4eac
Opcode Fuzzy Hash: 3530d9cb9eb8cbeb119455c9b4e266ba1425cd2a97a552cc5290d96067ab612b
Instruction Fuzzy Hash: 8141B939F04504EBE72FAA58D0447A57392AB80394F568176C4029F2D9DFFCDE86CB82

Function 06335560 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a789f93375aca736661ebb713023e1999aa0c6f840c44fbb62a45f2a392745dd
Instruction ID: 5510a869e1060ca4e8d51ab3c07485e0419935c84d7e7b131066371a77b4e859
Opcode Fuzzy Hash: a789f93375aca736661ebb713023e1999aa0c6f840c44fbb62a45f2a392745dd
Instruction Fuzzy Hash: 7C419F70E10225CFEB58CF54D4847AEB7B3FF84326F14812AE416AB654D774A89ACBD0

Function 0110DC88 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be3b29e1466f455e79d1160a871dac30c94772f590d41cb48a92af6f578f43b
Instruction ID: 0e79b74314c60ebaa7039c8cf8f76814bf91f9f4555ab78dee746b8f526f96b5
Opcode Fuzzy Hash: 3be3b29e1466f455e79d1160a871dac30c94772f590d41cb48a92af6f578f43b
Instruction Fuzzy Hash: 45413231D04615CBEF2FDAC8F044B65BBA2E782304F468675E8065B6C9D3F49D85CB92

Function 0110D8E8 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac64ee34c63eebf598975f3bed8aa6b285f4d383f74695aba9165ad1cafe54f3
Instruction ID: d09fde4de0708170145a7135ff7bfc3ea1623c2a1363acd6b2de73eb2dc2cb01
Opcode Fuzzy Hash: ac64ee34c63eebf598975f3bed8aa6b285f4d383f74695aba9165ad1cafe54f3
Instruction Fuzzy Hash: C941B136E04200CFEF2E8AD8F4547AAB3A3F780320F16817AD5065B1DAE7B55D85CB51

Function 0110DB50 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b0797a38456779877c527d4cced988a48395d68daaa4db490d502aded45394
Instruction ID: da96a7b22fabfa82ecd84c11777804162b3daf0abc7d49232d26b196837a36d8
Opcode Fuzzy Hash: c4b0797a38456779877c527d4cced988a48395d68daaa4db490d502aded45394
Instruction Fuzzy Hash: 24415331D04601CBEF2EDAC8F044B65BBA2E781300F068676E8069B6C9D3F49D84CB92

Function 0110DBD9 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0d7fbdc2f4717665b36776aed6be7308f01865fe5e91cb61f3d2a048d057af
Instruction ID: 85a2c92ffbc8c33f6c7f94abaf1edf530f5cce37acda6fbf0340e541652ef966
Opcode Fuzzy Hash: bf0d7fbdc2f4717665b36776aed6be7308f01865fe5e91cb61f3d2a048d057af
Instruction Fuzzy Hash: BD416131D04601CFEB1EDBC4F084B65BBA2E785300F0686B5E8069B6C9D7F4AD85CB92

Function 0110CB68 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875c59207a97d555f34f3dab58bf41e3eae54347015d72eddecdb26d2b944ef6
Instruction ID: 1b79dbc70abc709205a442a137b86d940070b31cf55b91e023bb321e23180b2d
Opcode Fuzzy Hash: 875c59207a97d555f34f3dab58bf41e3eae54347015d72eddecdb26d2b944ef6
Instruction Fuzzy Hash: A2312E31E08504C7E72F9618D4487A67692F782380F1A83F6D8568B5E9D3F49881BFC7

Function 0110DCAF Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3b1100911358edc229fd30f3be7b52f3a1f00332ed3b2d0fe1f87230cd7252
Instruction ID: 1540bb4164ca77c6dd7ccb4f3f8b2a2a71343263b8834bdf004841c660a581fe
Opcode Fuzzy Hash: 9f3b1100911358edc229fd30f3be7b52f3a1f00332ed3b2d0fe1f87230cd7252
Instruction Fuzzy Hash: DE411031D04641CFEB1EDAC4F044B65BBA2E782304F4686B5E4069B6CAD7F49D85CB92

Function 0110DDE5 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbd2945c2b428b38d4d4a82dfdb4af2fe5af453bb78cb64186b7a89ffa6ef53
Instruction ID: 23c7cd0a53bdfe7009074a0b67d0a2a0274c65f1d7f5881d68ac47ad9e57c9ef
Opcode Fuzzy Hash: dfbd2945c2b428b38d4d4a82dfdb4af2fe5af453bb78cb64186b7a89ffa6ef53
Instruction Fuzzy Hash: DB411035D04601CBEB1EDAC4F044B65BBA2E786304F4686B5E4069B6C9D3F4AD84CB92

Function 0110DC59 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741a48648a3958587177d9eb716701e5b9225ef9c9f48c91dd79ba8a7dbe63c8
Instruction ID: 229f2c05d5e93467a1ab9279e9de6bf094d7fd3f10af340e80e429dc0813f251
Opcode Fuzzy Hash: 741a48648a3958587177d9eb716701e5b9225ef9c9f48c91dd79ba8a7dbe63c8
Instruction Fuzzy Hash: 01412135D04A05CBEB1EDAC4F084B65BBA2E781304F4686B5E4069B6C9D7F4AD84CBD2

Function 0110DCF7 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d87f55e200270be0cf55fd26e1c52fcdf8b62609dfafe865dd532a2481d33b
Instruction ID: 2777889e9dba8f8895f108de2d4d664098725fd8033cabf7db251a71f7677921
Opcode Fuzzy Hash: 47d87f55e200270be0cf55fd26e1c52fcdf8b62609dfafe865dd532a2481d33b
Instruction Fuzzy Hash: 12412135D04601CFEB1EDAC4F044B65BBA2E781304F4686B5E8069B6C9D3F4AD85CBD2

Function 0110DEE3 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b6b9f7e1b246a1b4b59a6cf9e08b9eb5a50bf17769c0ddb698818f9e8e2f43
Instruction ID: 09f712500c71f932106d89811c2f4d6183b1ff123ef5e7e758335be5bcd0ca0e
Opcode Fuzzy Hash: 59b6b9f7e1b246a1b4b59a6cf9e08b9eb5a50bf17769c0ddb698818f9e8e2f43
Instruction Fuzzy Hash: 0D413031D04641CBEB1EDAC4F084B65BBA2E782300F0686B5E4069B6DAD3F49D85CB92

Function 0110CF59 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133dfd23119c2e57d11e7ce2f0884ae9a2ef5511d0582d0951e6213bcdb383be
Instruction ID: 34a28803dc3d0c59fde7aa07fe1cc8b10b931ecba7ceebec7d2010a294f8d1f2
Opcode Fuzzy Hash: 133dfd23119c2e57d11e7ce2f0884ae9a2ef5511d0582d0951e6213bcdb383be
Instruction Fuzzy Hash: 0B31EA35F002408FEB1EEAB9D41076A77E3AB85354F0581BED14AC71D6DBB08986CB92

Function 06372028 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe5e96e9499a70ce03bef14afba52da0474c56cfbcfce7c27e3cd630f819e8f
Instruction ID: bfa868046530242b9835e32ae9ce155d53802fc61328d729d28d3c07825435bf
Opcode Fuzzy Hash: dfe5e96e9499a70ce03bef14afba52da0474c56cfbcfce7c27e3cd630f819e8f
Instruction Fuzzy Hash: C5318875F002008FDB59EF78C890BAEB7F1AB48710F45846AE905EB380DB35AD45CBA0

Function 0637201B Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a7cd2c860d3b4b94c23255f79a35265febe5a7892c7a35d38c30c759e1175a
Instruction ID: 2523bb5d5584413cd9ca44ee5307d8132657c7c6b32b8a0a4556d1da37804641
Opcode Fuzzy Hash: 09a7cd2c860d3b4b94c23255f79a35265febe5a7892c7a35d38c30c759e1175a
Instruction Fuzzy Hash: 2131DE75F002008FDB59EB78C451BAE7BE1AB48310F0584AEE805EB391DB359D45CBA1

Function 01107B4C Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a98a48af96fe0b1114d3023d55299bfeac7aa51c529f3d42c038391a0619ef
Instruction ID: 66d397edd0bd10535ab8a36f3055a9e597980d4c8e5ecf144750002005e887f8
Opcode Fuzzy Hash: 48a98a48af96fe0b1114d3023d55299bfeac7aa51c529f3d42c038391a0619ef
Instruction Fuzzy Hash: 304102B0D0034D9FDB14CFA9C584ADEBFB5FF48314F248029E459AB290DBB5A945CB90

Function 0110CDA8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ce3a420a9875532f7cbb7c4b45759230a34828cb745081896562854ee4fe48
Instruction ID: 11207d73232cec82e965799cd74306ded8638f9a86ef3dd14bf0818c369d9a3d
Opcode Fuzzy Hash: 38ce3a420a9875532f7cbb7c4b45759230a34828cb745081896562854ee4fe48
Instruction Fuzzy Hash: C0318C31E04250CBDB1EEA18D0547AEBBA2FB81304F1982EAD106961D6DBB45D96CFD2

Function 0633FA28 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 223fae1556ad3fc9fdf4a040b871799c0977cf85dae6cdd5aaad07e593e8e8f4
Instruction ID: 86e693e4107706f3a9f70d98630e64a5a3ef1e4f4a934b8387a68e608e743e95
Opcode Fuzzy Hash: 223fae1556ad3fc9fdf4a040b871799c0977cf85dae6cdd5aaad07e593e8e8f4
Instruction Fuzzy Hash: 7B316030E107159BCB15DF65D594A9EB7F6EF89300F50891DE806EB750EB70AC45CB90

Function 01107B58 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce40c22be40856af9c08c47a02d58ac8571b8a0ce25bc054639f78546b4ee67
Instruction ID: 2a9c15ad27d2796006c81722a3abda02eb922e67d36750f6d72c1966215781a3
Opcode Fuzzy Hash: 3ce40c22be40856af9c08c47a02d58ac8571b8a0ce25bc054639f78546b4ee67
Instruction Fuzzy Hash: 6F41EEB0D003499FDB14CF99C584ADEBBB5FF48310F248429E819AB290DBB5A985CB90

Function 06337628 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f3db1f6c94182f7d9fdfe5226059b9fb4f30e06a70752716146707eb9bc834
Instruction ID: 6642d6753ff723e1dbd9a014f39d87c7c025cf35778ab16273971e69d13ce926
Opcode Fuzzy Hash: 61f3db1f6c94182f7d9fdfe5226059b9fb4f30e06a70752716146707eb9bc834
Instruction Fuzzy Hash: 4341B431C14B1A8ADB51EB68C8445A9F7B0EF9A300F10D79AE45D76120FF74AAD4CF82

Function 06335AB0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76acfcefdc7d37db9d3bca61506f351a992357f7616b83df051a5430f8f82c3d
Instruction ID: 3b52ab86a55d7c26952750696bae4784095cbe0b9a0698f085a7fa46190290d7
Opcode Fuzzy Hash: 76acfcefdc7d37db9d3bca61506f351a992357f7616b83df051a5430f8f82c3d
Instruction Fuzzy Hash: 3C318170E102199BDB56DFA8C4916AEF7B6FF89310F148519E806FB341DB70AC89CB90

Function 06330738 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f3626508258e48db06a4830de8b441df10c8835a03c8abeb7ae40d1bbb4059
Instruction ID: 9c4510b8b820005e4897c8ab55d19abe34dd797e5c39b9dfa5b69bc35a812551
Opcode Fuzzy Hash: 00f3626508258e48db06a4830de8b441df10c8835a03c8abeb7ae40d1bbb4059
Instruction Fuzzy Hash: CE414DB4D00708EFDB88DFA4E588BAD7BF1FB44304F5081AAD406A7252EB705A85CF80

Function 063371C5 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f99d60270e9c1bdf6252bdf1dce63ee605a9bab0eff6dd0982433682775a7d4
Instruction ID: 34ac21bfb22fefac0cec518e45ee294f7510987dee76b6fc4bd4adf03defae54
Opcode Fuzzy Hash: 2f99d60270e9c1bdf6252bdf1dce63ee605a9bab0eff6dd0982433682775a7d4
Instruction Fuzzy Hash: F0411A71C20B1ADEDB10EB68C854AA9B771FF96300F11C79AE14937151FB70AAD4CB86

Function 06330748 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774ba273eccf0318828451217cbecebbe586168ed8061f3dc3f4f544dd727347
Instruction ID: a4beb2341363522db90aec4154faf1d79220dde77324b2fda984e3adffcb2a3a
Opcode Fuzzy Hash: 774ba273eccf0318828451217cbecebbe586168ed8061f3dc3f4f544dd727347
Instruction Fuzzy Hash: 723132B4900718EFDB88EFA4E599BAD7BF5FB44304F5081A9D006A7255EB705A85CF80

Function 011029BE Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59c818c5b86c399c181f89c89952199bf5a5f6891eb026ac006293f2cf542b7
Instruction ID: d2be94e3d156a77400c5d972fa99fda075ad0d35d3c168bd7712e908c8015e62
Opcode Fuzzy Hash: f59c818c5b86c399c181f89c89952199bf5a5f6891eb026ac006293f2cf542b7
Instruction Fuzzy Hash: 1831073185B3C18FC787CB7498521803FB2EE5722D32D49DAC0C09F467E369695ADB91

Function 063780E0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc50e81df6fe6cadbb03f63525bf6251c5200f7bd7bc4cf605a3374e0cbf37f
Instruction ID: 33a694df240733a34f2aaeaf2ce47c6182b0f7711bad1f3d80fe0f7f27ac82f8
Opcode Fuzzy Hash: 2bc50e81df6fe6cadbb03f63525bf6251c5200f7bd7bc4cf605a3374e0cbf37f
Instruction Fuzzy Hash: 5C219C35B001149BDF98EB68E4587AEB7F6EB88254F548429E806EB380DB34ED458B94

Function 0110C791 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6890e132491b577fa5e3495422b1796ec18284a00649ebbc496a6e80fe0193e
Instruction ID: 757cf44ef7ed8fedc89821699bf4db1b9cce0dc49d0cc766c08ae10e8ec590e4
Opcode Fuzzy Hash: a6890e132491b577fa5e3495422b1796ec18284a00649ebbc496a6e80fe0193e
Instruction Fuzzy Hash: 3921D7317043409FD356ABB9E45079E3BE6AF8A710B1544AED004DF396EF744D8587E1

Function 0633FEF8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aae22cc2f9248c603b732c485c14654128d9d8326fbad4b81db774c4f5ceef9
Instruction ID: a2b6ed4a72f6c39d0e69f2646d77742f0bbb643c998b8b37b408f73173c67718
Opcode Fuzzy Hash: 8aae22cc2f9248c603b732c485c14654128d9d8326fbad4b81db774c4f5ceef9
Instruction Fuzzy Hash: 20213675B042159F5744DF69E4404BABBE9FB8A265714C06EE90DC7341EB31D90ACB90

Function 00E6D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1566809685.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e6d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c4aee6d7f58750e86d8b06ac73b72c239353d5c8d5dfdc1b19211776b74933
Instruction ID: 71ebbb2ef7562a77af0c8334055aa5789fbf866354301c0e80d1d43006cd97b9
Opcode Fuzzy Hash: d6c4aee6d7f58750e86d8b06ac73b72c239353d5c8d5dfdc1b19211776b74933
Instruction Fuzzy Hash: 3B214871A48344DFDB04DF00EDC0B16BF65FB98368F608169D80A5B656C336D856CBA2

Function 06372188 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eee241b9095c13c3e99e50e7f2a00c15af2013b75e010329ee95d47089c7a31
Instruction ID: 2e9799a4fbdb3ecd2234bcf2a1703742f08958d5a2b1584cd4fb9f96ce24c5a6
Opcode Fuzzy Hash: 1eee241b9095c13c3e99e50e7f2a00c15af2013b75e010329ee95d47089c7a31
Instruction Fuzzy Hash: 6221D532B101015FCB69EA788864AFB77FAEB88354B4540BEE546D7281EE258D064BA1

Function 00E7D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1566896590.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e7d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec5895d789b676d371fe529daadd99f5b5e9c7d9d2423d18ac37b60b76f02dc
Instruction ID: 91f7b55d57794263e473a906de781c41f7827141adaced441e9609656fcb2a16
Opcode Fuzzy Hash: 9ec5895d789b676d371fe529daadd99f5b5e9c7d9d2423d18ac37b60b76f02dc
Instruction Fuzzy Hash: ED21D071508204DFDB14DF10DD80B26BBB6EF84318F24D569D84E5A292C376D856CA62

Function 06372198 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734833b71dc6bdc7c26545d517af500e89e33b7cb295f31754a64b8671072175
Instruction ID: 9fbfc1d06d7c436ce12685dff36273adffc7dff1b60a4d38ece2572780c374ab
Opcode Fuzzy Hash: 734833b71dc6bdc7c26545d517af500e89e33b7cb295f31754a64b8671072175
Instruction Fuzzy Hash: CC11AF36B101148FCB98EA788864ABF77EAAB88350B55847AD406E7340DE36DD058BE1

Function 00E7D005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1566896590.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e7d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc8ffe07c29f3e1341294075ed425b30602ea2c63969f4190323569ae4607da
Instruction ID: af369ccd7472d4ef1197e0c90417dc8413ecfdcd9c23baaab5a33b628450f780
Opcode Fuzzy Hash: dcc8ffe07c29f3e1341294075ed425b30602ea2c63969f4190323569ae4607da
Instruction Fuzzy Hash: B8215E7110D3C09FC703CB24D994711BF71AF46214F29C5EBD8898F2A7C23A984ACB62

Function 06379920 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d09403bd59ad295328467af53b6db206a7a99435ef0b32dbf581fec496fad67
Instruction ID: 97b7fe3a8aeaf3559ad702ab8a64a1178d39f84646e14f5462d0d3b943bc828d
Opcode Fuzzy Hash: 7d09403bd59ad295328467af53b6db206a7a99435ef0b32dbf581fec496fad67
Instruction Fuzzy Hash: 9D113036B002058FEB389EB4D541B7973E1FB95214F01497EC802EB282DB389E49CBD0

Function 06377478 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3241308ba498016d1847d6589c50a3ed78715df581f61edf8bec0b5759fde2
Instruction ID: 260efdd9aa9dd110ee5d3f7c23aff79dc02eca43daa737fd760ea43240455452
Opcode Fuzzy Hash: fb3241308ba498016d1847d6589c50a3ed78715df581f61edf8bec0b5759fde2
Instruction Fuzzy Hash: 9F218031900609DFE3B4DB45D848BB5BBB6A740304F05C166D4099B559C378BC89EBC0

Function 06370FE0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7e377231807b049e9007bf43fb1651eea774507526ff8db3e36a53271109d3
Instruction ID: 312ea3ff3d7bcd636b4b9a49d999192770f6edcee51654300d8962ffe7fd7afa
Opcode Fuzzy Hash: 1c7e377231807b049e9007bf43fb1651eea774507526ff8db3e36a53271109d3
Instruction Fuzzy Hash: B4213B71E002189BDB64DBA8D8846DEB7F5EB89310F1484AAD509E7200DA329D45CF90

Function 0633550B Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b429496c44d8fe4f9f15b41c6af0be4ba3dd665071a94df62402b84b5c68bb
Instruction ID: 44482ac3c87e52791c93423de4969da6c1d359fb85ff5f7144e9d0f280a79cff
Opcode Fuzzy Hash: a4b429496c44d8fe4f9f15b41c6af0be4ba3dd665071a94df62402b84b5c68bb
Instruction Fuzzy Hash: F521A230A00214CFE798DF18D04476973F3FB8437AF14C429D41AA72A5DB349C99CB90

Function 00E6D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1566809685.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e6d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction ID: 859f6545a72ff6869bda136b271d17de8992de2318e329f57a8944b5da3a80f0
Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction Fuzzy Hash: 7211E976944240CFCB15CF10D9C4B56BF71FB94328F24C5A9D80A4F656C336D856CB91

Function 063719F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac7d7198652fa8d1fbfc4b45c33a5c4638e726bd1172ad5f93acc6552afe398
Instruction ID: 82a1e60a35625b1d8fd5373860f83be8fc3a99c5a8c3b8a1ac6b2790e8169cf3
Opcode Fuzzy Hash: cac7d7198652fa8d1fbfc4b45c33a5c4638e726bd1172ad5f93acc6552afe398
Instruction Fuzzy Hash: 8F21F4B5C01259AFCB10CF9AD884BDEFBF4FB49310F10812AE918A7251C379A554CFA5

Function 0637C278 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c50bb48b7bf523e2af3a2a1ad49b11508a1de890f625ddbe49687683233d47
Instruction ID: f54ce44a8ecbe03751915d6f71d0d7df99bd046ad8c6dc7f5166e18b23a6d73d
Opcode Fuzzy Hash: f3c50bb48b7bf523e2af3a2a1ad49b11508a1de890f625ddbe49687683233d47
Instruction Fuzzy Hash: 33018C34B002044FDB69EAB8D454B2F73D6AB88704F40983DE40ADB392EF29EC4587D5

Function 0637C268 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bbeb37ef43085ae41fcefbe104f1a0a74b8c5f637bf6c085f45da5bad14bc07
Instruction ID: a12b1b54f0d91794fcd0be102ce5137d1f83c8084aeb4409e56375cbc19fcbec
Opcode Fuzzy Hash: 2bbeb37ef43085ae41fcefbe104f1a0a74b8c5f637bf6c085f45da5bad14bc07
Instruction Fuzzy Hash: 6811A174B042404FDBA5E6B8D46472F37E5DB88704F40487EE00ADB392EF28DC058795

Function 063719F8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c21302b3ef8bd8fb1d04415ac94df6643fb175a799510af52c5eefc03b4109
Instruction ID: 46168b6fb7848a8cd93f61509d5af41e750e26d57c9201443a34b8d6f00f4b26
Opcode Fuzzy Hash: b4c21302b3ef8bd8fb1d04415ac94df6643fb175a799510af52c5eefc03b4109
Instruction Fuzzy Hash: F911D0B5D01219AFCB10CF9AD884BDEFBB4FB49310F10812AE918A7250C374A954CFA5

Function 06372618 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9059e2856db24df6a23991b0d252bfac5b9f073cea28460817277fc0129fa1
Instruction ID: 00e4e98a5bdf62782c8490c8810f966bd04cc0b3eb775946a12e4c8e968b4527
Opcode Fuzzy Hash: bd9059e2856db24df6a23991b0d252bfac5b9f073cea28460817277fc0129fa1
Instruction Fuzzy Hash: B501D130B001100BDB66957DD414B2FA7DADBC8710F10883EE50AC7345EEA9EE4643E5

Function 06371A9C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ac7382c0ea0b4ab8c113d185bc7a90c9f904905e4051f1f2b2feafff3ddedd
Instruction ID: d5219b531b747bda3c14bcc9d9437a6f55118deb2c5a45251bf5d06a9e8454d8
Opcode Fuzzy Hash: 01ac7382c0ea0b4ab8c113d185bc7a90c9f904905e4051f1f2b2feafff3ddedd
Instruction Fuzzy Hash: E6118BB2C093549FDB41DF98D8447CEBFB0BF49364F148256D458A7291D3389958CBE2

Function 06372608 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841750f30443db7dd058b6fb4700630b6381fb5b1d754946371839f700afda3f
Instruction ID: 209133269e420bcd00c09b114273cb34ea66a60a7270e6b13583049f9e797038
Opcode Fuzzy Hash: 841750f30443db7dd058b6fb4700630b6381fb5b1d754946371839f700afda3f
Instruction Fuzzy Hash: DC01CBB07083804BDF668B7880013AB7FE4CBC6210F0448BEE589CB243CA28DE468381

Function 0637F270 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4c75587fb41418378e3c1e43927d6ab339faa2c228db63acfe750ff291dfc4
Instruction ID: 4abb7af1ca6fb95a54f1a1ec4247f903f0a4600166be487d600008969cba242f
Opcode Fuzzy Hash: 9e4c75587fb41418378e3c1e43927d6ab339faa2c228db63acfe750ff291dfc4
Instruction Fuzzy Hash: 6DF0B437F202649BCB296A75D800AEEB3A9FB88254F10447DED01FB380DA75AC0587D0

Function 06374C40 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff2a33777a51abc6d12706a31152445ed59c3a9037c0d17d8cbddb452e18501e
Instruction ID: d66325761e4b98eda77a7cdf3162e51a9b36a353260b9bf03d7a2a7b51fc7ce2
Opcode Fuzzy Hash: ff2a33777a51abc6d12706a31152445ed59c3a9037c0d17d8cbddb452e18501e
Instruction Fuzzy Hash: 40F04475E002099FDB14DFA9C985A6FFBB6FB89310F05C039E60597351CA78A801CBD1

Function 06333F70 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21a26cd3065956e2517dd6559a6efd76228ee82cee7d42d34b404e0ad9448eb
Instruction ID: 84037447b8f9c024945c41db9e6e58e3f6344dc9d2162143e5190339a2902273
Opcode Fuzzy Hash: b21a26cd3065956e2517dd6559a6efd76228ee82cee7d42d34b404e0ad9448eb
Instruction Fuzzy Hash: FAF096316152A1CFE349EB34D44876637F3BB85314F99C0ABE049D7196CB745C86CB50

Function 0110E267 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215ab9d1ac55c051a7f6208a4d7c5fc58790b5fbf236581273eaf0d19f3967f7
Instruction ID: d7ef41a8f8aff74f959badb48e8bed5c888943a85b504b3b65445b2df9f57ee8
Opcode Fuzzy Hash: 215ab9d1ac55c051a7f6208a4d7c5fc58790b5fbf236581273eaf0d19f3967f7
Instruction Fuzzy Hash: 5CF06D75B012908BDB1EFB699090B2D37D37B9C208B454869D006EB386DF709C428792

Function 06333F80 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22bcb665069060735aafebd22632fc76825d6f85cfb1d30cb8417acdbd6c4249
Instruction ID: c5ea850b8e01aaaf25aa80780ec75a01369084d592e446ddaf38db5e060d2b27
Opcode Fuzzy Hash: 22bcb665069060735aafebd22632fc76825d6f85cfb1d30cb8417acdbd6c4249
Instruction Fuzzy Hash: F0F03031A101618FE388EB69E448B6633E7BB88355F99C075F009C7699DF746C86CB94

Function 011009BC Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70e91fd4cb51ecfaa6808f481345ddfd0c77372f82c592addf15eb957996c69
Instruction ID: 2d403680e864708d5bf88eace5a8bc865d3b7b4e0573fbd0200e4d6457ac3b4e
Opcode Fuzzy Hash: f70e91fd4cb51ecfaa6808f481345ddfd0c77372f82c592addf15eb957996c69
Instruction Fuzzy Hash: F8F04F36E04608CFD71EDF1AD848B5577F4FB4838870A4076E509AB155D7B0EA458B82

Function 0637FF53 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47faf4c9865ed9e2b194d2699622565608d8761f4f8402944ed8439908fbfd0a
Instruction ID: 603be508b9d9cdfe13a9758a6b03fc0f5077ffe62c34ca798650020f2a323807
Opcode Fuzzy Hash: 47faf4c9865ed9e2b194d2699622565608d8761f4f8402944ed8439908fbfd0a
Instruction Fuzzy Hash: F3E0223050A7409FC3026B38A80415A7BB9EB83214F0501ABE045F7612DA208A5883E1

Function 06374D86 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671c1ba94dd0c5272ecab56c0cb252351159e903c7217e846cafabe6d0e1063c
Instruction ID: 6b188be744f40d87cd20a62070b0c22f9a3f07b9061171b43e8a31be9d19ffbd
Opcode Fuzzy Hash: 671c1ba94dd0c5272ecab56c0cb252351159e903c7217e846cafabe6d0e1063c
Instruction Fuzzy Hash: C1F01534A01205DFEB68CF48C485B99B3F2BB88711F24C669D0016B6A9C339AC85CBD1

Function 01103819 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac999cabf9e3c5aa04abb07fe180966fc27f42a0ae7d366bc29930cee773960e
Instruction ID: e2f6112c07a68db4ee9f2d402e2432bb2d96b8d68f1574a20e19c5bbe30e106e
Opcode Fuzzy Hash: ac999cabf9e3c5aa04abb07fe180966fc27f42a0ae7d366bc29930cee773960e
Instruction Fuzzy Hash: 4FE012397100048FDB0EDB64D95497CBBF2FB48314B454025E911EB3A5CB359C418B11

Function 0637FF60 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41423d17668a49eef60e1ed8cbed29c1da811480932362cace7c42ed1fb0315c
Instruction ID: 4bf13ecfef8ac4206face6a93f6c8fc136c481019bf82b5bc4e5574fb956d6fe
Opcode Fuzzy Hash: 41423d17668a49eef60e1ed8cbed29c1da811480932362cace7c42ed1fb0315c
Instruction Fuzzy Hash: A9E08C316107048FD7047B79E40925977E9FB86355F51012AE10AB7B15EF70984487C5

Function 01102827 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12491bef4ab0a4b884fa91c290d745eb2f0abc335861a9f90ee3b6e5ff074560
Instruction ID: b84d92e0bc6e6450e9f4ea003d5bf07012920d7482a525f924c1a5c41e0088e6
Opcode Fuzzy Hash: 12491bef4ab0a4b884fa91c290d745eb2f0abc335861a9f90ee3b6e5ff074560
Instruction Fuzzy Hash: 47F06D74A00244CFDB1EDF68E04C7A83BF1BB08305F4144AAE112E72D6C7744984CF11

Function 0633B028 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042dbd35b2f36f7aca290c81752a32fcebd25ae7a4eb4f38aa068b1931868edc
Instruction ID: f2cc5f2718b6505413c0004dd700c353de00c7ae269c4f8478b1d50b4dc031ae
Opcode Fuzzy Hash: 042dbd35b2f36f7aca290c81752a32fcebd25ae7a4eb4f38aa068b1931868edc
Instruction Fuzzy Hash: 11D0C9B610021C7B9B00DE89D840CEB776DEA89270B408506FD44573008671EC508AF4

Function 01101620 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd717ce1b831cff0fa8cb6a078301768192ea91c93974abb6ffbb66d972102c3
Instruction ID: 6a9ab6b9d0dc633d308c28958f0def0d51fab08b05e4836ac32e78e5ce943ac4
Opcode Fuzzy Hash: bd717ce1b831cff0fa8cb6a078301768192ea91c93974abb6ffbb66d972102c3
Instruction Fuzzy Hash: D8C0126208F3C82ED30313B22C264A13FBC880300871840C7E888C98A3C28D19998362

Function 063767B3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b613d80bd5253660aa133f0b170f754c7d52bae4619556672aa9bca311ecd614
Instruction ID: 89d80c621d7977c6761f8d88107f3d5d35d8a15f20aefa3494cbccf4098e0823
Opcode Fuzzy Hash: b613d80bd5253660aa133f0b170f754c7d52bae4619556672aa9bca311ecd614
Instruction Fuzzy Hash: D7E0E238A005088FC740CB68C995B8DBBF1AF8C300F208098E50AA7360C630EC008F50

Function 01102483 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfb013d66abec8aa8b187abd46536d75a6615f4c0cc500296f183314af169ce
Instruction ID: 2b2678a0350f2fdbd4bf080acce53e3f503a606c4cac4cb1bd4e796cf663ea4c
Opcode Fuzzy Hash: fdfb013d66abec8aa8b187abd46536d75a6615f4c0cc500296f183314af169ce
Instruction Fuzzy Hash: 6BD06C78D00208DBE72ADF88E08C7A87BB1BB05345F5484AAE221A6695C3B989D4CF11

Function 0633752E Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1591492283.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee64a97ef1314ba9b0989f9c7fa1c0b8b80d26be3f6b8b6e9a963f9534b5d509
Instruction ID: c1f0b56d83eb99792784fcaec8a9d6bcd412c442a74589899c488b64cf49c649
Opcode Fuzzy Hash: ee64a97ef1314ba9b0989f9c7fa1c0b8b80d26be3f6b8b6e9a963f9534b5d509
Instruction Fuzzy Hash: C9D01234E05224DFFB508B04C946EAC77F5EB8A204F104051D80533B94C6355D40CFD1

Function 011036C4 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5173c8ce4f96980b7c581e24af06e174f4702b0832d7f95a32dc643fe0ae1a6d
Instruction ID: f742b43b7d319157a79748264c0e8c6a1c69de4219dc93c1bf215ef51702bc5a
Opcode Fuzzy Hash: 5173c8ce4f96980b7c581e24af06e174f4702b0832d7f95a32dc643fe0ae1a6d
Instruction Fuzzy Hash: EBC08C38A0000CEFEF0E6BA0E9008FC7EB2FB4C318F840028F602B6291CB320D818B15

Function 06374869 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6802b27d97f02c13814a5ebebd563f388864cde111ad9d4e3a37373341d624ec
Instruction ID: 13b22ac63df5f6415c751e74803547e7a407b1fb87bced7d19a2d8b552144262
Opcode Fuzzy Hash: 6802b27d97f02c13814a5ebebd563f388864cde111ad9d4e3a37373341d624ec
Instruction Fuzzy Hash: B0C08CB001A302DFDB02AF60CC206863B68FF02204B088162985089817CB26AA1CCBDA

Function 01101698 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90381a800611aaf3e2528ee9fea72df9decfbbb7426667956060777dbb8f5ad
Instruction ID: cb813310e99682943a72cef4655a782578127e690437bf5017dbf5735c1535dd
Opcode Fuzzy Hash: e90381a800611aaf3e2528ee9fea72df9decfbbb7426667956060777dbb8f5ad
Instruction Fuzzy Hash: 45C08CA0E402881EDF46E3726C1C7282981A381308F089148C009BF2D2DBE900CC8305

Function 01105F10 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01cce74342aa5f2e0930a3ff5888253f4ba0d4d4a9b036b4662331b0e2ef05e3
Instruction ID: 8f01a37d552579e951b8919d52e12baa2d69bc7061b6a4a9fe61411ef7b57419
Opcode Fuzzy Hash: 01cce74342aa5f2e0930a3ff5888253f4ba0d4d4a9b036b4662331b0e2ef05e3
Instruction Fuzzy Hash: E3B0928180C2C20ACB13973164600603F605A5710879802DE88C4888A3A19B096A8606

Function 06372CD6 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1592146175.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b1fcacacf6694cde8040bbe1fac4bb7b0f18368f46d5e1d980c1e131d459da
Instruction ID: 6eb706a89928dc6d96b3fc53579796f8c30032512c88bcc7298ed216ad68cede
Opcode Fuzzy Hash: 82b1fcacacf6694cde8040bbe1fac4bb7b0f18368f46d5e1d980c1e131d459da
Instruction Fuzzy Hash: A0B09234A001098FE7908AD4C41439EB6A2AB86300F10902648096BA88DF7888429B92

Function 01101630 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e6d5789117d84c211830ebdbf569b0a650b17a917f08e74c782e9df963996a
Instruction ID: 79f3f09df42129e747e4f9462b999598e1e3ea01105953b5bcdd442ef2897282
Opcode Fuzzy Hash: e5e6d5789117d84c211830ebdbf569b0a650b17a917f08e74c782e9df963996a
Instruction Fuzzy Hash: 1B900473445F0CCF454077D77D0D575775CD7445157C00051F50D755115FD5745445D5

Function 01100890 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1568897937.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f4d91e31a308be0de39cabc2c5224fe019d77933c21eb165c0b1db43ac868d
Instruction ID: 492a9aef990e14207884fc58ce62417a6d239ac608915d306e9f544d8f12495b
Opcode Fuzzy Hash: 93f4d91e31a308be0de39cabc2c5224fe019d77933c21eb165c0b1db43ac868d
Instruction Fuzzy Hash: 87902232000A0C8F000023C23808880330C83000223800020A00C008000A8020800280

Analysis Process: Tcdyttxfbca.exePID: 4020, Parent PID: 3504COMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	92.7%
Signature Coverage:	0%
Total number of Nodes:	82
Total number of Limit Nodes:	9

Executed Functions

Function 05DECED0 Relevance: 1.6, APIs: 1, Instructions: 107
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05DECF8D

Memory Dump Source

Source File: 00000003.00000002.1610946258.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5de0000_Tcdyttxfbca.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 35343a7191cd71593d9f9cd3ae1009583c128791c752e3e4faa3f81dad807359
Instruction ID: ab4eaba8ef1d30cee6f848579b7e715530bb3488b525bce3831fe3b469b0a54b
Opcode Fuzzy Hash: 35343a7191cd71593d9f9cd3ae1009583c128791c752e3e4faa3f81dad807359
Instruction Fuzzy Hash: 2541A8B5D042589FCF10CFAAD880ADEFBB1BB49310F14942AE819B7310D775A945CF68

Function 05DECED8 Relevance: 1.6, APIs: 1, Instructions: 105
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05DECF8D

Memory Dump Source

Source File: 00000003.00000002.1610946258.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5de0000_Tcdyttxfbca.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 764772bc84fcb038019437ffd6098f470c19ed406532920b61a7a4948f028715
Instruction ID: b151dc09d7d679e88793caa7e78a1261d3ec1aceb4a04c5b36037f30122b8742
Opcode Fuzzy Hash: 764772bc84fcb038019437ffd6098f470c19ed406532920b61a7a4948f028715
Instruction Fuzzy Hash: 7D4197B5D052589FCF10CFAAD880AEEFBB1BB49310F14942AE819B7210D775A945CF68

Function 05DEE409 Relevance: 1.6, APIs: 1, Instructions: 84nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 05DEE49E

Memory Dump Source

Source File: 00000003.00000002.1610946258.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5de0000_Tcdyttxfbca.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 54d77f409d3156fde37e6b16a6453cd20573421bdd1b7a878b1ec5393b57ea9c
Instruction ID: 658acd7ce385e14aab6751c0ac97ee7ed019e7b4c1a98bc991dcbdb50b366115
Opcode Fuzzy Hash: 54d77f409d3156fde37e6b16a6453cd20573421bdd1b7a878b1ec5393b57ea9c
Instruction Fuzzy Hash: 9131B8B5D052189FDB10CFAAD880A9EFBF5FB49320F14842AE814B7240D775A945CF94

Function 05DEE410 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 05DEE49E

Memory Dump Source

Source File: 00000003.00000002.1610946258.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5de0000_Tcdyttxfbca.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 18a77088e90fa6fc8ebc5a167ecd274be53e00da1129fae99e435ff360a2e4e9
Instruction ID: 732eb7c97465d529d67dbbc87364f5e51d40e64ec8c2b34d0c846f838c367934
Opcode Fuzzy Hash: 18a77088e90fa6fc8ebc5a167ecd274be53e00da1129fae99e435ff360a2e4e9
Instruction Fuzzy Hash: E931C8B4D052189FCF10CFAAD880AAEFBF5FB49310F14842AE808B7200C775A945CF94

Function 05DED775 Relevance: 1.8, APIs: 1, Instructions: 263
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05DED9E7

Memory Dump Source

Source File: 00000003.00000002.1610946258.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5de0000_Tcdyttxfbca.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f5a547d7f020cdff7aab6d511b00454805caab484ac1e9e8ac337d4317b7c504
Instruction ID: 6d5fbceceb849c178ce9679f4b777b3c47e77d4cb8390827a5da5d84b0b16409
Opcode Fuzzy Hash: f5a547d7f020cdff7aab6d511b00454805caab484ac1e9e8ac337d4317b7c504
Instruction Fuzzy Hash: 77A10374D04318DFDB20EFA9C885BEDBBB2BB09300F14916AE859A7280DB749985CF55

Function 05DED780 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05DED9E7

Memory Dump Source

Source File: 00000003.00000002.1610946258.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5de0000_Tcdyttxfbca.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5fd10e33cd9c2fd18908cfa38ea972836509e54593361945d3faa460a793cb3d
Instruction ID: 3fdf9dbe809bf0e479f37de6d7c65c69b447ae712d93c181d98ff847e0a6b3ee
Opcode Fuzzy Hash: 5fd10e33cd9c2fd18908cfa38ea972836509e54593361945d3faa460a793cb3d
Instruction Fuzzy Hash: 82A10374D04318DFDB20EFA9C885BEDBBB2BB09300F14916AE859A7240DB749985CF55

Function 05DEE1F1 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05DEE2CB

Memory Dump Source

Source File: 00000003.00000002.1610946258.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5de0000_Tcdyttxfbca.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 95d6a86f896515a8dc0c33ea2a758e0e7f8706edd9706ec590d4be710aad4144
Instruction ID: 72b8f51834d9682c9881285831318cf0569e04e1cc11d006f5d14a0b4ed99d8d
Opcode Fuzzy Hash: 95d6a86f896515a8dc0c33ea2a758e0e7f8706edd9706ec590d4be710aad4144
Instruction Fuzzy Hash: 9D41A8B5D052589FCF00CFA9D984AEEBBF1FB09310F24942AE818B7250D375AA45CF64

Function 05DEE1F8 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05DEE2CB

Memory Dump Source

Source File: 00000003.00000002.1610946258.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5de0000_Tcdyttxfbca.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bebcdd418385ce804e015beeef4aca00de7c77b2186b0ce7084e66d0a3c036f4
Instruction ID: 101925254f5961c332706cd0901672c7933179c7ac0487eabd4aada2d5c7babc
Opcode Fuzzy Hash: bebcdd418385ce804e015beeef4aca00de7c77b2186b0ce7084e66d0a3c036f4
Instruction Fuzzy Hash: 8B41A8B5D052589FCF00CFA9D984AEEBBF1FB09310F14942AE818B7250C375AA45CB64

Function 05DEE090 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05DEE142

Memory Dump Source

Source File: 00000003.00000002.1610946258.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5de0000_Tcdyttxfbca.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1c629de847fe9a9b3b0d24b5a76f8d18a74a9e95ba23a06401cdc86cab03ef02
Instruction ID: fde15322f5ff64d591942fd09fcd43846c0588aed541df5d81452a90505a315e
Opcode Fuzzy Hash: 1c629de847fe9a9b3b0d24b5a76f8d18a74a9e95ba23a06401cdc86cab03ef02
Instruction Fuzzy Hash: BA31A6B9D05258DFCF10CFA9D880A9EBBB5FB09310F10942AE814BB300D735A946CF58

Function 05DEE098 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05DEE142

Memory Dump Source

Source File: 00000003.00000002.1610946258.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5de0000_Tcdyttxfbca.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 97bd51b7bd32d3795ec79448e9ab047dd10007ddbd1ad15ccf2d6ca682a8fc58
Instruction ID: 099382ec567c9f4dbb5a373aff95614770cdd7ef976654842c9ac42c21b9e09f
Opcode Fuzzy Hash: 97bd51b7bd32d3795ec79448e9ab047dd10007ddbd1ad15ccf2d6ca682a8fc58
Instruction Fuzzy Hash: 8B3197B9D052589FCF10CFA9D880A9EFBB5FB09310F14942AE815BB310D775A945CF58

Function 05DEE6E1 Relevance: 1.6, APIs: 1, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05DEE78C

Memory Dump Source

Source File: 00000003.00000002.1610946258.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5de0000_Tcdyttxfbca.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 21da0d9bd23dee08f89ba2251eada033b2883ea0f2f66aba24e3340ea983b372
Instruction ID: 49315f9f9eb8487abb51e08ab84c3d6eb04c8aa8f9ad32ec7005fecd455ce5a1
Opcode Fuzzy Hash: 21da0d9bd23dee08f89ba2251eada033b2883ea0f2f66aba24e3340ea983b372
Instruction Fuzzy Hash: F231CAB5D042589FCF10DFA9D884AEEFBB1FB09310F14942AE815B7210D775A945CF98

Function 05DEE6E8 Relevance: 1.6, APIs: 1, Instructions: 98
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05DEE78C

Memory Dump Source

Source File: 00000003.00000002.1610946258.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5de0000_Tcdyttxfbca.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a3de8e4cd46f813da29fb96b6fa306f185ec9b42cfccc6341c7d19b0567ba039
Instruction ID: 94868dbdad5fcc214ad59eb897746497e1fd6cbb9b49db2c0e45548e85b3d27d
Opcode Fuzzy Hash: a3de8e4cd46f813da29fb96b6fa306f185ec9b42cfccc6341c7d19b0567ba039
Instruction Fuzzy Hash: D531C9B9D042589FCF10DFAAD884AEEFBB1FB09310F14942AE815B7210D775A945CF98

Function 05DEDB30 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05DEDBE7

Memory Dump Source

Source File: 00000003.00000002.1610946258.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5de0000_Tcdyttxfbca.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 43d5d51fade466c8f0dcbd63441b7b41e8c1aced0afc35edf3c0bdafa47d1573
Instruction ID: 2623f9e417c126816105f0d119b53b2250f3a2c00f6aea87afccab385d5776a1
Opcode Fuzzy Hash: 43d5d51fade466c8f0dcbd63441b7b41e8c1aced0afc35edf3c0bdafa47d1573
Instruction Fuzzy Hash: 9141CDB5D052189FDB10DFA9D885AEEFBF1BF49310F14802AE405B7240D778A945CF54

Function 05DBD980 Relevance: 1.6, APIs: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05DBDA24

Memory Dump Source

Source File: 00000003.00000002.1610576468.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5db0000_Tcdyttxfbca.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 812d27cd4b44ec22f7a3b2aa81f178c9c897d7a3991b0bd06c90d251d79078e8
Instruction ID: bf57c62b2416cff776e63155c4df6ee3a3d0a1e6bc4b016b86cd0bbc3e906a4e
Opcode Fuzzy Hash: 812d27cd4b44ec22f7a3b2aa81f178c9c897d7a3991b0bd06c90d251d79078e8
Instruction Fuzzy Hash: 7431A7B4D05208EFDF10CFA9D880AEEFBB1BB09310F14942AE819B7210D775A945CF94

Function 05DEDB38 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05DEDBE7

Memory Dump Source

Source File: 00000003.00000002.1610946258.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5de0000_Tcdyttxfbca.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 49a4eb58f55c7a084d3590a89b5430ed5f6eb5f89fc6f62d41fcb9c4e9591f8a
Instruction ID: b57ea97a951e0d8eb5afbd2848569a65ee9a8868a29ae7aa48cbc60ff9959e2a
Opcode Fuzzy Hash: 49a4eb58f55c7a084d3590a89b5430ed5f6eb5f89fc6f62d41fcb9c4e9591f8a
Instruction Fuzzy Hash: F331DBB4D042189FDB10DFAAD884AEEFBF1BF49310F24802AE408B7240D778A985CF54

Function 05DBEB48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 05DBEBE7

Memory Dump Source

Source File: 00000003.00000002.1610576468.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5db0000_Tcdyttxfbca.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 36e19b9db786d0bb1d1fe2cfb6f54b83cde70d4829df9b099998ac9354dcd86b
Instruction ID: 25da3c071c57e11c4516b49eb5333772e2ef285c4673cfa55e7224e82afbc39e
Opcode Fuzzy Hash: 36e19b9db786d0bb1d1fe2cfb6f54b83cde70d4829df9b099998ac9354dcd86b
Instruction Fuzzy Hash: 4D31A7B8D04208EFDF10CFA9D880AEEFBB5EB09310F14942AE815B7210C775A945CF98

Function 0602F898 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74567b399484738e1aa99dc69e2d01e4a8f1e142d622eda06c297e9b9554791a
Instruction ID: 4e5816f4aeb3321d1f89e20abb39fa81ca82c21d748b51b3326cb3dfe823f799
Opcode Fuzzy Hash: 74567b399484738e1aa99dc69e2d01e4a8f1e142d622eda06c297e9b9554791a
Instruction Fuzzy Hash: 2EA19A31B8121A9FDB55CFA8E458AADBBF6EF89351F14806AE815DB380CB31DD41CB50

Function 05D025F0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1610304323.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d00000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1797433929b00fedf0d46d5933fe174f791a0cbce0ece34e46de42ee5eecf5aa
Instruction ID: a80846df436fbf63a052360d9eb42a1d510ea6b561b7c1b2afb0e98623833732
Opcode Fuzzy Hash: 1797433929b00fedf0d46d5933fe174f791a0cbce0ece34e46de42ee5eecf5aa
Instruction Fuzzy Hash: 3D910978E06218DFCB14DFA8E5587ADBBB2FB89314F60501AE446AB384CB349E45CF51

Function 0602F528 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37e8b62b067451930fd0101ea6c677a93bc7a0b80392a800f6112024baeaa44
Instruction ID: a2be5f7d77286db9b9394e80a35f8534e5d1aed4482f4ffd53d2a250ce646b5d
Opcode Fuzzy Hash: a37e8b62b067451930fd0101ea6c677a93bc7a0b80392a800f6112024baeaa44
Instruction Fuzzy Hash: 5F51AF31A402268FCB10DF68C484A6AFBB5FF89350F55856AE529AB291D730FC51CBD4

Function 06028968 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abe0f59e4bba36466f8af0a100b81c2692bb46c18bed04691fd037c92b90907
Instruction ID: 35cdee33cf2fa85dbe41945753c53abe4171c06a4daeda3e4a212d005b7e5817
Opcode Fuzzy Hash: 2abe0f59e4bba36466f8af0a100b81c2692bb46c18bed04691fd037c92b90907
Instruction Fuzzy Hash: 8B51CD78D4022ACFDB88DFA9D8446EEBBF2FF89305F54812AE415B7240D7745989CB81

Function 06011EB2 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f03842210a0aebe103d83c1a8b918dc5867f768a02c8d9e75eeaec12838e65
Instruction ID: 1acdb955ad71aae6149c7040674b3d837865c3507a26d3e0548ddc0cffcbaf4d
Opcode Fuzzy Hash: b9f03842210a0aebe103d83c1a8b918dc5867f768a02c8d9e75eeaec12838e65
Instruction Fuzzy Hash: AB317078A056289FCB64DF68D894A9ABBF5FB48315F1041DAE80DAB351D734AEC0CF40

Function 0602F320 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd4bcdb909f68a4dc84b161defd57dbcff4d7990024d5c03646185d1a328b26
Instruction ID: ac1d6fa56fcda97179eec0cd38b1425697569bed53b045ec89d331a9d01d8f0b
Opcode Fuzzy Hash: 6cd4bcdb909f68a4dc84b161defd57dbcff4d7990024d5c03646185d1a328b26
Instruction Fuzzy Hash: 55012176350219AFDB108E59DC85F9E7BADFB88B21F108066FA15CF290CAB1D8108B50

Function 0602DDC8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2880a00244afa4fef2bae0652d55716ef3961e048fa908125b1e988c9bf2b38e
Instruction ID: 19bd79185551a4165296713c697b21b5efd42f9d8a0cc19ea6f4b2605ddd9816
Opcode Fuzzy Hash: 2880a00244afa4fef2bae0652d55716ef3961e048fa908125b1e988c9bf2b38e
Instruction Fuzzy Hash: 1811F3B0E0021ADFDB48EFE9C9417BEBBF1BF88300F20846AD419A7344DA345A418B91

Function 0602A408 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a1ff5782e8161cf33727fe07066ad5f46cd8911c3f299d81bdc3e21d903419
Instruction ID: 9cc0882fd1ec8c2cc68cf3278ed20413db868d1d0fd20eee16e3cd797482075b
Opcode Fuzzy Hash: 11a1ff5782e8161cf33727fe07066ad5f46cd8911c3f299d81bdc3e21d903419
Instruction Fuzzy Hash: 28F04470E85219DFDB84EFB5C4482ADBFF9BF89600F4084AAC419D3204EE708540CF40

Function 06014915 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7c2c8d178fd7cc0c1cda50580ba92021022c7444a74168eb3dd1dff461aa4e
Instruction ID: 5afee0340d0446e8fcb5b2e804629322c6bf4a8c165e2dd6800d4cd571800c53
Opcode Fuzzy Hash: 9a7c2c8d178fd7cc0c1cda50580ba92021022c7444a74168eb3dd1dff461aa4e
Instruction Fuzzy Hash: 3C01CCB8949228CFD7A8DF58D895A99FBB5FB88304F1040D9D50AAB354CB349E85CF44

Function 06013E11 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8717b8cf372a8d50a0a98c942bf37e3bcaaeac10c5fdbf9da5edbb6e367e1d0b
Instruction ID: 9a28b11e8dccfd0c1eccf91437d7744de475b10038058dd178059e21e0d14315
Opcode Fuzzy Hash: 8717b8cf372a8d50a0a98c942bf37e3bcaaeac10c5fdbf9da5edbb6e367e1d0b
Instruction Fuzzy Hash: 7BF05E78A04228AFC754EF58CC899D9BBB5FB88304F0401D4E01AAB354CB35AEC9CF55

Function 06024E90 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec604dcd27adadf669f6bb395136c6a3bf5e9adfbc6bbb26283ab96c7f4ad60e
Instruction ID: c8fc0e234b5ad8af1cc039e9a22854c7443b665543e5b74ba46affd53dd3fdcb
Opcode Fuzzy Hash: ec604dcd27adadf669f6bb395136c6a3bf5e9adfbc6bbb26283ab96c7f4ad60e
Instruction Fuzzy Hash: 5FE03274E04208EFCB84DFA8C440AACBBF4EF48300F10C0AA9808A3300E6319A41DF80

Function 060292C8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec604dcd27adadf669f6bb395136c6a3bf5e9adfbc6bbb26283ab96c7f4ad60e
Instruction ID: 14ef22a6e558a708fd2e2abce6bbe9f50db7c6659694f5216472c8cb45a2e280
Opcode Fuzzy Hash: ec604dcd27adadf669f6bb395136c6a3bf5e9adfbc6bbb26283ab96c7f4ad60e
Instruction Fuzzy Hash: EAE0ED74D44208EFCB84DFA9D540AACFBF4EF49310F14C0A9984893340D635AE55DF84

Function 0602ADF8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec604dcd27adadf669f6bb395136c6a3bf5e9adfbc6bbb26283ab96c7f4ad60e
Instruction ID: 79500c0c0ffd106ac785ae97359581a714120a9b096b8e4bbe9dc4215e66ca36
Opcode Fuzzy Hash: ec604dcd27adadf669f6bb395136c6a3bf5e9adfbc6bbb26283ab96c7f4ad60e
Instruction Fuzzy Hash: 01E0C274E44218EFCB84DFA8D541AADBBF4EF49310F14C0AA9808A3341EA359E52DF94

Function 060148D7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c8eab71094ca1d2161637d81c35ae131eae08ba8412ab46c6ae434e8417a03
Instruction ID: 650b9d8649d6f3a6cc4cbb5758f8dc30efa475eb2c8d563eedf08485a77ac2d1
Opcode Fuzzy Hash: 46c8eab71094ca1d2161637d81c35ae131eae08ba8412ab46c6ae434e8417a03
Instruction Fuzzy Hash: 4FF0F4B8945258DFC794DF24D889698FFB1FB49308F0040D9D54AEB245CB799E88CF54

Function 06028918 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a2ae1b56f29fd1fad90a856a27800e519148d2ca523b7bdb26606ad7be87ba
Instruction ID: a63de8c3bb860d6fd5780e8d50d45738e4260061122aa95a75d7c074f94a14a5
Opcode Fuzzy Hash: 68a2ae1b56f29fd1fad90a856a27800e519148d2ca523b7bdb26606ad7be87ba
Instruction Fuzzy Hash: BDE0E574E44208EFCB84DFA8D5406ACBBF4EF49314F14C0ED880893340D6359A56CF81

Function 0602EAD8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d36637219e2487d99e1d9337d66ce21883fa568208db0a34fd9f146d487b2ce
Instruction ID: 67ecf417834e9412b2bc7e61a18246aea523054833fad85103f1c9e33be0380b
Opcode Fuzzy Hash: 5d36637219e2487d99e1d9337d66ce21883fa568208db0a34fd9f146d487b2ce
Instruction Fuzzy Hash: 52E02674848228EFC744CFA4D440A7CBFB8AF46300F14C09DD80857340C672AE41DB94

Function 06027AD8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3323a67b58d167455f41debd884bc61470ceaacce823f59437be925a2872f2a7
Instruction ID: 0d6766ea5f44c512ac8c79c9f63f486cbe98d0f83b0276e12d70f702cd9c34f8
Opcode Fuzzy Hash: 3323a67b58d167455f41debd884bc61470ceaacce823f59437be925a2872f2a7
Instruction Fuzzy Hash: 17E01A34D44258EFCB54DFA8D5416ACBBB8AF89310F1480ADC80857341D6769A41DB85

Function 0602CCE0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80fecb908823949e50f8c1f71d8185e0edd6a3d9791420192d3db08f2945b13
Instruction ID: 870deeb289d769ebd05da44ae6167f910af3bbff50de78d826f0b855d34a744e
Opcode Fuzzy Hash: a80fecb908823949e50f8c1f71d8185e0edd6a3d9791420192d3db08f2945b13
Instruction Fuzzy Hash: 33E0C234948208DFDB88DFA4D54066CFBB9EF46300F24849ECC0927340C6315E42CB84

Function 06016ED6 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfb785de069a32337b3aeffbcedae6543f45d22625705db20b53ccbda0f23a7
Instruction ID: 15a224af446f0c10a998d9f0b110c382ad8fe89ee2fc86135e9c34a07cb77adb
Opcode Fuzzy Hash: 1cfb785de069a32337b3aeffbcedae6543f45d22625705db20b53ccbda0f23a7
Instruction Fuzzy Hash: 7EE0E5B4A4021A9FC764DF58C845A99B7B5FB48304F0141E8E119AB351CF345DC4CF15

Function 0602D100 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1611768630.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6010000_Tcdyttxfbca.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc00941e222108a251202dc33e6229c1cc72afadf8916e7d853e59ec6acf16d
Instruction ID: 405cff0548dac5437f0fd517865909b3572781e6617cdaca065b374740a37c92
Opcode Fuzzy Hash: edc00941e222108a251202dc33e6229c1cc72afadf8916e7d853e59ec6acf16d
Instruction Fuzzy Hash: 3CC02B310CA7159FD7DC1650740F374BBDC8F03712F042814D20C028928AA0C8C4C3A8

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nDHL_AWB_6078538091_scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe

C:\Users\user\AppData\Roaming\Tcdyttxfbca.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
nDHL_AWB_6078538091_scr.exe

Function 06069C90 Relevance: 1.8, Strings: 1, Instructions: 544
COMMON

Function 0606CED0 Relevance: 1.6, APIs: 1, Instructions: 107
nativeCOMMON

Function 0606CED8 Relevance: 1.6, APIs: 1, Instructions: 105
nativeCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre