Edit tour

Windows Analysis Report
tJzfnaqOxj.exe

Overview

General Information

Sample name:	tJzfnaqOxj.exe renamed because original name is a hash value
Original sample name:	a516ee0eb4804ca7f6991b4d631305dd3ee0611b9c5612567720e8c403795714.exe
Analysis ID:	1562383
MD5:	645b21c9a9f4b1d500e490ea0186cef5
SHA1:	af4f8a87517cedd096b05ad9819173a28b50816f
SHA256:	a516ee0eb4804ca7f6991b4d631305dd3ee0611b9c5612567720e8c403795714
Tags:	cia-tfexeuser-JAMESWT_MHT
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

tJzfnaqOxj.exe (PID: 3340 cmdline: "C:\Users\user\Desktop\tJzfnaqOxj.exe" MD5: 645B21C9A9F4B1D500E490EA0186CEF5)

InstallUtil.exe (PID: 3428 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

wscript.exe (PID: 3576 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

SyncRoot.exe (PID: 5420 cmdline: "C:\Users\user\AppData\Roaming\SyncRoot.exe" MD5: 645B21C9A9F4B1D500E490EA0186CEF5)

InstallUtil.exe (PID: 3600 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "sendpcamill@juguly.shop", "Password": "rEBS93U9rKLG", "Host": "juguly.shop", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3984677313.0000000003481000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.3983615017.00000000032FE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x248:$x1: $%SMTPDV$ 0x2ae:$x2: $#TheHashHere%& 0x18bf:$x3: %FTPDV$ 0x19b3:$x4: $%TelegramDv$ 0x18e3:$m2: Clipboard Logs ID 0x1b03:$m2: Screenshot Logs ID 0x1c13:$m2: keystroke Logs ID 0x1eed:$m3: SnakePW 0x1adb:$m4: \SnakeKeylogger\
00000002.00000002.3979235025.0000000000415000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1885:$a1: get_encryptedPassword 0x1b71:$a2: get_encryptedUsername 0x1691:$a3: get_timePasswordChanged 0x178c:$a4: get_passwordField 0x189b:$a5: set_encryptedPassword 0x2f18:$a7: get_logins 0x2e7b:$a10: KeyLoggerEventArgs 0x2ae6:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1507240597.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1523355462.0000000006010000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.1617371931.0000000002871000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x63ad5:$a1: get_encryptedPassword 0x842f5:$a1: get_encryptedPassword 0x63dc1:$a2: get_encryptedUsername 0x845e1:$a2: get_encryptedUsername 0x638e1:$a3: get_timePasswordChanged 0x84101:$a3: get_timePasswordChanged 0x639dc:$a4: get_passwordField 0x841fc:$a4: get_passwordField 0x63aeb:$a5: set_encryptedPassword 0x8430b:$a5: set_encryptedPassword 0x65168:$a7: get_logins 0x85988:$a7: get_logins 0x650cb:$a10: KeyLoggerEventArgs 0x858eb:$a10: KeyLoggerEventArgs 0x64d36:$a11: KeyLoggerEventArgsEventHandler 0x85556:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x67498:$x1: $%SMTPDV$ 0x87cb8:$x1: $%SMTPDV$ 0x674fe:$x2: $#TheHashHere%& 0x87d1e:$x2: $#TheHashHere%& 0x68b0f:$x3: %FTPDV$ 0x8932f:$x3: %FTPDV$ 0x68c03:$x4: $%TelegramDv$ 0x89423:$x4: $%TelegramDv$ 0x64d36:$x5: KeyLoggerEventArgs 0x650cb:$x5: KeyLoggerEventArgs 0x85556:$x5: KeyLoggerEventArgs 0x858eb:$x5: KeyLoggerEventArgs 0x68b33:$m2: Clipboard Logs ID 0x68d53:$m2: Screenshot Logs ID 0x68e63:$m2: keystroke Logs ID 0x89353:$m2: Clipboard Logs ID 0x89573:$m2: Screenshot Logs ID 0x89683:$m2: keystroke Logs ID 0x6913d:$m3: SnakePW 0x8995d:$m3: SnakePW 0x68d2b:$m4: \SnakeKeylogger\
00000005.00000002.3983615017.0000000003141000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3984677313.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: tJzfnaqOxj.exe PID: 3340	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: tJzfnaqOxj.exe PID: 3340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tJzfnaqOxj.exe PID: 3340	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tJzfnaqOxj.exe PID: 3340	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: tJzfnaqOxj.exe PID: 3340	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf2fb4:$a1: get_encryptedPassword 0xf3183:$a2: get_encryptedUsername 0xf2ddd:$a3: get_timePasswordChanged 0xf2ecc:$a4: get_passwordField 0xf2fca:$a5: set_encryptedPassword 0xf4dc0:$a7: get_logins 0xf4d2d:$a10: KeyLoggerEventArgs 0xf4a56:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: tJzfnaqOxj.exe PID: 3340	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf4a56:$x5: KeyLoggerEventArgs 0xf4d2d:$x5: KeyLoggerEventArgs 0xf56f0:$x5: KeyLoggerEventArgs 0xf5a51:$x5: KeyLoggerEventArgs 0xf6d6e:$m2: Clipboard Logs ID 0xf6e65:$m2: Screenshot Logs ID 0xf6ebb:$m2: keystroke Logs ID 0xf6ff0:$m3: SnakePW 0xf6e51:$m4: \SnakeKeylogger\
Process Memory Space: InstallUtil.exe PID: 3428	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 3428	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: InstallUtil.exe PID: 3428	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf5ac:$a1: get_encryptedPassword 0xf88e:$a2: get_encryptedUsername 0xf3c2:$a3: get_timePasswordChanged 0xf4bd:$a4: get_passwordField 0xf5c2:$a5: set_encryptedPassword 0x11a98:$a7: get_logins 0x119fb:$a10: KeyLoggerEventArgs 0x11666:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 3428	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x11666:$x5: KeyLoggerEventArgs 0x119fb:$x5: KeyLoggerEventArgs 0x125d4:$x5: KeyLoggerEventArgs 0x12935:$x5: KeyLoggerEventArgs 0x98e1:$m2: Clipboard Logs ID 0x99d8:$m2: Screenshot Logs ID 0x9a2e:$m2: keystroke Logs ID 0x9b63:$m3: SnakePW 0x99c4:$m4: \SnakeKeylogger\
Process Memory Space: SyncRoot.exe PID: 5420	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: SyncRoot.exe PID: 5420	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 3600	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 3600	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.tJzfnaqOxj.exe.6010000.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.tJzfnaqOxj.exe.3e2a050.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.tJzfnaqOxj.exe.3e2a050.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.tJzfnaqOxj.exe.3e2a050.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c85:$a1: get_encryptedPassword 0x12f71:$a2: get_encryptedUsername 0x12a91:$a3: get_timePasswordChanged 0x12b8c:$a4: get_passwordField 0x12c9b:$a5: set_encryptedPassword 0x14318:$a7: get_logins 0x1427b:$a10: KeyLoggerEventArgs 0x13ee6:$a11: KeyLoggerEventArgsEventHandler
2.2.InstallUtil.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a85:$a1: get_encryptedPassword 0x14d71:$a2: get_encryptedUsername 0x14891:$a3: get_timePasswordChanged 0x1498c:$a4: get_passwordField 0x14a9b:$a5: set_encryptedPassword 0x16118:$a7: get_logins 0x1607b:$a10: KeyLoggerEventArgs 0x15ce6:$a11: KeyLoggerEventArgsEventHandler
0.2.tJzfnaqOxj.exe.3e2a050.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a6af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d14:$a4: \Orbitum\User Data\Default\Login Data 0x1ad53:$a5: \Kometa\User Data\Default\Login Data
2.2.InstallUtil.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c4af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb14:$a4: \Orbitum\User Data\Default\Login Data 0x1cb53:$a5: \Kometa\User Data\Default\Login Data
0.2.tJzfnaqOxj.exe.3e2a050.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1385c:$s1: UnHook 0x13863:$s2: SetHook 0x1386b:$s3: CallNextHook 0x13878:$s4: _hook
2.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1565c:$s1: UnHook 0x15663:$s2: SetHook 0x1566b:$s3: CallNextHook 0x15678:$s4: _hook
2.2.InstallUtil.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18448:$x1: $%SMTPDV$ 0x184ae:$x2: $#TheHashHere%& 0x19abf:$x3: %FTPDV$ 0x19bb3:$x4: $%TelegramDv$ 0x15ce6:$x5: KeyLoggerEventArgs 0x1607b:$x5: KeyLoggerEventArgs 0x19ae3:$m2: Clipboard Logs ID 0x19d03:$m2: Screenshot Logs ID 0x19e13:$m2: keystroke Logs ID 0x1a0ed:$m3: SnakePW 0x19cdb:$m4: \SnakeKeylogger\
0.2.tJzfnaqOxj.exe.3e2a050.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16648:$x1: $%SMTPDV$ 0x166ae:$x2: $#TheHashHere%& 0x17cbf:$x3: %FTPDV$ 0x17db3:$x4: $%TelegramDv$ 0x13ee6:$x5: KeyLoggerEventArgs 0x1427b:$x5: KeyLoggerEventArgs 0x17ce3:$m2: Clipboard Logs ID 0x17f03:$m2: Screenshot Logs ID 0x18013:$m2: keystroke Logs ID 0x182ed:$m3: SnakePW 0x17edb:$m4: \SnakeKeylogger\
0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a85:$a1: get_encryptedPassword 0x352a5:$a1: get_encryptedPassword 0x14d71:$a2: get_encryptedUsername 0x35591:$a2: get_encryptedUsername 0x14891:$a3: get_timePasswordChanged 0x350b1:$a3: get_timePasswordChanged 0x1498c:$a4: get_passwordField 0x351ac:$a4: get_passwordField 0x14a9b:$a5: set_encryptedPassword 0x352bb:$a5: set_encryptedPassword 0x16118:$a7: get_logins 0x36938:$a7: get_logins 0x1607b:$a10: KeyLoggerEventArgs 0x3689b:$a10: KeyLoggerEventArgs 0x15ce6:$a11: KeyLoggerEventArgsEventHandler 0x36506:$a11: KeyLoggerEventArgsEventHandler
0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c4af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cccf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bf01:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb14:$a4: \Orbitum\User Data\Default\Login Data 0x3c334:$a4: \Orbitum\User Data\Default\Login Data 0x1cb53:$a5: \Kometa\User Data\Default\Login Data 0x3d373:$a5: \Kometa\User Data\Default\Login Data
0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1565c:$s1: UnHook 0x35e7c:$s1: UnHook 0x15663:$s2: SetHook 0x35e83:$s2: SetHook 0x1566b:$s3: CallNextHook 0x35e8b:$s3: CallNextHook 0x15678:$s4: _hook 0x35e98:$s4: _hook
0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18448:$x1: $%SMTPDV$ 0x38c68:$x1: $%SMTPDV$ 0x184ae:$x2: $#TheHashHere%& 0x38cce:$x2: $#TheHashHere%& 0x19abf:$x3: %FTPDV$ 0x3a2df:$x3: %FTPDV$ 0x19bb3:$x4: $%TelegramDv$ 0x3a3d3:$x4: $%TelegramDv$ 0x15ce6:$x5: KeyLoggerEventArgs 0x1607b:$x5: KeyLoggerEventArgs 0x36506:$x5: KeyLoggerEventArgs 0x3689b:$x5: KeyLoggerEventArgs 0x19ae3:$m2: Clipboard Logs ID 0x19d03:$m2: Screenshot Logs ID 0x19e13:$m2: keystroke Logs ID 0x3a303:$m2: Clipboard Logs ID 0x3a523:$m2: Screenshot Logs ID 0x3a633:$m2: keystroke Logs ID 0x1a0ed:$m3: SnakePW 0x3a90d:$m3: SnakePW 0x19cdb:$m4: \SnakeKeylogger\
0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x632a5:$a1: get_encryptedPassword 0x83ac5:$a1: get_encryptedPassword 0x63591:$a2: get_encryptedUsername 0x83db1:$a2: get_encryptedUsername 0x630b1:$a3: get_timePasswordChanged 0x838d1:$a3: get_timePasswordChanged 0x631ac:$a4: get_passwordField 0x839cc:$a4: get_passwordField 0x632bb:$a5: set_encryptedPassword 0x83adb:$a5: set_encryptedPassword 0x64938:$a7: get_logins 0x85158:$a7: get_logins 0x6489b:$a10: KeyLoggerEventArgs 0x850bb:$a10: KeyLoggerEventArgs 0x64506:$a11: KeyLoggerEventArgsEventHandler 0x84d26:$a11: KeyLoggerEventArgsEventHandler
0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x6accf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x8b4ef:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x69f01:$a3: \Google\Chrome\User Data\Default\Login Data 0x8a721:$a3: \Google\Chrome\User Data\Default\Login Data 0x6a334:$a4: \Orbitum\User Data\Default\Login Data 0x8ab54:$a4: \Orbitum\User Data\Default\Login Data 0x6b373:$a5: \Kometa\User Data\Default\Login Data 0x8bb93:$a5: \Kometa\User Data\Default\Login Data
0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x63e7c:$s1: UnHook 0x8469c:$s1: UnHook 0x63e83:$s2: SetHook 0x846a3:$s2: SetHook 0x63e8b:$s3: CallNextHook 0x846ab:$s3: CallNextHook 0x63e98:$s4: _hook 0x846b8:$s4: _hook
0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x66c68:$x1: $%SMTPDV$ 0x87488:$x1: $%SMTPDV$ 0x66cce:$x2: $#TheHashHere%& 0x874ee:$x2: $#TheHashHere%& 0x682df:$x3: %FTPDV$ 0x88aff:$x3: %FTPDV$ 0x683d3:$x4: $%TelegramDv$ 0x88bf3:$x4: $%TelegramDv$ 0x64506:$x5: KeyLoggerEventArgs 0x6489b:$x5: KeyLoggerEventArgs 0x84d26:$x5: KeyLoggerEventArgs 0x850bb:$x5: KeyLoggerEventArgs 0x68303:$m2: Clipboard Logs ID 0x68523:$m2: Screenshot Logs ID 0x68633:$m2: keystroke Logs ID 0x88b23:$m2: Clipboard Logs ID 0x88d43:$m2: Screenshot Logs ID 0x88e53:$m2: keystroke Logs ID 0x6890d:$m3: SnakePW 0x8912d:$m3: SnakePW 0x684fb:$m4: \SnakeKeylogger\
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs" , ProcessId: 3576, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs" , ProcessId: 3576, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\tJzfnaqOxj.exe, ProcessId: 3340, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T15:00:32.917968+0100	2803305	3	Unknown Traffic	192.168.2.8	49716	172.67.177.134	443	TCP
2024-11-25T15:00:36.801093+0100	2803305	3	Unknown Traffic	192.168.2.8	49722	172.67.177.134	443	TCP
2024-11-25T15:00:36.963742+0100	2803305	3	Unknown Traffic	192.168.2.8	49723	172.67.177.134	443	TCP
2024-11-25T15:00:40.777333+0100	2803305	3	Unknown Traffic	192.168.2.8	49727	172.67.177.134	443	TCP
2024-11-25T15:00:43.095982+0100	2803305	3	Unknown Traffic	192.168.2.8	49730	172.67.177.134	443	TCP
2024-11-25T15:00:50.520080+0100	2803305	3	Unknown Traffic	192.168.2.8	49737	172.67.177.134	443	TCP
2024-11-25T15:00:52.261863+0100	2803305	3	Unknown Traffic	192.168.2.8	49739	172.67.177.134	443	TCP
2024-11-25T15:00:55.442168+0100	2803305	3	Unknown Traffic	192.168.2.8	49743	172.67.177.134	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T15:00:27.514714+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49714	193.122.130.0	80	TCP
2024-11-25T15:00:30.874029+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49714	193.122.130.0	80	TCP
2024-11-25T15:00:33.061554+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49717	193.122.130.0	80	TCP
2024-11-25T15:00:35.170914+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49717	193.122.130.0	80	TCP
2024-11-25T15:00:35.233415+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49718	193.122.130.0	80	TCP
2024-11-25T15:00:39.077174+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49724	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sendpcamill@juguly.shop", "Password": "rEBS93U9rKLG", "Host": "juguly.shop", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SyncRoot.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: tJzfnaqOxj.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\SyncRoot.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: tJzfnaqOxj.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: tJzfnaqOxj.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.8:49715 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.8:49720 version: TLS 1.0

Source: tJzfnaqOxj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: tJzfnaqOxj.exe, 00000000.00000002.1523738133.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: tJzfnaqOxj.exe, 00000000.00000002.1523738133.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0183F206h	2_2_0183F017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0183FB90h	2_2_0183F017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0183E538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0183EB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0183ED4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D21A38h	2_2_06D21620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D202F1h	2_2_06D20040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D21471h	2_2_06D211C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2D1A1h	2_2_06D2CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2CD49h	2_2_06D2CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2C8F1h	2_2_06D2C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2FD11h	2_2_06D2FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2F8B9h	2_2_06D2F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2DA51h	2_2_06D2D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2D5F9h	2_2_06D2D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2B791h	2_2_06D2B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2E759h	2_2_06D2E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D20751h	2_2_06D204A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2E301h	2_2_06D2E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2DEA9h	2_2_06D2DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2C499h	2_2_06D2C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2C041h	2_2_06D2BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2F461h	2_2_06D2F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2BBE9h	2_2_06D2B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D21011h	2_2_06D20D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2F009h	2_2_06D2ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D21A38h	2_2_06D21966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D20BB1h	2_2_06D20900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D2EBB1h	2_2_06D2E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D58945h	2_2_06D58608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D50741h	2_2_06D50498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D56171h	2_2_06D55EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D55D19h	2_2_06D55A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D558C1h	2_2_06D55618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D56E79h	2_2_06D56BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06D533B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06D533A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D56A21h	2_2_06D56778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D565C9h	2_2_06D56320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D50B99h	2_2_06D508F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D57751h	2_2_06D574A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D572FAh	2_2_06D57050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D502E9h	2_2_06D50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D55441h	2_2_06D55198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D58459h	2_2_06D581B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D58001h	2_2_06D57D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D50FF1h	2_2_06D50D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06D57BA9h	2_2_06D57900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 014DF055h	5_2_014DEE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 014DF9DFh	5_2_014DEE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_014DE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_014DE9BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_014DEB9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AB1A38h	5_2_06AB1620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABDA51h	5_2_06ABD7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AB02F1h	5_2_06AB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AB1471h	5_2_06AB11C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABD1A1h	5_2_06ABCEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABF8B9h	5_2_06ABF610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABC8F1h	5_2_06ABC648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AB0751h	5_2_06AB04A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABE759h	5_2_06ABE4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABB791h	5_2_06ABB4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABDEA9h	5_2_06ABDC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABC041h	5_2_06ABBD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AB1011h	5_2_06AB0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABF009h	5_2_06ABED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABCD49h	5_2_06ABCAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABFD11h	5_2_06ABFA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABD5F9h	5_2_06ABD350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABE301h	5_2_06ABE058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABF461h	5_2_06ABF1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABC499h	5_2_06ABC1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABEBB1h	5_2_06ABE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AB0BB1h	5_2_06AB0900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AB1A38h	5_2_06AB1966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06ABBBE9h	5_2_06ABB940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE8945h	5_2_06AE8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE7751h	5_2_06AE74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE6171h	5_2_06AE5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE58C1h	5_2_06AE5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE5D19h	5_2_06AE5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_06AE33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_06AE33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE6E79h	5_2_06AE6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE65C9h	5_2_06AE6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE6A21h	5_2_06AE6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE0741h	5_2_06AE0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE0B99h	5_2_06AE08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE02E9h	5_2_06AE0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE72FAh	5_2_06AE7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE8459h	5_2_06AE81B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE5441h	5_2_06AE5198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE7BA9h	5_2_06AE7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE0FF1h	5_2_06AE0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06AE8001h	5_2_06AE7D58

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49724 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49714 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49718 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49717 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49730 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49737 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49743 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49739 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49727 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49722 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49723 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49716 -> 172.67.177.134:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.8:49715 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.8:49720 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: tJzfnaqOxj.exe, SyncRoot.exe.0.dr	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: tJzfnaqOxj.exe, SyncRoot.exe.0.dr	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: InstallUtil.exe, 00000002.00000002.3984677313.000000000342A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000337C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003473000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003437000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000340F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003465000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000329A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.0000000003207000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000002.00000002.3984677313.00000000033BF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000342A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000337C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003445000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003473000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003437000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000340F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003465000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000329A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000324A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.0000000003207000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000002.00000002.3984677313.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000005.00000002.3979989804.000000000125D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: tJzfnaqOxj.exe, SyncRoot.exe.0.dr	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: tJzfnaqOxj.exe, SyncRoot.exe.0.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: tJzfnaqOxj.exe, SyncRoot.exe.0.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: tJzfnaqOxj.exe, SyncRoot.exe.0.dr	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: tJzfnaqOxj.exe, SyncRoot.exe.0.dr	String found in binary or memory: http://ocsps.ssl.com0
Source: tJzfnaqOxj.exe, SyncRoot.exe.0.dr	String found in binary or memory: http://ocsps.ssl.com0?
Source: tJzfnaqOxj.exe, SyncRoot.exe.0.dr	String found in binary or memory: http://ocsps.ssl.com0_
Source: InstallUtil.exe, 00000002.00000002.3984677313.000000000342A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003394000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003473000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003437000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000340F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003465000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000329A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000321F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: tJzfnaqOxj.exe, 00000000.00000002.1507240597.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, SyncRoot.exe, 00000004.00000002.1617371931.0000000002871000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tJzfnaqOxj.exe, SyncRoot.exe.0.dr	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: tJzfnaqOxj.exe, SyncRoot.exe.0.dr	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000002.00000002.3984677313.00000000033BF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000342A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000337C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003473000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003437000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000340F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003465000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000329A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000324A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.0000000003207000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000337C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.0000000003207000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000005.00000002.3983615017.00000000032A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: InstallUtil.exe, 00000002.00000002.3984677313.00000000033BF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000342A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003473000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003437000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000340F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003465000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000329A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000324A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: tJzfnaqOxj.exe, 00000000.00000002.1507240597.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp, SyncRoot.exe, 00000004.00000002.1617371931.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: tJzfnaqOxj.exe, SyncRoot.exe.0.dr	String found in binary or memory: https://www.ssl.com/repository0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.3979235025.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: tJzfnaqOxj.exe PID: 3340, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: tJzfnaqOxj.exe PID: 3340, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 3428, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 3428, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Code function: 0_2_012E8AB8	0_2_012E8AB8
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Code function: 0_2_012ECC80	0_2_012ECC80
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Code function: 0_2_012E8AA9	0_2_012E8AA9
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Code function: 0_2_012E9150	0_2_012E9150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01836120	2_2_01836120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0183F017	2_2_0183F017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0183B338	2_2_0183B338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0183C457	2_2_0183C457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0183B7E7	2_2_0183B7E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01836748	2_2_01836748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0183C763	2_2_0183C763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_018346D9	2_2_018346D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01839868	2_2_01839868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0183BAC0	2_2_0183BAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0183CA43	2_2_0183CA43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0183BDA3	2_2_0183BDA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0183B503	2_2_0183B503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0183E527	2_2_0183E527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0183E538	2_2_0183E538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01833573	2_2_01833573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0183C480	2_2_0183C480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D20040	2_2_06D20040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D23870	2_2_06D23870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D28460	2_2_06D28460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D211C0	2_2_06D211C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D27D90	2_2_06D27D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2CEF8	2_2_06D2CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2CEE9	2_2_06D2CEE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2CAA0	2_2_06D2CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2FA59	2_2_06D2FA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2C648	2_2_06D2C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2FA68	2_2_06D2FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2F610	2_2_06D2F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2F600	2_2_06D2F600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2C638	2_2_06D2C638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2DBF1	2_2_06D2DBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D273E8	2_2_06D273E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2D798	2_2_06D2D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2D7A8	2_2_06D2D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2D350	2_2_06D2D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2D340	2_2_06D2D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2B4D7	2_2_06D2B4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D208F0	2_2_06D208F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2E8F8	2_2_06D2E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2B4E8	2_2_06D2B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D20490	2_2_06D20490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2E4B0	2_2_06D2E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D204A0	2_2_06D204A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2E4A0	2_2_06D2E4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2E058	2_2_06D2E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2E04B	2_2_06D2E04B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D23860	2_2_06D23860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2001F	2_2_06D2001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2DC00	2_2_06D2DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2C1F0	2_2_06D2C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2C1E0	2_2_06D2C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2BD98	2_2_06D2BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2BD88	2_2_06D2BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D211B0	2_2_06D211B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2F1B8	2_2_06D2F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2F1A9	2_2_06D2F1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2ED50	2_2_06D2ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D20D51	2_2_06D20D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2B940	2_2_06D2B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D20D60	2_2_06D20D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2ED60	2_2_06D2ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D20900	2_2_06D20900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2E908	2_2_06D2E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D2B930	2_2_06D2B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5B6E8	2_2_06D5B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5AA58	2_2_06D5AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5D670	2_2_06D5D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D58608	2_2_06D58608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5C388	2_2_06D5C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D50498	2_2_06D50498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5B0A0	2_2_06D5B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D58C51	2_2_06D58C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5A408	2_2_06D5A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5D028	2_2_06D5D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5C9D8	2_2_06D5C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D511A0	2_2_06D511A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5BD38	2_2_06D5BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5B6D9	2_2_06D5B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D55EC8	2_2_06D55EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D55EB8	2_2_06D55EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5AA48	2_2_06D5AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D55A70	2_2_06D55A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5D661	2_2_06D5D661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D55A60	2_2_06D55A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D55618	2_2_06D55618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D58603	2_2_06D58603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D55609	2_2_06D55609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D56BD0	2_2_06D56BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D56BC1	2_2_06D56BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5A3F8	2_2_06D5A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D533B8	2_2_06D533B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D533A8	2_2_06D533A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D56778	2_2_06D56778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5C378	2_2_06D5C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D56311	2_2_06D56311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D53730	2_2_06D53730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D56320	2_2_06D56320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D578F0	2_2_06D578F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D508F0	2_2_06D508F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D508E0	2_2_06D508E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D57497	2_2_06D57497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5B09A	2_2_06D5B09A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D50488	2_2_06D50488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D528B0	2_2_06D528B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D574A8	2_2_06D574A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D57050	2_2_06D57050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D50040	2_2_06D50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D57049	2_2_06D57049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5D018	2_2_06D5D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D52807	2_2_06D52807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D50006	2_2_06D50006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D52809	2_2_06D52809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D54430	2_2_06D54430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5C9C8	2_2_06D5C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D51191	2_2_06D51191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D55198	2_2_06D55198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D581B0	2_2_06D581B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D581A0	2_2_06D581A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D57D58	2_2_06D57D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D50D48	2_2_06D50D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D57D48	2_2_06D57D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D57900	2_2_06D57900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D50D39	2_2_06D50D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D5BD28	2_2_06D5BD28
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Code function: 4_2_00EF8AB8	4_2_00EF8AB8
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Code function: 4_2_00EFCC80	4_2_00EFCC80
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Code function: 4_2_00EF8AAB	4_2_00EF8AAB
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Code function: 4_2_00EF9140	4_2_00EF9140
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Code function: 4_2_00EF9150	4_2_00EF9150
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Code function: 4_2_06360006	4_2_06360006
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Code function: 4_2_06360040	4_2_06360040
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Code function: 4_2_0637E1E8	4_2_0637E1E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014D6108	5_2_014D6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014DC190	5_2_014DC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014DC470	5_2_014DC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014DB4F7	5_2_014DB4F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014DC753	5_2_014DC753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014D6730	5_2_014D6730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014D9858	5_2_014D9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014DBBB0	5_2_014DBBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014DCA33	5_2_014DCA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014D4AD9	5_2_014D4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014DEE68	5_2_014DEE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014DBEB0	5_2_014DBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014DE379	5_2_014DE379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014DE388	5_2_014DE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014D3573	5_2_014D3573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABD7A8	5_2_06ABD7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB8460	5_2_06AB8460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB7D90	5_2_06AB7D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB3870	5_2_06AB3870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB0040	5_2_06AB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB11C0	5_2_06AB11C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABCEEA	5_2_06ABCEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABCEF8	5_2_06ABCEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABC638	5_2_06ABC638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABF600	5_2_06ABF600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABF610	5_2_06ABF610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABC648	5_2_06ABC648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABD798	5_2_06ABD798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB04A0	5_2_06AB04A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABE4A0	5_2_06ABE4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABE4B0	5_2_06ABE4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB0491	5_2_06AB0491
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABB4E8	5_2_06ABB4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABB4D7	5_2_06ABB4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABDC00	5_2_06ABDC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABBD88	5_2_06ABBD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABBD98	5_2_06ABBD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB0D60	5_2_06AB0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABED60	5_2_06ABED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB0D51	5_2_06AB0D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABED50	5_2_06ABED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABCAA0	5_2_06ABCAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABCA90	5_2_06ABCA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABFA68	5_2_06ABFA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABFA59	5_2_06ABFA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB73E8	5_2_06AB73E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABDBF1	5_2_06ABDBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB73D8	5_2_06AB73D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABD340	5_2_06ABD340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABD350	5_2_06ABD350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABE8F8	5_2_06ABE8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB08F0	5_2_06AB08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB001F	5_2_06AB001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB3863	5_2_06AB3863
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABE049	5_2_06ABE049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABE058	5_2_06ABE058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABF1A9	5_2_06ABF1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABF1B8	5_2_06ABF1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB11B0	5_2_06AB11B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABC1E0	5_2_06ABC1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABC1F0	5_2_06ABC1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABB930	5_2_06ABB930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABE908	5_2_06ABE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB0900	5_2_06AB0900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06ABB940	5_2_06ABB940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AEB6E8	5_2_06AEB6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE8608	5_2_06AE8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AED670	5_2_06AED670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AEAA58	5_2_06AEAA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AEC388	5_2_06AEC388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE8BF2	5_2_06AE8BF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE74A8	5_2_06AE74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AEB0A0	5_2_06AEB0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AED028	5_2_06AED028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AEA408	5_2_06AEA408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE11A0	5_2_06AE11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AEC9D8	5_2_06AEC9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AEBD38	5_2_06AEBD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE5EB8	5_2_06AE5EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE5EC8	5_2_06AE5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AEB6D9	5_2_06AEB6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE560A	5_2_06AE560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE8602	5_2_06AE8602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE5618	5_2_06AE5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AED662	5_2_06AED662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE5A60	5_2_06AE5A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE5A70	5_2_06AE5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AEAA52	5_2_06AEAA52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE33A8	5_2_06AE33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE33B8	5_2_06AE33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AEA3F8	5_2_06AEA3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE6BC1	5_2_06AE6BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE6BD0	5_2_06AE6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE6320	5_2_06AE6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE3730	5_2_06AE3730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE6310	5_2_06AE6310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE676A	5_2_06AE676A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE6778	5_2_06AE6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AEC378	5_2_06AEC378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE0488	5_2_06AE0488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE0498	5_2_06AE0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE7497	5_2_06AE7497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE08E0	5_2_06AE08E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE08F0	5_2_06AE08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE78F0	5_2_06AE78F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE4430	5_2_06AE4430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE0006	5_2_06AE0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE2807	5_2_06AE2807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE2818	5_2_06AE2818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AED018	5_2_06AED018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE7049	5_2_06AE7049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE0040	5_2_06AE0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE7050	5_2_06AE7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE81A0	5_2_06AE81A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE81B0	5_2_06AE81B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE518A	5_2_06AE518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE5198	5_2_06AE5198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE1191	5_2_06AE1191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AEC9C8	5_2_06AEC9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AEBD28	5_2_06AEBD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE0D39	5_2_06AE0D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE7900	5_2_06AE7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE0D48	5_2_06AE0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE7D48	5_2_06AE7D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AE7D58	5_2_06AE7D58

Source: tJzfnaqOxj.exe

Static PE information: invalid certificate

Source: tJzfnaqOxj.exe, 00000000.00000002.1506209854.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs tJzfnaqOxj.exe
Source: tJzfnaqOxj.exe, 00000000.00000000.1496296575.0000000000872000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRef2051.exe8 vs tJzfnaqOxj.exe
Source: tJzfnaqOxj.exe, 00000000.00000002.1522514953.0000000005C00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameObwykbif.dll" vs tJzfnaqOxj.exe
Source: tJzfnaqOxj.exe, 00000000.00000002.1507240597.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs tJzfnaqOxj.exe
Source: tJzfnaqOxj.exe, 00000000.00000002.1507240597.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs tJzfnaqOxj.exe
Source: tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003E7F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRef2051.exe8 vs tJzfnaqOxj.exe
Source: tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs tJzfnaqOxj.exe
Source: tJzfnaqOxj.exe, 00000000.00000002.1523738133.00000000060F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs tJzfnaqOxj.exe
Source: tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs tJzfnaqOxj.exe
Source: tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs tJzfnaqOxj.exe
Source: tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameObwykbif.dll" vs tJzfnaqOxj.exe
Source: tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs tJzfnaqOxj.exe
Source: tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs tJzfnaqOxj.exe
Source: tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs tJzfnaqOxj.exe
Source: tJzfnaqOxj.exe	Binary or memory string: OriginalFilenameRef2051.exe8 vs tJzfnaqOxj.exe

Source: tJzfnaqOxj.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.3979235025.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: tJzfnaqOxj.exe PID: 3340, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: tJzfnaqOxj.exe PID: 3340, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: InstallUtil.exe PID: 3428, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 3428, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: tJzfnaqOxj.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SyncRoot.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.tJzfnaqOxj.exe.60f0000.11.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.tJzfnaqOxj.exe.60f0000.11.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.tJzfnaqOxj.exe.60f0000.11.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.tJzfnaqOxj.exe.60f0000.11.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.tJzfnaqOxj.exe.60f0000.11.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.tJzfnaqOxj.exe.60f0000.11.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.tJzfnaqOxj.exe.60f0000.11.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tJzfnaqOxj.exe.60f0000.11.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.tJzfnaqOxj.exe.60f0000.11.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.tJzfnaqOxj.exe.60f0000.11.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@2/2

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs"

Source: tJzfnaqOxj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tJzfnaqOxj.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: InstallUtil.exe, 00000002.00000002.3984677313.0000000003535000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.00000000034EF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000350D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003541000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3988723629.000000000434D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3987699561.00000000041CD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.0000000003374000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.0000000003384000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: tJzfnaqOxj.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe

File read: C:\Users\user\Desktop\tJzfnaqOxj.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\tJzfnaqOxj.exe "C:\Users\user\Desktop\tJzfnaqOxj.exe"
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\SyncRoot.exe "C:\Users\user\AppData\Roaming\SyncRoot.exe"
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\SyncRoot.exe "C:\Users\user\AppData\Roaming\SyncRoot.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: tJzfnaqOxj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: tJzfnaqOxj.exe

Static file information: File size 1070560 > 1048576

Source: tJzfnaqOxj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: tJzfnaqOxj.exe, 00000000.00000002.1523738133.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: tJzfnaqOxj.exe, 00000000.00000002.1523738133.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.tJzfnaqOxj.exe.60f0000.11.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.tJzfnaqOxj.exe.60f0000.11.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.tJzfnaqOxj.exe.60f0000.11.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.tJzfnaqOxj.exe.6010000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1507240597.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1523355462.0000000006010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1617371931.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tJzfnaqOxj.exe PID: 3340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SyncRoot.exe PID: 5420, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0183B0B5 pushfd ; iretd	2_2_0183B0BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D22E78 push esp; iretd	2_2_06D22E79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06D53181 push ebx; retf	2_2_06D53182
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Code function: 4_2_063631C1 push eax; iretd	4_2_063631C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_014DB105 pushfd ; iretd	5_2_014DB10A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB2E6B pushad ; iretd	5_2_06AB2E79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB6F8B push es; ret	5_2_06AB6FE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB6F13 push es; ret	5_2_06AB6FE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB7059 push es; iretd	5_2_06AB705C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_06AB2990 pushad ; retf	5_2_06AB2AC9

Source: tJzfnaqOxj.exe	Static PE information: section name: .text entropy: 7.74612102616028
Source: SyncRoot.exe.0.dr	Static PE information: section name: .text entropy: 7.74612102616028

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe

File created: C:\Users\user\AppData\Roaming\SyncRoot.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs

Jump to behavior

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs

Jump to behavior

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: tJzfnaqOxj.exe PID: 3340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SyncRoot.exe PID: 5420, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: tJzfnaqOxj.exe, 00000000.00000002.1507240597.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, SyncRoot.exe, 00000004.00000002.1617371931.0000000002871000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Memory allocated: 12E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Memory allocated: 2CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Memory allocated: 4CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 32C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Memory allocated: EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Memory allocated: 2870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Memory allocated: 4870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 14D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2F00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598842	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598169	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597733	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597512	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597160	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596903	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596418	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594460	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594225	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599339	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599005	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598757	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598522	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597182	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596495	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596042	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595936	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595723	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595456	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594219	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3732	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6106	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 4463	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 5368	Jump to behavior

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe TID: 5652	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe TID: 1928	Thread sleep count: 189 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe TID: 2396	Thread sleep count: 98 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5444	Thread sleep count: 3732 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5444	Thread sleep count: 6106 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -598842s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -598391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -598169s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -597733s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -597624s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -597512s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -597296s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -597160s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -596903s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -596418s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -594593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -594460s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -594344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -594225s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -594109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3688	Thread sleep time: -594000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe TID: 5640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe TID: 3036	Thread sleep count: 224 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe TID: 5916	Thread sleep count: 72 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5692	Thread sleep count: 4463 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5692	Thread sleep count: 5368 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -599339s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -599005s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -598757s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -598655s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -598522s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -597968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -597640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -597182s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -596734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -596625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -596495s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -596042s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -595936s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -595723s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -595456s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -594671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -594452s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -594344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep time: -594219s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598842	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598169	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597733	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597512	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597160	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596903	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596418	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594460	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594225	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599339	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599005	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598757	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598522	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597182	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596495	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596042	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595936	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595723	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595456	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594219	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: SyncRoot.exe, 00000004.00000002.1617371931.0000000002871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: SyncRoot.exe, 00000004.00000002.1617371931.0000000002871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: InstallUtil.exe, 00000002.00000002.3981267815.000000000163B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 00000005.00000002.3979989804.000000000125D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 2_2_06D27D90 LdrInitializeThunk,

2_2_06D27D90

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\SyncRoot.exe "C:\Users\user\AppData\Roaming\SyncRoot.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Queries volume information: C:\Users\user\Desktop\tJzfnaqOxj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tJzfnaqOxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Queries volume information: C:\Users\user\AppData\Roaming\SyncRoot.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SyncRoot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\tJzfnaqOxj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.tJzfnaqOxj.exe.3e2a050.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3984677313.0000000003481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3983615017.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3983615017.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3984677313.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tJzfnaqOxj.exe PID: 3340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 3428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 3600, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 0.2.tJzfnaqOxj.exe.3e2a050.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tJzfnaqOxj.exe PID: 3340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 3428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 3600, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.tJzfnaqOxj.exe.3e2a050.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tJzfnaqOxj.exe.3e2a050.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tJzfnaqOxj.exe.3ddb830.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3984677313.0000000003481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3983615017.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3983615017.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3984677313.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tJzfnaqOxj.exe PID: 3340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 3428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 3600, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Scheduled Task/Job	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tJzfnaqOxj.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.RedLineStealer
tJzfnaqOxj.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\SyncRoot.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SyncRoot.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.RedLineStealer

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.75	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://stackoverflow.com/q/14436606/23354	tJzfnaqOxj.exe, 00000000.00000002.1507240597.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp, SyncRoot.exe, 00000004.00000002.1617371931.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.microsoft	InstallUtil.exe, 00000005.00000002.3979989804.000000000125D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ocsps.ssl.com0?	tJzfnaqOxj.exe, SyncRoot.exe.0.dr	false	high
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	tJzfnaqOxj.exe, SyncRoot.exe.0.dr	false	high
https://github.com/mgravell/protobuf-net	tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	tJzfnaqOxj.exe, SyncRoot.exe.0.dr	false	high
http://ocsps.ssl.com0	tJzfnaqOxj.exe, SyncRoot.exe.0.dr	false	high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0	tJzfnaqOxj.exe, SyncRoot.exe.0.dr	false	high
http://checkip.dyndns.org	InstallUtil.exe, 00000002.00000002.3984677313.00000000033BF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000342A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000337C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003445000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003473000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003437000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000340F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003465000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000329A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000324A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.0000000003207000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032A7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	tJzfnaqOxj.exe, SyncRoot.exe.0.dr	false	high
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	tJzfnaqOxj.exe, SyncRoot.exe.0.dr	false	high
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	tJzfnaqOxj.exe, SyncRoot.exe.0.dr	false	high
https://github.com/mgravell/protobuf-neti	tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	tJzfnaqOxj.exe, SyncRoot.exe.0.dr	false	high
https://reallyfreegeoip.org/xml/8.46.123.75$	InstallUtil.exe, 00000002.00000002.3984677313.00000000033BF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000342A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003473000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003437000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000340F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003465000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000329A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000324A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032A7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	tJzfnaqOxj.exe, 00000000.00000002.1523511599.0000000006070000.00000004.08000000.00040000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp	false	high
https://www.ssl.com/repository0	tJzfnaqOxj.exe, SyncRoot.exe.0.dr	false	high
http://ocsps.ssl.com0_	tJzfnaqOxj.exe, SyncRoot.exe.0.dr	false	high
http://reallyfreegeoip.org	InstallUtil.exe, 00000002.00000002.3984677313.000000000342A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003394000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003473000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003437000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000340F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003465000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000329A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000321F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032A7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	InstallUtil.exe, 00000002.00000002.3984677313.00000000033BF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000342A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000337C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003473000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003437000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000340F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003465000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000329A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000324A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.0000000003207000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032A7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	InstallUtil.exe, 00000002.00000002.3984677313.000000000342A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000337C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003473000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003437000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000340F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.0000000003465000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.000000000329A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.0000000003207000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.00000000032A7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	tJzfnaqOxj.exe, 00000000.00000002.1507240597.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, SyncRoot.exe, 00000004.00000002.1617371931.0000000002871000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.0000000003141000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0	tJzfnaqOxj.exe, SyncRoot.exe.0.dr	false	high
https://reallyfreegeoip.org/xml/	tJzfnaqOxj.exe, 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3984677313.000000000337C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3983615017.0000000003207000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
172.67.177.134	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562383
Start date and time:	2024-11-25 14:59:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tJzfnaqOxj.exe renamed because original name is a hash value
Original Sample Name:	a516ee0eb4804ca7f6991b4d631305dd3ee0611b9c5612567720e8c403795714.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@8/3@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 292 Number of non-executed functions: 41
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SyncRoot.exe, PID 5420 because it is empty
Execution Graph export aborted for target tJzfnaqOxj.exe, PID 3340 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: tJzfnaqOxj.exe

Simulations

Behavior and APIs

Time	Type	Description
09:00:30	API Interceptor	13066135x Sleep call for process: InstallUtil.exe modified
15:00:20	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.130.0	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SOA SEP 2024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
172.67.177.134	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	New shipment AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
reallyfreegeoip.org	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	193.123.91.33
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	DGTCkacbSz.xlsx	Get hash	malicious	Snake Keylogger	Browse	172.67.129.178
	idk_1.ps1	Get hash	malicious	Unknown	Browse	172.67.129.178
	FreeCs2Skins.ps1	Get hash	malicious	Unknown	Browse	172.67.129.178
	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	PO#86637.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	0Xp3q1l7De.exe	Get hash	malicious	Remcos	Browse	172.64.41.3
	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.24.198

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134

Process:	C:\Users\user\Desktop\tJzfnaqOxj.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	4.744655184756046
Encrypted:	false
SSDEEP:	3:FER/n0eFHHoCHyg4EaKC5PG3KVEnn:FER/lFHICHhJaZ5PGp
MD5:	0032D9D2D9A469500EBEDDDF87555F4B
SHA1:	097C39FCB62BFF91FF7D0C81CE6FC62A22049EBC
SHA-256:	DE0C0A3BA300ACE8FFDA628684AA4BBB44C32C29A8A2D1702C86E20AB4524D9E
SHA-512:	2A4642FC21D63B58C2F025E060B243C206CD509C200D9C3F0B65A7C5661F688AE6957D8AC829D05B49D13B76D152BF4B09032288B6AFFBFB7A0A5D95ED5B4F25
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\SyncRoot.exe"""

C:\Users\user\AppData\Roaming\SyncRoot.exe

Download File

Process:	C:\Users\user\Desktop\tJzfnaqOxj.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1070560
Entropy (8bit):	7.73394335291535
Encrypted:	false
SSDEEP:	24576:dY2YACYOYGYAAYAtY0YHYAkYAtYJYAAYoYA2YRYAUYDYAHkjSjy4s8nY/mCtCA6y:JZpnWmC96kDiy4QTn/
MD5:	645B21C9A9F4B1D500E490EA0186CEF5
SHA1:	AF4F8A87517CEDD096B05AD9819173A28B50816F
SHA-256:	A516EE0EB4804CA7F6991B4D631305DD3EE0611B9C5612567720E8C403795714
SHA-512:	B8D9094E63DFFF43101CB4481E97392F71CF11883BBD1818B9A7CA09D76A46B10D75A5AE6D92CC87024B116FDC4F75D6E642CBD53A77F5EE6B101953BE66A7B6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=.=g.....................J........... ... ....@.. ....................................`.....................................S.... ..nF...........8............................................................... ............... ..H............text........ ...................... ..`.rsrc...nF... ...H..................@..@.reloc...............6..............@..B........................H........k.............................................................?.C.:....g\|........>~.g?..!.....t}....]...W........>6#S....>.....`T?.(.>_'.>.......&!?.V!......>&..^..f.....O.n?T.>b,.>.......xcm?>.........7.._...h".......{..7?..&.......w..9..8f........f?.Q.>........+.d?Y.............<.'....?......r?a.G..`}>....*..>..N.G......r6a?.?.>.Y.>....z..?AH2?...>....-'....\|..Yk.....g....8..7.O?.........:u>..A.....,J.>..I...n.....q.Z...a..l......PY?6..>+l.....H...../.

C:\Users\user\AppData\Roaming\SyncRoot.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\tJzfnaqOxj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.73394335291535
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	tJzfnaqOxj.exe
File size:	1'070'560 bytes
MD5:	645b21c9a9f4b1d500e490ea0186cef5
SHA1:	af4f8a87517cedd096b05ad9819173a28b50816f
SHA256:	a516ee0eb4804ca7f6991b4d631305dd3ee0611b9c5612567720e8c403795714
SHA512:	b8d9094e63dfff43101cb4481e97392f71cf11883bbd1818b9a7ca09d76a46b10d75a5ae6d92cc87024b116fdc4f75d6e642cbd53a77f5ee6b101953be66a7b6
SSDEEP:	24576:dY2YACYOYGYAAYAtY0YHYAkYAtYJYAAYoYA2YRYAUYDYAHkjSjy4s8nY/mCtCA6y:JZpnWmC96kDiy4QTn/
TLSH:	9235F11DC5E449C2C02B1EF2BD7677A8C2A52139272FDF976E5C584026623BE1A35CBC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=.=g.....................J........... ... ....@.. ....................................`................................

File Icon


Icon Hash:	fcdc888888a498b8

Static PE Info

General

Entrypoint:	0x500aee
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673DAB3D [Wed Nov 20 09:26:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	04/07/2024 00:35:32 15/05/2027 11:15:04
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=VN, OID.2.5.4.15=Private Organization, CN="DUC FABULOUS CO.,LTD", SERIALNUMBER=0105838409, O="DUC FABULOUS CO.,LTD", L=Hanoi, C=VN
Version:	3
Thumbprint MD5:	FF0E889D2A73C3A679605952D35452DC
Thumbprint SHA-1:	2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C
Thumbprint SHA-256:	A73352D67693AA16BCE2F182B15891F0F23EA0485CC18938686AAFDEE7B743E3
Serial:	6DD2E3173995F51BFAC1D9FB4CB200C1

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x100a98	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x102000	0x466e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x103800	0x1de0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x108000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfeaf4	0xfec00	ee3d055418c21f5813de60ac8ac990f1	False	0.8124051229759568	data	7.74612102616028	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x102000	0x466e	0x4800	27943735553b430db6728cecdfa76809	False	0.1759982638888889	data	3.8311833466224563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x108000	0xc	0x200	756196e29dcda430d16ff70563391d43	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x102130	0x4028	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.15172917681441792
RT_GROUP_ICON	0x106158	0x14	data	1.05
RT_VERSION	0x10616c	0x318	data	0.44696969696969696
RT_MANIFEST	0x106484	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T15:00:27.514714+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49714	193.122.130.0	80	TCP
2024-11-25T15:00:30.874029+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49714	193.122.130.0	80	TCP
2024-11-25T15:00:32.917968+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49716	172.67.177.134	443	TCP
2024-11-25T15:00:33.061554+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49717	193.122.130.0	80	TCP
2024-11-25T15:00:35.170914+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49717	193.122.130.0	80	TCP
2024-11-25T15:00:35.233415+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49718	193.122.130.0	80	TCP
2024-11-25T15:00:36.801093+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49722	172.67.177.134	443	TCP
2024-11-25T15:00:36.963742+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49723	172.67.177.134	443	TCP
2024-11-25T15:00:39.077174+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49724	193.122.130.0	80	TCP
2024-11-25T15:00:40.777333+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49727	172.67.177.134	443	TCP
2024-11-25T15:00:43.095982+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49730	172.67.177.134	443	TCP
2024-11-25T15:00:50.520080+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49737	172.67.177.134	443	TCP
2024-11-25T15:00:52.261863+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49739	172.67.177.134	443	TCP
2024-11-25T15:00:55.442168+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49743	172.67.177.134	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 15:00:20.867506981 CET	49714	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:20.987673998 CET	80	49714	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:20.987780094 CET	49714	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:20.988260984 CET	49714	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:21.108191967 CET	80	49714	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:25.114682913 CET	80	49714	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:25.129945993 CET	49714	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:25.250607967 CET	80	49714	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:27.472774982 CET	80	49714	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:27.514714003 CET	49714	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:27.656893969 CET	49715	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:27.656913042 CET	443	49715	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:27.657054901 CET	49715	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:27.666317940 CET	49715	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:27.666335106 CET	443	49715	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:28.978935957 CET	443	49715	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:28.979031086 CET	49715	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:28.987448931 CET	49715	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:28.987468004 CET	443	49715	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:28.987797022 CET	443	49715	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:29.030255079 CET	49715	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:29.127979040 CET	49715	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:29.175334930 CET	443	49715	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:29.477125883 CET	443	49715	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:29.477189064 CET	443	49715	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:29.477240086 CET	49715	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:29.483789921 CET	49715	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:29.487663031 CET	49714	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:29.607661009 CET	80	49714	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:30.826567888 CET	80	49714	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:30.874028921 CET	49714	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:31.181278944 CET	49716	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:31.181334019 CET	443	49716	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:31.181564093 CET	49716	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:31.181912899 CET	49716	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:31.181926012 CET	443	49716	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:31.348542929 CET	49717	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:31.468852997 CET	80	49717	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:31.468952894 CET	49717	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:31.469297886 CET	49717	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:31.589243889 CET	80	49717	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:32.443018913 CET	443	49716	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:32.445401907 CET	49716	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:32.445419073 CET	443	49716	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:32.566931009 CET	80	49717	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:32.570682049 CET	49717	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:32.690700054 CET	80	49717	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:32.918014050 CET	443	49716	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:32.918097019 CET	443	49716	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:32.918303013 CET	49716	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:32.918917894 CET	49716	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:32.922920942 CET	49714	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:32.924427986 CET	49718	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:33.009540081 CET	80	49717	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:33.043437958 CET	80	49714	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:33.044405937 CET	80	49718	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:33.044485092 CET	49714	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:33.044526100 CET	49718	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:33.044699907 CET	49718	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:33.060683966 CET	49720	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:33.060746908 CET	443	49720	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:33.060959101 CET	49720	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:33.061553955 CET	49717	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:33.067770958 CET	49720	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:33.067796946 CET	443	49720	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:33.164645910 CET	80	49718	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:34.327928066 CET	443	49720	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:34.328008890 CET	49720	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:34.329422951 CET	49720	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:34.329432964 CET	443	49720	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:34.329720974 CET	443	49720	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:34.374037027 CET	49720	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:34.429642916 CET	49720	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:34.475333929 CET	443	49720	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:34.792171955 CET	443	49720	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:34.792238951 CET	443	49720	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:34.792347908 CET	49720	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:34.795212030 CET	49720	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:34.798985958 CET	49717	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:34.919049025 CET	80	49717	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:35.126163006 CET	80	49717	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:35.128470898 CET	49722	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:35.128530979 CET	443	49722	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:35.128670931 CET	49722	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:35.128983021 CET	49722	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:35.128998041 CET	443	49722	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:35.170913935 CET	49717	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:35.187889099 CET	80	49718	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:35.189059973 CET	49723	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:35.189116955 CET	443	49723	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:35.189173937 CET	49723	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:35.189465046 CET	49723	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:35.189477921 CET	443	49723	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:35.233414888 CET	49718	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:36.341146946 CET	443	49722	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:36.364547968 CET	49722	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:36.364597082 CET	443	49722	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:36.493099928 CET	443	49723	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:36.513371944 CET	49723	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:36.513400078 CET	443	49723	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:36.801127911 CET	443	49722	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:36.801265001 CET	443	49722	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:36.801542044 CET	49722	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:36.801817894 CET	49722	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:36.805358887 CET	49717	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:36.806719065 CET	49724	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:36.925728083 CET	80	49717	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:36.925787926 CET	49717	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:36.926704884 CET	80	49724	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:36.926795006 CET	49724	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:36.926985025 CET	49724	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:36.963752985 CET	443	49723	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:36.963825941 CET	443	49723	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:36.963890076 CET	49723	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:36.964505911 CET	49723	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:36.969485998 CET	49725	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:37.046905041 CET	80	49724	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:37.089534044 CET	80	49725	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:37.089660883 CET	49725	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:37.089848042 CET	49725	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:37.209916115 CET	80	49725	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:38.240824938 CET	80	49725	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:38.242316961 CET	49726	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:38.242374897 CET	443	49726	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:38.242515087 CET	49726	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:38.242758989 CET	49726	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:38.242773056 CET	443	49726	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:38.295929909 CET	49725	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:39.024035931 CET	80	49724	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:39.077173948 CET	49724	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:39.082204103 CET	49727	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:39.082241058 CET	443	49727	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:39.082508087 CET	49727	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:39.083025932 CET	49727	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:39.083039045 CET	443	49727	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:39.546777964 CET	443	49726	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:39.548576117 CET	49726	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:39.548600912 CET	443	49726	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:40.015018940 CET	443	49726	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:40.015104055 CET	443	49726	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:40.015358925 CET	49726	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:40.015784025 CET	49726	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:40.020870924 CET	49725	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:40.021528006 CET	49728	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:40.141562939 CET	80	49728	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:40.141768932 CET	49728	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:40.141953945 CET	49728	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:40.143944025 CET	80	49725	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:40.144068003 CET	49725	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:40.261898041 CET	80	49728	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:40.307710886 CET	443	49727	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:40.309571981 CET	49727	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:40.309612036 CET	443	49727	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:40.777328014 CET	443	49727	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:40.777393103 CET	443	49727	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:40.777518988 CET	49727	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:40.778011084 CET	49727	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:40.782550097 CET	49729	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:40.902519941 CET	80	49729	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:40.902596951 CET	49729	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:40.902730942 CET	49729	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:41.022732019 CET	80	49729	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:41.264539003 CET	80	49728	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:41.266107082 CET	49730	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:41.266150951 CET	443	49730	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:41.266211033 CET	49730	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:41.266577959 CET	49730	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:41.266592979 CET	443	49730	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:41.311568022 CET	49728	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:42.186516047 CET	80	49729	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:42.188075066 CET	49731	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:42.188112974 CET	443	49731	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:42.188195944 CET	49731	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:42.188436985 CET	49731	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:42.188446999 CET	443	49731	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:42.233423948 CET	49729	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:42.623608112 CET	443	49730	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:42.625339985 CET	49730	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:42.625400066 CET	443	49730	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:43.095987082 CET	443	49730	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:43.096061945 CET	443	49730	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:43.096151114 CET	49730	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:43.096765995 CET	49730	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:43.100181103 CET	49728	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:43.101294041 CET	49732	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:43.220545053 CET	80	49728	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:43.220700979 CET	49728	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:43.221301079 CET	80	49732	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:43.221440077 CET	49732	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:43.221589088 CET	49732	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:43.341564894 CET	80	49732	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:43.467802048 CET	443	49731	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:43.470017910 CET	49731	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:43.470060110 CET	443	49731	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:43.928073883 CET	443	49731	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:43.928139925 CET	443	49731	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:43.928184986 CET	49731	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:43.929145098 CET	49731	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:43.933660984 CET	49729	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:43.935184002 CET	49733	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:44.053950071 CET	80	49729	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:44.054120064 CET	49729	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:44.055258036 CET	80	49733	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:44.055334091 CET	49733	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:44.055640936 CET	49733	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:44.181731939 CET	80	49733	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:44.580584049 CET	80	49732	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:44.581824064 CET	49734	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:44.581857920 CET	443	49734	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:44.582171917 CET	49734	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:44.582201004 CET	49734	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:44.582206964 CET	443	49734	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:44.624193907 CET	49732	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:45.904568911 CET	443	49734	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:45.906877041 CET	49734	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:45.906922102 CET	443	49734	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:46.479871988 CET	443	49734	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:46.479943037 CET	443	49734	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:46.480007887 CET	49734	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:46.480649948 CET	49734	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:46.484936953 CET	49732	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:46.485539913 CET	49735	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:46.605135918 CET	80	49732	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:46.605226994 CET	49732	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:46.605545998 CET	80	49735	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:46.605623960 CET	49735	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:46.605799913 CET	49735	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:46.725687981 CET	80	49735	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:47.307549000 CET	80	49733	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:47.309420109 CET	49736	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:47.309467077 CET	443	49736	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:47.309575081 CET	49736	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:47.309844017 CET	49736	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:47.309859037 CET	443	49736	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:47.358535051 CET	49733	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:48.587991953 CET	443	49736	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:48.590547085 CET	49736	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:48.590572119 CET	443	49736	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:48.748604059 CET	80	49735	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:48.749962091 CET	49737	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:48.750006914 CET	443	49737	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:48.750072002 CET	49737	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:48.750355005 CET	49737	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:48.750369072 CET	443	49737	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:48.795980930 CET	49735	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:49.057049036 CET	443	49736	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:49.057117939 CET	443	49736	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:49.057281017 CET	49736	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:49.057893038 CET	49736	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:49.061501026 CET	49733	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:49.062824965 CET	49738	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:49.181996107 CET	80	49733	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:49.182207108 CET	49733	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:49.182970047 CET	80	49738	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:49.183065891 CET	49738	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:49.183303118 CET	49738	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:49.303683996 CET	80	49738	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:50.054315090 CET	443	49737	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:50.079463959 CET	49737	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:50.079488039 CET	443	49737	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:50.395243883 CET	80	49738	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:50.396466970 CET	49739	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:50.396513939 CET	443	49739	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:50.396595001 CET	49739	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:50.396853924 CET	49739	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:50.396863937 CET	443	49739	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:50.436587095 CET	49738	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:50.520117044 CET	443	49737	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:50.520184040 CET	443	49737	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:50.520282030 CET	49737	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:50.520756006 CET	49737	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:50.524477005 CET	49735	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:50.525105953 CET	49740	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:50.644812107 CET	80	49735	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:50.644943953 CET	49735	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:50.645085096 CET	80	49740	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:50.645158052 CET	49740	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:50.651735067 CET	49740	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:50.771703959 CET	80	49740	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:51.779603004 CET	443	49739	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:51.781536102 CET	49739	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:51.781565905 CET	443	49739	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:51.872709036 CET	80	49740	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:51.874315023 CET	49741	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:51.874372959 CET	443	49741	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:51.874510050 CET	49741	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:51.874845982 CET	49741	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:51.874857903 CET	443	49741	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:51.921025991 CET	49740	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:52.261881113 CET	443	49739	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:52.261945963 CET	443	49739	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:52.262020111 CET	49739	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:52.262540102 CET	49739	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:52.267128944 CET	49738	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:52.268306017 CET	49742	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:52.388190985 CET	80	49738	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:52.388731003 CET	80	49742	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:52.388820887 CET	49738	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:52.388865948 CET	49742	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:52.389076948 CET	49742	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:52.509118080 CET	80	49742	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:53.522695065 CET	443	49741	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:53.558193922 CET	49741	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:53.558213949 CET	443	49741	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:53.600980997 CET	80	49742	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:53.612875938 CET	49743	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:53.612921000 CET	443	49743	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:53.612991095 CET	49743	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:53.613360882 CET	49743	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:53.613373995 CET	443	49743	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:53.655323982 CET	49742	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:53.996424913 CET	443	49741	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:53.996483088 CET	443	49741	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:53.996572971 CET	49741	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:53.997270107 CET	49741	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:54.916598082 CET	443	49743	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:54.918248892 CET	49743	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:54.918302059 CET	443	49743	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:55.442178965 CET	443	49743	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:55.442248106 CET	443	49743	172.67.177.134	192.168.2.8
Nov 25, 2024 15:00:55.442308903 CET	49743	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:55.442955017 CET	49743	443	192.168.2.8	172.67.177.134
Nov 25, 2024 15:00:55.447216034 CET	49742	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:55.448014975 CET	49744	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:55.567735910 CET	80	49742	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:55.567819118 CET	49742	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:55.567928076 CET	80	49744	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:55.568010092 CET	49744	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:55.568397045 CET	49744	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:00:55.688982010 CET	80	49744	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:59.802635908 CET	80	49744	193.122.130.0	192.168.2.8
Nov 25, 2024 15:00:59.842885017 CET	49744	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:01:40.188019991 CET	80	49718	193.122.130.0	192.168.2.8
Nov 25, 2024 15:01:40.188093901 CET	49718	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:01:44.024543047 CET	80	49724	193.122.130.0	192.168.2.8
Nov 25, 2024 15:01:44.024604082 CET	49724	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:01:56.871520042 CET	80	49740	193.122.130.0	192.168.2.8
Nov 25, 2024 15:01:56.871709108 CET	49740	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:02:04.802450895 CET	80	49744	193.122.130.0	192.168.2.8
Nov 25, 2024 15:02:04.802500010 CET	49744	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:02:31.874430895 CET	49740	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:02:31.995369911 CET	80	49740	193.122.130.0	192.168.2.8
Nov 25, 2024 15:02:35.455912113 CET	49744	80	192.168.2.8	193.122.130.0
Nov 25, 2024 15:02:35.576035023 CET	80	49744	193.122.130.0	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 15:00:20.721698999 CET	64269	53	192.168.2.8	1.1.1.1
Nov 25, 2024 15:00:20.859778881 CET	53	64269	1.1.1.1	192.168.2.8
Nov 25, 2024 15:00:27.517832994 CET	54025	53	192.168.2.8	1.1.1.1
Nov 25, 2024 15:00:27.655728102 CET	53	54025	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 15:00:20.721698999 CET	192.168.2.8	1.1.1.1	0xb6ff	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 15:00:27.517832994 CET	192.168.2.8	1.1.1.1	0xbeb1	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 15:00:20.859778881 CET	1.1.1.1	192.168.2.8	0xb6ff	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 15:00:20.859778881 CET	1.1.1.1	192.168.2.8	0xb6ff	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 25, 2024 15:00:20.859778881 CET	1.1.1.1	192.168.2.8	0xb6ff	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 25, 2024 15:00:20.859778881 CET	1.1.1.1	192.168.2.8	0xb6ff	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 25, 2024 15:00:20.859778881 CET	1.1.1.1	192.168.2.8	0xb6ff	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 25, 2024 15:00:20.859778881 CET	1.1.1.1	192.168.2.8	0xb6ff	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 25, 2024 15:00:27.655728102 CET	1.1.1.1	192.168.2.8	0xbeb1	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Nov 25, 2024 15:00:27.655728102 CET	1.1.1.1	192.168.2.8	0xbeb1	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49714	193.122.130.0	80	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:00:20.988260984 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 15:00:25.114682913 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 00f08e453f2c738792b3f96cfbadf301 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 15:00:25.129945993 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 15:00:27.472774982 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1b77d0e6e0c665677efb9239e5a61c3f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 15:00:29.487663031 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 15:00:30.826567888 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d49cde74bc7e289e3a3cd9fffafefadf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49717	193.122.130.0	80	3600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:00:31.469297886 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 15:00:32.566931009 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d4cedc0769ae23b6cc3d7fea2ba05802 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 15:00:32.570682049 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 15:00:33.009540081 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 02976f591672ba3e9879e71045fe7673 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 15:00:34.798985958 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 15:00:35.126163006 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:34 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 26286fe5cc20b0cbcb1d4381228b2243 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49718	193.122.130.0	80	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:00:33.044699907 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 15:00:35.187889099 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 751446abdb9f84f9a0564387f5955e3b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49724	193.122.130.0	80	3600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:00:36.926985025 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 15:00:39.024035931 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 205c5a333a8b604b61c9c2edb9862915 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49725	193.122.130.0	80	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:00:37.089848042 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 15:00:38.240824938 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 09219cfe6a7b9570b7b2c56b79017139 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49728	193.122.130.0	80	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:00:40.141953945 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 15:00:41.264539003 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:41 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1fc6c005072852703fdb5ba2350f86a4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49729	193.122.130.0	80	3600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:00:40.902730942 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 15:00:42.186516047 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:42 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 39fe03c23cbb625008ae7bddd1c90f83 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49732	193.122.130.0	80	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:00:43.221589088 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 15:00:44.580584049 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:44 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1d723d453112b60f7287f3a2716754d4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49733	193.122.130.0	80	3600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:00:44.055640936 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 15:00:47.307549000 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:47 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fbf901d54c52c4f28576b6956141545f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49735	193.122.130.0	80	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:00:46.605799913 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 15:00:48.748604059 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:48 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8c7272176e1e7cf867db557dfe54b719 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49738	193.122.130.0	80	3600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:00:49.183303118 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 15:00:50.395243883 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:50 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b6acb6803a0f901991ff42959b185117 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49740	193.122.130.0	80	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:00:50.651735067 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 15:00:51.872709036 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:51 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 76aead77bd072a8d0f2257e18a34f1cd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49742	193.122.130.0	80	3600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:00:52.389076948 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 15:00:53.600980997 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:53 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2eefd8872a469ef1a6b58f306ccd114d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49744	193.122.130.0	80	3600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 15:00:55.568397045 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 15:00:59.802635908 CET	745	IN	HTTP/1.1 504 Gateway Time-out Date: Mon, 25 Nov 2024 14:00:59 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: 2cecf85374919bf754ddafb9278412e5 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49715	172.67.177.134	443	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:29 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 14:00:29 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:29 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507138 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iwb94sLr0cePKlOc80P0JBJ7vOWWwheiEeAU7kUMWNpUX8HLTTEumEg%2B312wb7R4C1jv9%2BiSGi7jdUxRLh1LdL5oRl70%2BfO7iJaHSr60wORkWJasiQUYQQMka7tniGjS9wsa1Ir7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822a4f1b3643fe-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1773&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1005163&cwnd=241&unsent_bytes=0&cid=9a24d0f94f65c8bc&ts=512&x=0"
2024-11-25 14:00:29 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49716	172.67.177.134	443	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:32 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 14:00:32 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:32 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507141 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qP8pzK%2FqLjyC7BpLVabyFhzJxyYWct8udT6woyomtpyuwwDoUTeI2mOtOTcy3PeNL3a%2FlD3j9pGJyIq5NGW%2FaH6ioMqI5eCFFESlcfRTx4LlCffjFO7mFjvPWluEbO0cNmxDyHiE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822a64888a440d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1738&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1151419&cwnd=169&unsent_bytes=0&cid=f4b9dc5010359d31&ts=481&x=0"
2024-11-25 14:00:32 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49720	172.67.177.134	443	3600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:34 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 14:00:34 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:34 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507143 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1wlgXnF8ocgBCaFDzWI6mPTO%2FwCSvqeDG8mWxWgugB95APUuu0HKFqjgZiiNEDDdD0B67e9YsLY7ddc5fuLhUo9bMt1A5WbvKJl%2FMdLROlfBOOL7tCNK4epvsLinSvC%2BErhRwpR%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822a704bb0c44a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1522&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1932495&cwnd=223&unsent_bytes=0&cid=853b1fc3d755f91d&ts=470&x=0"
2024-11-25 14:00:34 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49722	172.67.177.134	443	3600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:36 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 14:00:36 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:36 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507145 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZaQNT8ZX%2FHKEYYRnSw%2BsSB%2Fp5Ul6JSOvBDHK4vG9GSN2Rj6KNa3UCBL4g7j3wlfL2tox3LzDWKKqOhJCXjdgdFr3sfSuxXajeAsd8JLms2p2EpVldulcV9QqURoCPd6xMe%2BYeqvT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822a7cd80e18c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1520&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1903520&cwnd=234&unsent_bytes=0&cid=b050a3b013bdfc92&ts=465&x=0"
2024-11-25 14:00:36 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49723	172.67.177.134	443	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:36 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 14:00:36 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:36 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507145 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WeGdD4Kw09hGtbZaD7NV2lfpDc6rquFcNJjMEDtknfTwDOods7%2BM53M9Z0x5H81w38XzazRY3LG%2FrZlNxJwp3KY2kFIcBYyAdZwGyktVkxlubb72dmDkoktk1rhFGoC%2BRpB1wFe6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822a7dd92a32e8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1991&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1449131&cwnd=245&unsent_bytes=0&cid=b8aba040a6cd9779&ts=471&x=0"
2024-11-25 14:00:36 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49726	172.67.177.134	443	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:39 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 14:00:40 UTC	863	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:39 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507148 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LjOjRTp6ge9bOVWRDpgQ%2FB0uJNlW%2BEJsYPYN3TBdQrGxTkUlsfnEy%2Ftjw38MLgySUrpcTe3Mmaubbt22M7gqX9iDk3OkS%2BUCyMuUhFlakq9%2Fxmh%2FrmGjfH3ehJZ%2Bu%2FDh%2FUaHnheI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822a90fe99de93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1481&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1914754&cwnd=244&unsent_bytes=0&cid=5d5866f90f777b33&ts=472&x=0"
2024-11-25 14:00:40 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49727	172.67.177.134	443	3600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:40 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 14:00:40 UTC	858	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:40 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507149 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B%2BsGre2nQZT3jS4EzTU6%2BbvbSWxBViO%2FkORwNQr%2Fz67dZtQcHFbwJHd6eQjlcLLHaSQurNp0zXMySMLSdnAGv8Fh9jujN5NcXNmedvRTMPBSxr%2Fki%2BbpgKkCKz9hWeEdlzYGI7Mz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822a95aa888ce0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2042&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4240&recv_bytes=698&delivery_rate=258727&cwnd=202&unsent_bytes=0&cid=c93cf7bab8a09f5e&ts=483&x=0"
2024-11-25 14:00:40 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49730	172.67.177.134	443	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:42 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 14:00:43 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:42 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507151 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TciZ15JcR0qkBe%2FpuLKN%2FCjkComYd4q9KySig%2BB4gMhMnqsvK%2Fk9WDB%2FHrXqUnI910TWTAwexU6jgflI1mkTVJZC6ewQfq3sZtpzrnkNgY%2BIqSHxW1jMTZaHr0iyLYrjtxMdndDO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822aa42d9232dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1998&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1345002&cwnd=241&unsent_bytes=0&cid=0a900cfcf62ae459&ts=478&x=0"
2024-11-25 14:00:43 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49731	172.67.177.134	443	3600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:43 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 14:00:43 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:43 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507152 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I5HDQfrCOACdSV3rv6Nt0AAcr7Ws8s5CNSQdudYsJkYEu9rKu4oNQPvvnD0xmRT1wPCsPBmYMhlKWcDpYFjgZx%2FYaPLpDxNwXpZZocs1%2FnhQNGKv9obwg3aoCWE%2FMjEQ%2FrHERUc2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822aa97d36434b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2908&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1780487&cwnd=243&unsent_bytes=0&cid=8a79e1b8e2d63601&ts=466&x=0"
2024-11-25 14:00:43 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49734	172.67.177.134	443	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:45 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 14:00:46 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:46 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507155 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mzfinUioRsw68ANR9qL4ldGfqrLrNcdvmxKOoty%2B1QLjE9lAMrWnRHAPSKE6sLcmqBhoMzA3m%2Fknpgws%2BUgPT6QpapW%2F21K16CDjKaQNgwE5ZIL%2BzjbAdRtopiIDe0D6xEUo%2BC4%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822ab949cd78d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2025&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1386514&cwnd=144&unsent_bytes=0&cid=e2d5014709f4fed3&ts=580&x=0"
2024-11-25 14:00:46 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49736	172.67.177.134	443	3600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:48 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 14:00:49 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:48 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507157 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GhVdAxW%2BW47NeaYoqsxIbapQLPc772LuT%2FmWyBdAvvRL9n9%2BnK7MHCVWDgbuH4dAVYjpDUCIMzVtppSB%2Bbq1gOk6Zs9PY79Ed12Ho4RejaR%2BwgGVQ94YwabntL6ls3azpLaL3iII"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822ac97b648cc0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7766&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1416787&cwnd=249&unsent_bytes=0&cid=bbc29216829690f8&ts=475&x=0"
2024-11-25 14:00:49 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49737	172.67.177.134	443	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:50 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 14:00:50 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:50 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507159 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EO%2FgWx14fW0dW29XNaVWzHQcg7DHzyl%2BFt0P9J0rW7UKJsmIFDhtiMUVPWGlQmAbrQLmFPRQLiAXJxXBzHY3rSmsxmOFnCA8nUCB2S7pYt1%2FjqP42y9xt9Sv0gN8hS9SlGKMfDUT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822ad29d58de97-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1939&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1236764&cwnd=216&unsent_bytes=0&cid=c0e00c68ccd8f03a&ts=469&x=0"
2024-11-25 14:00:50 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49739	172.67.177.134	443	3600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:51 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 14:00:52 UTC	849	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:52 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507161 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PRWCSACfeqtxcCU4KIIcXQNWSPq9pCyo%2BUfyuf9WVp1DgnczdpaiGz7K8x135nAJIKZ7ZDo7xNdUKwlkCHinzBfhfeFsAiq9h%2BaYZK05BhI4JDeUUqMF1Z2XgSPYXArjwhMYm6BW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822add689d1a0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1972&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1370248&cwnd=214&unsent_bytes=0&cid=b7fb87014308997e&ts=485&x=0"
2024-11-25 14:00:52 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49741	172.67.177.134	443	3428	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:53 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 14:00:53 UTC	849	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:53 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507162 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xppFxusWQQf9SXALejjQAtktdSjyQYjwiOL7U6OkCo1HZu6lLBhMTeozd5qeHtLJPFr%2BtuF1wM7guS8q2xnX5CDdflT2bbEqNlEyQuPJOJV281UwOL9F0KTELPVoD%2FfO1vHeRYnI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822ae84a927274-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2027&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1421616&cwnd=181&unsent_bytes=0&cid=ca28ad9a3acb23d4&ts=778&x=0"
2024-11-25 14:00:53 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49743	172.67.177.134	443	3600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:00:54 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 14:00:55 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:00:55 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 507164 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GgsqRnPDygOtBUyThr6%2Bh9wRoIh%2FbCSYGrUsLCTiGTyczX6G9PjmYh%2BhvjW6njncfGLHtFRxh8%2BJURxaAH878xYeaCaHeUqJRpt2QXWJY1F8XXpq1iyN85mq%2FmXHKMBIfMdoZUpc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e822af108d6429e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1833&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1648785&cwnd=192&unsent_bytes=0&cid=b990cb0fbc2a12d4&ts=529&x=0"
2024-11-25 14:00:55 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Target ID:	0
Start time:	09:00:18
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\tJzfnaqOxj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tJzfnaqOxj.exe"
Imagebase:	0x770000
File size:	1'070'560 bytes
MD5 hash:	645B21C9A9F4B1D500E490EA0186CEF5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1507240597.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1523355462.0000000006010000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1520354714.0000000003DDB000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:00:19
Start date:	25/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xed0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3984677313.0000000003481000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.3979235025.000000000041A000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3979235025.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3984677313.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	09:00:28
Start date:	25/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs"
Imagebase:	0x7ff7b8970000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:00:29
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Roaming\SyncRoot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SyncRoot.exe"
Imagebase:	0x410000
File size:	1'070'560 bytes
MD5 hash:	645B21C9A9F4B1D500E490EA0186CEF5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.1617371931.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:00:30
Start date:	25/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xd90000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3983615017.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3983615017.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 012ECC80 Relevance: 1.0, Instructions: 983COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682df1a4388ec2fdff7c1589983bd7df5a05a9b38cc8da064de67b162bbb9e80
Instruction ID: ea29bd7d8c9dfab69a398d80b48951e9eee20e3dfb0663bc89dd9a2e688a6d15
Opcode Fuzzy Hash: 682df1a4388ec2fdff7c1589983bd7df5a05a9b38cc8da064de67b162bbb9e80
Instruction Fuzzy Hash: 50A2B375A00228CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB365DB319E81CF40

Function 012E8AA9 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74e80ff8c116745621a7fefeb94a89e18d5dd56f414590f93bf63de836f9e92
Instruction ID: f839980bdfe1f6f6abf74bae9195fcf81e82768c8bee93f051859b87bb19a7d6
Opcode Fuzzy Hash: b74e80ff8c116745621a7fefeb94a89e18d5dd56f414590f93bf63de836f9e92
Instruction Fuzzy Hash: 9171FEB5D00A498FD758EFAAEA9169DBBF2BFC8304F14C52AD044DB268EB7558058B40

Function 012E8AB8 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0413993ca400a38cd1786f67a9e12d0c1e04f2cf1705a16b44660d40b30d97
Instruction ID: 408f5890e7fdf24e8279b1c8876b82e40e8b76233ba6e3622176f8071c93d692
Opcode Fuzzy Hash: 0f0413993ca400a38cd1786f67a9e12d0c1e04f2cf1705a16b44660d40b30d97
Instruction Fuzzy Hash: A571F1B5900A498FD758EFBAEA9069DBBF3BBC8304F14C52AD044DB268EB755805CB41

Function 012E898D Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

P, xrefs: 012E8A17, 012E8A5F

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-1343716551
Opcode ID: 8d8342a19ff14f3cfc61812dafa29d4b40a5a7c2cb33ab5fbdedbcad48fdbdc4
Instruction ID: 87b7f44ac44da026aa79116baf73e6d577c130926e6fe75c3901a0096b2b4e55
Opcode Fuzzy Hash: 8d8342a19ff14f3cfc61812dafa29d4b40a5a7c2cb33ab5fbdedbcad48fdbdc4
Instruction Fuzzy Hash: 9D2168B4D29208DFEB01DFA8C44A7ADBFF4EB46304F5080AAE545D7351DB744945CB12

Function 012E89A8 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

P, xrefs: 012E8A17, 012E8A5F

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-1343716551
Opcode ID: 184b2c8d3bfda108aa99f49ce4344b4cf11b27a4152cfa17b944139a55d0be3e
Instruction ID: 4a6dac804064b536db5a8d42b8ac861a4cca5404f2261f27520f0e3fe98d31f7
Opcode Fuzzy Hash: 184b2c8d3bfda108aa99f49ce4344b4cf11b27a4152cfa17b944139a55d0be3e
Instruction Fuzzy Hash: FF2149B4D25208DFDB00EFA9C18A7ADBFF4FB49305F6080A9E545A3340DB745985CB12

Function 012EE750 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a8ff4aff2980322546954eeadf6fbe9b2fff0646ad8f0d743c34f4d05280cc
Instruction ID: 4cf20f6feb85ba151e9b5eef8ffb618c84b51dacec178f1a7759e2a2f639b5a5
Opcode Fuzzy Hash: b5a8ff4aff2980322546954eeadf6fbe9b2fff0646ad8f0d743c34f4d05280cc
Instruction Fuzzy Hash: F9C112323006169FEB19DF6CD858BAE7BE6FF84210B55806AEA05CB391DB34DC42C791

Function 012EEC20 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c78003d8c3f5160b33de40e13eb8419a57c43ac108b14c76e22ed65ff8af7c
Instruction ID: 4cb89ec4e49ddca92e4a25cc1b56e69d42db17fe812264eb43624f80f08fc63d
Opcode Fuzzy Hash: 58c78003d8c3f5160b33de40e13eb8419a57c43ac108b14c76e22ed65ff8af7c
Instruction Fuzzy Hash: 18814D35A10619CFDB14DF68C488A9DB7F5FF88710B5A81A9E916DB320DB31ED42CB90

Function 012E0860 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e6e482951797bec5d8e92675b5846ca88fb772203095b7e7132606733d5e5c
Instruction ID: a66faa3d38a49d4d475b7efda94f11b4cdd04334b6bfda7031f5a786251f07ae
Opcode Fuzzy Hash: 57e6e482951797bec5d8e92675b5846ca88fb772203095b7e7132606733d5e5c
Instruction Fuzzy Hash: 6E311275B102099FCF05DFB8C898AED7BF1FB59300B554499E186EB212DA769803CB91

Function 012E0870 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5befce61dad9a9f54c74f4c2b3e0054dafa6c9e1e83253aab7db3732ba67961
Instruction ID: d599fbd6717feacaf78f3700360e877f7fd6173af0d9273aba3ce15378397554
Opcode Fuzzy Hash: d5befce61dad9a9f54c74f4c2b3e0054dafa6c9e1e83253aab7db3732ba67961
Instruction Fuzzy Hash: 1C418E31E0020A8FDB14DFA8C8445EEBBF2FF89711F558569E545FB250D774A942CB90

Function 012E0B30 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1dbf648fa70b235773eb0351d67f55807ee78bf21c39d278b3cdd686502686
Instruction ID: adacea472a4ec26491275feb19b6c002608cf1943a0582be5f90cb2fe25fc09e
Opcode Fuzzy Hash: ef1dbf648fa70b235773eb0351d67f55807ee78bf21c39d278b3cdd686502686
Instruction Fuzzy Hash: D331BF31B002059FDF14DF68C884A8EFBF2FFC9650B14856AE445AB315DB70AD45CB94

Function 012E0C69 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809dec6472c525868bd87cfb276ee903f5ad82ee88ce8c0e5cd37632def127a1
Instruction ID: 2d2834e470fa056051e6067fa58855db6b38d7cce8671fecf9a2bae5512e3476
Opcode Fuzzy Hash: 809dec6472c525868bd87cfb276ee903f5ad82ee88ce8c0e5cd37632def127a1
Instruction Fuzzy Hash: DD316D74E10219DFCB10DBA8D088AEDBBF1FF48315F548069E459AB211D7B1A881CFA8

Function 012E8D61 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab45f14c48a69ffbca5d0015c00307e84b9ce46d12f09e7c837ce5026923ebb
Instruction ID: c3f45fdc972cb2b0cba76c4e16a40462c532fc31d3551b450bc60507cbad0f9d
Opcode Fuzzy Hash: 7ab45f14c48a69ffbca5d0015c00307e84b9ce46d12f09e7c837ce5026923ebb
Instruction Fuzzy Hash: 2D3114B8910209EFDB04CFA9C88969DBBF1FF89300F5484A5D115EB260DB75A944CF40

Function 012E8D70 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6654ce4a26ca25d8dab6735a85afa2c5d42c7cb7e8356db0c2307dd9128db4f
Instruction ID: 0a62af0cf9fea11d192174aafdc8685c972bdcb9194c320e9256ee394da3b0e7
Opcode Fuzzy Hash: b6654ce4a26ca25d8dab6735a85afa2c5d42c7cb7e8356db0c2307dd9128db4f
Instruction Fuzzy Hash: F93144B4D20209DFDB04CFA9C4896ADBBF5FB89300F5084A9D115EB320DB75A984CF40

Function 0104D048 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506570685.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_104d000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3bd63337ca7bdc789bb33166c8c4a96a71eb7f546f96cc475757ba7b1871b3b
Instruction ID: c188262c69ccfd17d08ba4daf2994c1306379a29db3a73e641b013cf7ab8528f
Opcode Fuzzy Hash: f3bd63337ca7bdc789bb33166c8c4a96a71eb7f546f96cc475757ba7b1871b3b
Instruction Fuzzy Hash: E42125B1504204EFDB15DF94D9C0B2ABBA5FB94714F24C5BDE9490B242C336D406CBA2

Function 012E0A38 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9f6cec76cc6fe9b845aafaec3c96b2fba4d9488c986f8ce8b1b5c7e97e010e
Instruction ID: 19297f899aaac1965e5bd9078a78315c21a23f38cb05ba5d4e1498b6c4906cb8
Opcode Fuzzy Hash: 7b9f6cec76cc6fe9b845aafaec3c96b2fba4d9488c986f8ce8b1b5c7e97e010e
Instruction Fuzzy Hash: E621BD71B003158FDF25DF69C84899EBBF5FF88210B504A2DE4D6AB295DB70A844CB60

Function 012EDEA8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1947a75ffe45d172e1e212eb40b5cb677b0ceafac3163258cad9c9d25cf1b7fb
Instruction ID: 002c825066bb805d8ec593478c602f7976090603bda6be69b54c85647bf82110
Opcode Fuzzy Hash: 1947a75ffe45d172e1e212eb40b5cb677b0ceafac3163258cad9c9d25cf1b7fb
Instruction Fuzzy Hash: 46112671D1420ECFDF04CFAAD4496EEBBFABB99300F14842AD504B3250DB755945CB90

Function 012EFDA8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af61c5c2263a96709684d47424eaec489d0e8f44c2eb2b750a672b0562fa0bb
Instruction ID: aa725defe73166a9b07237f9c61b41a2c8ebb33ab637230e10e0f1922da08647
Opcode Fuzzy Hash: 3af61c5c2263a96709684d47424eaec489d0e8f44c2eb2b750a672b0562fa0bb
Instruction Fuzzy Hash: B9116136310205CFCB6A6B28D51C97E3BE6EBC56617544069FA4ACB355DF3ADC02CB90

Function 0104D043 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506570685.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_104d000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f01e5f1659ed64de2dcc6f226e42ecfc18c18a3f275a02967475ac6a1a18fc9
Instruction ID: 2f41eeaa8d8f5d8cde092f2bddf4afc4745962371194146c4ba612dad83dc672
Opcode Fuzzy Hash: 2f01e5f1659ed64de2dcc6f226e42ecfc18c18a3f275a02967475ac6a1a18fc9
Instruction Fuzzy Hash: 9711D0B6504280DFCB12CF54D9C4B1ABFB2FB84314F24C6A9DC494B656C33AD45ACBA2

Function 012E0A27 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0510fd9cedd53e05cc7afa27c6c37002b66eaa93b5659ba3092a9730175fe0
Instruction ID: 8725b3ef0777c73f77268904c828fc1269eb58725a8a495caf05e2e708a1bfa8
Opcode Fuzzy Hash: 2f0510fd9cedd53e05cc7afa27c6c37002b66eaa93b5659ba3092a9730175fe0
Instruction Fuzzy Hash: BC11A931A043188FDB25CF69C8449DABBF4FF89310B0042AAE485EB212E770A908CF90

Function 0103D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506535006.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84cbe65a2e6fc5976e00ad7dc5280fb8db2f1a3957e4a690ac9497083bc7b06f
Instruction ID: 6fce8c4cac15b915830e89ca256b3656d291b1030fa1601d28ab6c19b8d7e079
Opcode Fuzzy Hash: 84cbe65a2e6fc5976e00ad7dc5280fb8db2f1a3957e4a690ac9497083bc7b06f
Instruction Fuzzy Hash: 3401297240D3809FD7128B658C94752BFA8EF53664F1984DBE9888F2A3C2699C45CB72

Function 0103D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506535006.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101e8e3c693e21b5342f83214de5e53262ac0f549ea27935257931effd1237a2
Instruction ID: 2580aff3d21fd96617b753a11b8d6c36ecf59e01ddaf0b4ec651b31991de3af3
Opcode Fuzzy Hash: 101e8e3c693e21b5342f83214de5e53262ac0f549ea27935257931effd1237a2
Instruction Fuzzy Hash: 2401F771404304ABE7104AAAD880B67FFDCEFC1AA0F48C059FD890A283C379D805CBB2

Function 012E09A7 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f5e6b9f9df8fbda7c26d3e7f745bf4bd80fe8cd605e16a1dc92b9a418c726d
Instruction ID: 3dc6763c2b85a1de71ba4844d9ff45a189786ab795fb6c8da3719be2c108e682
Opcode Fuzzy Hash: 95f5e6b9f9df8fbda7c26d3e7f745bf4bd80fe8cd605e16a1dc92b9a418c726d
Instruction Fuzzy Hash: A9F0C272A2020D9BDF14DB70C4A9AEFBBF69B49300F45856AD502FB280DEB55906C7D1

Function 012E8F70 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd849b5d3fc0aebffb5855787642fe5102a555e17ff9cff2396fcb7463edcc2
Instruction ID: b976edca7dee879b47acf8fb1fe0e9d53a41cfda158b81b062337dcb80ed87eb
Opcode Fuzzy Hash: 8fd849b5d3fc0aebffb5855787642fe5102a555e17ff9cff2396fcb7463edcc2
Instruction Fuzzy Hash: 8B01ADB0A54285EFCB54CBB8C58999DBBF5EF46311F2482D8D155AF3A2CB365901CB01

Function 012E8F18 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0fbab4fd9986c975f53fd24da70fa41d74be542213497de2f58ed7f678d115
Instruction ID: b8cee6568c65e3fd0fc9e8199ae7c751c9932fe547661959955547e312f2cfd6
Opcode Fuzzy Hash: ba0fbab4fd9986c975f53fd24da70fa41d74be542213497de2f58ed7f678d115
Instruction Fuzzy Hash: E6F02770958344CFD751C7B8A2483A93FF09B03302F8404EED2846B142D6360800D301

Function 012EDC90 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cf35d3faff8ed1b906e6057aaec6d3c3887dc512d48546b334ad7f21ba6fd4
Instruction ID: f530fade9dbfab7704934a231067c9d0baa4cfbf1f2b1ac48a852480b71f154c
Opcode Fuzzy Hash: a0cf35d3faff8ed1b906e6057aaec6d3c3887dc512d48546b334ad7f21ba6fd4
Instruction Fuzzy Hash: B1F03974D0420CEFCB84DFA8C544A9CFBF4EB49300F10C1AAAC18A3300D6729A51DF40

Function 012E8F28 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f88c1a40c33b8215cdb362a6e1e6dc832b3846a86efde0e7be73c5b9bd505932
Instruction ID: c3e07fe252e920618819a68e4523e9f92ec0eebacd8e04632e7019c0d215dc6f
Opcode Fuzzy Hash: f88c1a40c33b8215cdb362a6e1e6dc832b3846a86efde0e7be73c5b9bd505932
Instruction Fuzzy Hash: 24E0D8B0959348DFD711DBA4A2487A87FFDD703301F8048D9E38877241D7761904D305

Function 012EE138 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec2efebdacb78b94a36639dc2c06342f499eedf6eb59a64cb5975ac632f8aea
Instruction ID: 43f9c1272214faf84b4b8fd7643090dac709038ed13af33d5af255b47be66b17
Opcode Fuzzy Hash: 0ec2efebdacb78b94a36639dc2c06342f499eedf6eb59a64cb5975ac632f8aea
Instruction Fuzzy Hash: ECE026B5908208EFCB04CF94D940AACBFF8AB46300F10C0ADD84857341C6329E45DB90

Function 012E0820 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ee3b5a70685ca368dc273430da25b66243219d1a332b1edd3180fca57e3d6e
Instruction ID: 94e8611920fea5413ed5145ca70688cddb7e2df69d7b468eb16decbfd871546f
Opcode Fuzzy Hash: c5ee3b5a70685ca368dc273430da25b66243219d1a332b1edd3180fca57e3d6e
Instruction Fuzzy Hash: 28E0866250A3902FDB129B38A9E42D43F606F82108B1900CED0C09E052D51A408AC34A

Function 012ECC30 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47f26aac0c39b8a91d457b796e26eb4a951803213be27b4d4829d660f00d651
Instruction ID: 2aaef03d1cf65a4ab216f1441d021715b64218fe32781db6a2baeda703798bf8
Opcode Fuzzy Hash: b47f26aac0c39b8a91d457b796e26eb4a951803213be27b4d4829d660f00d651
Instruction Fuzzy Hash: 6AE08C72400208EFDB14EFF8D50578E7BFCAB06201F0045A9A50997140EA324A14D792

Function 012ECA98 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7da4450cbb632d882321c82684abe41ff210cf8df6c35f72894cb6de5b9213
Instruction ID: 80fad08bd0564c37b941dacf5b479acf536c314e8cb2f1bb8d84956b9511e14d
Opcode Fuzzy Hash: 0c7da4450cbb632d882321c82684abe41ff210cf8df6c35f72894cb6de5b9213
Instruction Fuzzy Hash: 50C08CB20903048BEB647BE4A60D3287FDC1B0220AF840508D60C151808E658054C22A

Function 012E8E9E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded99aa46d171bc9bbdbcd3f2068a65bfdf01197c9f89d0c612b1603fd74139c
Instruction ID: 01b9a4b9f06b8f843563da002d97e150496ab37b71ccee8adf4fcf5708f600d9
Opcode Fuzzy Hash: ded99aa46d171bc9bbdbcd3f2068a65bfdf01197c9f89d0c612b1603fd74139c
Instruction Fuzzy Hash: 8BA011300FE20C8ACBB022082E8E0B23BCCAA8B32A3082A80B80E0A0000A2000088208

Non-executed Functions

Function 012E9150 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

%, xrefs: 012EBA08

Memory Dump Source

Source File: 00000000.00000002.1506816968.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e0000_tJzfnaqOxj.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 1244194f30339f4a28aac5f74fe79dcea3589f543a4a86403fe2a1a23493286b
Instruction ID: 1de2ef318a831c60463b137a35635496a60e3774a50b8c612601e84214611aad
Opcode Fuzzy Hash: 1244194f30339f4a28aac5f74fe79dcea3589f543a4a86403fe2a1a23493286b
Instruction Fuzzy Hash: 8171D6B0D15228CFEB68CF6AC8497D9FAF6BB89304F54C0EAD50DA6254DB740A81CF51

Analysis Process: InstallUtil.exePID: 3428, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	16.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	40%
Total number of Nodes:	30
Total number of Limit Nodes:	0

Executed Functions

Function 06D27D90 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6ff14c416423d6229bebadad4eadda28112aac1dac17a7e6bc9e5950be7503
Instruction ID: 1560d03a67d0a7a53cf68275983e3ce0bdec018ae7bd22175050a01ce10ee081
Opcode Fuzzy Hash: 2b6ff14c416423d6229bebadad4eadda28112aac1dac17a7e6bc9e5950be7503
Instruction Fuzzy Hash: F4F11574E00229CFDB64DFA9D884B9DFBB2BF88304F1481A9D848AB355DB749985CF50

Function 01839868 Relevance: .9, Instructions: 860COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9329835f15c1dc35004754ecc10beda14796f3ce37736f18b486d23ff1903d93
Instruction ID: 0a9f7e62949df8b8a66c75b6c8236c3bece2da93046cbd0aaa184ea1b42896a0
Opcode Fuzzy Hash: 9329835f15c1dc35004754ecc10beda14796f3ce37736f18b486d23ff1903d93
Instruction Fuzzy Hash: AC726271A00609DFCB19CF68C984AAEBBF2FF88314F198559E446DB261D774EE41CB90

Function 06D511A0 Relevance: .7, Instructions: 745
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2bd79d52520f34efb1bd3c3cfb89d8dda7ce54c2d6f6ae5c3992154d3e4609
Instruction ID: bcee81866e1a9aa1a0307a31f392c6d062037a287d324a7f20172e9bddceaf4a
Opcode Fuzzy Hash: ee2bd79d52520f34efb1bd3c3cfb89d8dda7ce54c2d6f6ae5c3992154d3e4609
Instruction Fuzzy Hash: CA827F74E012288FDB64DF69DD94BDDBBB2BB89300F1481EA980DA7260DB345E85CF45

Function 0183F017 Relevance: .7, Instructions: 716
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d871943011b5ccb611939434a0ef5099903e106d484c2068bfe33b0f424f1681
Instruction ID: c49117ae55409c4f19dbf3f4c93f5ec8405adb67bff30d35aa93174cd197c7cc
Opcode Fuzzy Hash: d871943011b5ccb611939434a0ef5099903e106d484c2068bfe33b0f424f1681
Instruction Fuzzy Hash: 0272CF74E01229CFDB65DF69C984BEDBBB2BB89300F1481E9D508A7251DB349E81CF91

Function 01836120 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac8266550a2dfe1ef751046af64999d41bfd0ef15cf3efd5b31fa901bec407f
Instruction ID: 26896520dd3744f0b9ff022f7e673d1b60e95f27fa49070a44a3b0e8ab9010c2
Opcode Fuzzy Hash: 5ac8266550a2dfe1ef751046af64999d41bfd0ef15cf3efd5b31fa901bec407f
Instruction Fuzzy Hash: 90125D70A002199FDB15DFA9D894BAEBBF6BFC8300F248569E405DB355EB34DA41CB90

Function 01836748 Relevance: .5, Instructions: 452
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58b7edaacf0de93ae58ea6bdce851df58f2f0d92fea91f961f4ba5c3b267b528
Instruction ID: 508c080beac00384c627da00acc1b862f575d94a34dac5b4a6da974ac31790cf
Opcode Fuzzy Hash: 58b7edaacf0de93ae58ea6bdce851df58f2f0d92fea91f961f4ba5c3b267b528
Instruction Fuzzy Hash: E4024170A00209EFDB15CF6DC944AADBBB2FF89314F298059E815EB261E734DE41CB90

Function 01833573 Relevance: .4, Instructions: 429
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede0e579bc6517e03cbb340448646937d57cd6ad88b330fae0489d94cd3f8db7
Instruction ID: a8c7bd489304fcdba8533437f9ed98bd5b69975e52610e80075a6caf0837238a
Opcode Fuzzy Hash: ede0e579bc6517e03cbb340448646937d57cd6ad88b330fae0489d94cd3f8db7
Instruction Fuzzy Hash: 35F16D34E01348CFDB18DFB9D4545AEBBB2BF89710B18856AE806EB354CB359D02CB91

Function 0183B338 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0ff7ea21f131912bbdf5d089bb587181b2041d31554f300407c4c1f1cfaa06
Instruction ID: a4ef93daf6559103da53fa208e69b85036b7bac16414f80199aa8257424d6539
Opcode Fuzzy Hash: 5d0ff7ea21f131912bbdf5d089bb587181b2041d31554f300407c4c1f1cfaa06
Instruction Fuzzy Hash: 53E1FB75A00218CFDB15CFA9D884A9DBBB1FF89310F198069D819EB361DB309D41CF95

Function 06D58608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6321855b5c950c3f34b9c3ee6d2e35a6785baee006ee6932655dd3adb0b179b
Instruction ID: 6b082771a196d640f1edcc3360f94a3ab5a91aabb9425726ec9f29dfbe368c7f
Opcode Fuzzy Hash: a6321855b5c950c3f34b9c3ee6d2e35a6785baee006ee6932655dd3adb0b179b
Instruction Fuzzy Hash: 6BE1CF74E01218CFEB64DFA9D944B9DBBB2FF89304F2081A9D819A7394DB355A81CF50

Function 06D50498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f3af705bfd5af9fe479f10e6362b2bc775dcbf07466da8b61ec291b9a1d0e4
Instruction ID: 6debaaa0de45dc406ba5e65820dd7aafd48f7458a109e9eb636d29759c125506
Opcode Fuzzy Hash: d9f3af705bfd5af9fe479f10e6362b2bc775dcbf07466da8b61ec291b9a1d0e4
Instruction Fuzzy Hash: EEC1AF74E00218CFDB54DFA9D944BADBBB2EF89304F2481A9D819AB354DB359E81CF50

Function 06D20040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a609097571055beed30e22d2ce0b179603dc904c23f4baac351624732961b273
Instruction ID: 353850a7e8fd925500cd6177922b4d95446d38960625b4d0ee8a94c76bd5c39f
Opcode Fuzzy Hash: a609097571055beed30e22d2ce0b179603dc904c23f4baac351624732961b273
Instruction Fuzzy Hash: 5FC1BF74E00218CFDB54DFA9D954BADBBB2FB89305F2081A9D809A7354DB355E81CF50

Function 06D211C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b61e13ee0b41579ad2c28924843f05013a24a6d446117d9b85b5392b0bb3e9e
Instruction ID: a7109ca799d403e65020f1e42fd571b082eda951d6c3195bc3a3ee1b359fcba4
Opcode Fuzzy Hash: 8b61e13ee0b41579ad2c28924843f05013a24a6d446117d9b85b5392b0bb3e9e
Instruction Fuzzy Hash: 8EC1BE74E00218CFDB64DFA9D954BADBBB2FB89304F2081A9D809A7354DB359E81CF50

Function 06D21620 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4df9cbad12420eaf8706f1c5543e5efc21f8c7025c5d1f27c65149a322e5406
Instruction ID: d5aa2a978da22bc682ac6396e15fb0d4d6d89bb7d93491651d9785f404690053
Opcode Fuzzy Hash: f4df9cbad12420eaf8706f1c5543e5efc21f8c7025c5d1f27c65149a322e5406
Instruction Fuzzy Hash: 7DA11470D00219CFEB24DFA9D888BDDBBB1FF88305F208269E518A7291DB749985CF55

Function 06D5B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4cbbd488a94dd2e2ee8a74ceece50d669a2c860b2df758252559d9e6787de1b
Instruction ID: 6ec40f656b84cb1f78529f3f14f5f3faa8d45761d48060b8a16d2ff421046e06
Opcode Fuzzy Hash: e4cbbd488a94dd2e2ee8a74ceece50d669a2c860b2df758252559d9e6787de1b
Instruction Fuzzy Hash: 4CA1A270E012188FEB68CF6AD944B9DBBF2BF89300F14D0AAD809B7254DB745A85CF51

Function 06D5D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce6c57a9da539700fa305c878a4a3858532b928e414a9334b37cba7c8bc58bb
Instruction ID: 338d47301322a4b2db58f0df0b2c4c594cbd81c0125dc10bd6094e627887bfc4
Opcode Fuzzy Hash: 3ce6c57a9da539700fa305c878a4a3858532b928e414a9334b37cba7c8bc58bb
Instruction Fuzzy Hash: 81A1A270E012188FEB68CF6AD944B9DBBF2BF89300F14D0AAD409A7254DB745A85CF65

Function 06D5C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cacef68ede7e36bfb2947e6663227eba6b272a3dd7ff11369f6a49b243a83ca6
Instruction ID: 0c332b6d5e6185c626179049b3f9362401bb71e3e15f2ae5397c85978b037998
Opcode Fuzzy Hash: cacef68ede7e36bfb2947e6663227eba6b272a3dd7ff11369f6a49b243a83ca6
Instruction Fuzzy Hash: 20A194B5E012188FEB68CF6AD944B9DBBF2AF89300F15C0AAD409B7254DB745A85CF50

Function 06D5A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfb20ca11fdc213de9136b04dfbce0e60134deedeb87ea3c61d414a2a7847cd
Instruction ID: 9d47e576e9869e18cdd16cd51685b8a062e6279b82f36ff084998974e89cc18a
Opcode Fuzzy Hash: bcfb20ca11fdc213de9136b04dfbce0e60134deedeb87ea3c61d414a2a7847cd
Instruction Fuzzy Hash: BBA1B470E012288FEB68CF6AD944B9DBBF2BF89300F14C1AAD40CA7254DB345A85CF50

Function 06D5C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d885f9a4175666c82a55aa9d525f78a1c4630bbbfca0934a16082cba09090b
Instruction ID: 9a7cd34bb3eda39505d308726331bc40bac5797f77301721bc38790ff9b7acab
Opcode Fuzzy Hash: 93d885f9a4175666c82a55aa9d525f78a1c4630bbbfca0934a16082cba09090b
Instruction Fuzzy Hash: 83A1A271E012188FEB68CF6AD944B9DBBF2AF89300F14C0AAD809B7254DB745A85CF54

Function 06D5BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf153c50d5985f64a69b8c2ef74d861bb3a17a6efd7a998bdffe4861b5e128a
Instruction ID: 0acd4c7b4a0ea7a70acdcbb671cb4cb58d1613476acd24d04dc3854045d5bdf4
Opcode Fuzzy Hash: ebf153c50d5985f64a69b8c2ef74d861bb3a17a6efd7a998bdffe4861b5e128a
Instruction Fuzzy Hash: 0CA1A274E012188FEB68CF6AD944B9DBBF2BF89300F14C0AAD809A7254DB345A85CF50

Function 06D5AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af4d89ad2c27796b64d033998f5890fb9f6e4850fc2711e1469568550943b72
Instruction ID: 467df25c512ae26b819843889206e042de08759ee3a9f2ad84ee24a5bfb312f9
Opcode Fuzzy Hash: 6af4d89ad2c27796b64d033998f5890fb9f6e4850fc2711e1469568550943b72
Instruction Fuzzy Hash: 6FA1A574E012288FEB68CF6AD944B9DBBF2AF89300F14C1AAD409B7254DB745A85CF50

Function 06D5B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0acfbac5e6184ad8efc92d262cf9be646fcb99bc54311bf320958942c8647e39
Instruction ID: 7897f6f008de8842c95a8f0d3a9fc026e4a41a99073ae57c8f1f15e28b78724e
Opcode Fuzzy Hash: 0acfbac5e6184ad8efc92d262cf9be646fcb99bc54311bf320958942c8647e39
Instruction Fuzzy Hash: 3FA19171E012188FEB68CF6AD944B9DBBF2AF89300F14C1AAD809B7254DB745A85CF50

Function 06D5D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b123f7a86bbc4055c36ae1df3b4a18764d4c5adbdfe1343575cffc79f75c3fd
Instruction ID: 77c97d6a274a64e346417ea134c23e8b7f65a82db96ae6971df106845c173796
Opcode Fuzzy Hash: 6b123f7a86bbc4055c36ae1df3b4a18764d4c5adbdfe1343575cffc79f75c3fd
Instruction Fuzzy Hash: 93A19471E012188FEB68CF6AD944B9DBBF2AF89300F14C0AAD40CB7254DB745A85CF65

Function 06D21966 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcae6c30474c2d6a40b53c5c43179431a96e5d0d518428af7aa146cbf81d59df
Instruction ID: 62530357e974bb22181c9632c8bf6f92f03b51b6daea1fc92e814cbc48327908
Opcode Fuzzy Hash: dcae6c30474c2d6a40b53c5c43179431a96e5d0d518428af7aa146cbf81d59df
Instruction Fuzzy Hash: 5591F270D00219CFEB24DFA8C888BDCBBB1FF89315F208269E549A7291DB749985CF55

Function 0183C763 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3652585bf982fbe16176d8dfca116789f5dcdd37a83dfe53cfa86fc9b368d99a
Instruction ID: 8079fd1dcc121430c266ca317bd16d580b65d61e71e8981ed0f348c8321c39f3
Opcode Fuzzy Hash: 3652585bf982fbe16176d8dfca116789f5dcdd37a83dfe53cfa86fc9b368d99a
Instruction Fuzzy Hash: F8819174E00218CFEB18DFAAD884A9DBBF2BF89310F15806AD809BB365DB345941CF51

Function 018346D9 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f809a796ea32aefc360c9888d65572a9ab7207600b86c35804f15cef7943d8
Instruction ID: 9b861b04ead470672531638aff5d5f33545d8cbef7406993ad6b3bfff7ee1af4
Opcode Fuzzy Hash: 98f809a796ea32aefc360c9888d65572a9ab7207600b86c35804f15cef7943d8
Instruction Fuzzy Hash: 9E81A174E00258DFEB18DFAAD884A9DBBF2FF89300F1480A9D819AB365DB345941CF51

Function 06D58C51 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 077a5dbe82ace3e0d4a4936eac18b3c37fd0d5ad1762afeba82f1879501591be
Instruction ID: d08f773a5d339e8ac8b93d5ce9aee6b0544dec429e9910a5336e688195eea0cd
Opcode Fuzzy Hash: 077a5dbe82ace3e0d4a4936eac18b3c37fd0d5ad1762afeba82f1879501591be
Instruction Fuzzy Hash: CB81B170E01218CFEF58DFAAD9447ADBBF2BF89300F20816AD819AB254DB355945CF40

Function 0183B7E7 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc8f853e25f77a3babe272b52564243531b3d8abd30ada35b7ab724cf8b2d29
Instruction ID: 830f571ac6b6384c26d40c380293262f9f06c30b95350a840e0a1a816c573cc4
Opcode Fuzzy Hash: 2bc8f853e25f77a3babe272b52564243531b3d8abd30ada35b7ab724cf8b2d29
Instruction Fuzzy Hash: 978183B4E00218DFDB14DFAAD884A9DBBF2BF89301F15C06AD819AB365DB345941CF51

Function 0183BAC0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265087d28fe3b99e7d3c4a824a45d2e78faf8d43bb4e3e058aa63f0058cf2f14
Instruction ID: ef5384183c06cdedb186cab12e7c3d3eeae6a4b91b7b7a4ba02898e37eadef09
Opcode Fuzzy Hash: 265087d28fe3b99e7d3c4a824a45d2e78faf8d43bb4e3e058aa63f0058cf2f14
Instruction Fuzzy Hash: 738183B4E00218CFEB24DFAAD984A9DBBF2BF89301F148069D419EB365DB345942DF51

Function 0183BDA3 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec90c57bc050561107e437e8b56be4b61964fe995786876f54ccff597c1202e7
Instruction ID: 908e92f72764e3e3c48a81071b24adb14984693fbe6488b604b5dcdc4f997159
Opcode Fuzzy Hash: ec90c57bc050561107e437e8b56be4b61964fe995786876f54ccff597c1202e7
Instruction Fuzzy Hash: B4819374E00218CFEB18DFAAD984A9DBBF2BF89300F14D069E819AB365DB355941CF51

Function 0183CA43 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb0a0a7e11e3406ec5cd6e0ee26530d4dceaf9447b1ac63325b811876fc3f4d
Instruction ID: 45ef5dfd94095bd6b838da7ede2aa6693266b3d8dfd3c053f9372efde6c90ec5
Opcode Fuzzy Hash: ceb0a0a7e11e3406ec5cd6e0ee26530d4dceaf9447b1ac63325b811876fc3f4d
Instruction Fuzzy Hash: 5E817274E00218CFDB18DFAAD984A9DBBB2BF89300F14806AD819AB365DB345941DF51

Function 0183C457 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e367474b2c2036a061a3e32f8a9c648d040c6af3fb008e774e34f3f8f33ef33
Instruction ID: d4fecda77476f92b757c227ad665eff24fb8c9edf526de5f8ff1b0ae5fc5ed4c
Opcode Fuzzy Hash: 0e367474b2c2036a061a3e32f8a9c648d040c6af3fb008e774e34f3f8f33ef33
Instruction Fuzzy Hash: 92819274E01218CFDB14DFAAD884A9DBBB2BF89300F14D06AE809BB365DB349941DF51

Function 06D51191 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143c361f87bbee5dc7040a89faa8c43df0832c3ab523ee0fc96bc1a3234d7a41
Instruction ID: 3abac97379a20b5c51e3e9ea1b682fe661f5d6d113134cf9addc2769f711eb7d
Opcode Fuzzy Hash: 143c361f87bbee5dc7040a89faa8c43df0832c3ab523ee0fc96bc1a3234d7a41
Instruction Fuzzy Hash: 9981C274E422288FDB64DF29D954BEDBBB2BF89300F1081EAD849A7250DB315E81CF44

Function 06D5AA48 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c44dfe9dfa8ff7364341c9da69a293830fc6241fedf3e670bf7182f8750b764
Instruction ID: 45e00a2649f973194bc20aa6f5336c5c03d59ebe4de6312b4ec9febaa74d6eb8
Opcode Fuzzy Hash: 6c44dfe9dfa8ff7364341c9da69a293830fc6241fedf3e670bf7182f8750b764
Instruction Fuzzy Hash: D6719771E006289FEB68CF6AD944B9DFBF2AF89300F14C1AAD40DA7254DB344A85CF51

Function 06D5D018 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b68e1977d7f45a86225dd277d97f33968d91a0d9bfde27e8e1ceee930a7fa9
Instruction ID: f05545b342e80ee879b132067b1c7b6bb48239af8a3cb869045eb11bae8e3009
Opcode Fuzzy Hash: 43b68e1977d7f45a86225dd277d97f33968d91a0d9bfde27e8e1ceee930a7fa9
Instruction Fuzzy Hash: 04718571E016188FEB68CF6AD944B9DFBF2AF89300F14C1AAD40DA7254DB344A85CF65

Function 06D5B09A Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641ae1ec11c249310e0fdef06b21b3a466e449642d8be3a8ba02ea5c41a1213f
Instruction ID: e4603769bf067e9ae881cd64e7e0d56fd2d86dba1dd88a889e3b7c390090f796
Opcode Fuzzy Hash: 641ae1ec11c249310e0fdef06b21b3a466e449642d8be3a8ba02ea5c41a1213f
Instruction Fuzzy Hash: 8B7184B1E00618CFEB68CF6AD954B9DFAF2AF89300F14C1AAD40DA7254DB345A85CF51

Function 0183C480 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226692616bf31f26c9c02a91a8daf27130a645ce1b60882e77af13b2587ef39f
Instruction ID: 9aa769cdf46b594cc795c4d5d589e0ba36737dc3ac8f434f2e25a4fd4d0ee462
Opcode Fuzzy Hash: 226692616bf31f26c9c02a91a8daf27130a645ce1b60882e77af13b2587ef39f
Instruction Fuzzy Hash: 2661D674E002588FEB18CFAAD984A9DBBF2BF89310F14806AD419BB365DB345941CF51

Function 0183B503 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ffeb72945b1bd060056b3de61dfe0fa7a726f8e30b8834d502af8dd388265f
Instruction ID: e02eda5e33fb57a42ce1677f44665ddde98773342c50968bef55884b9322736f
Opcode Fuzzy Hash: 22ffeb72945b1bd060056b3de61dfe0fa7a726f8e30b8834d502af8dd388265f
Instruction Fuzzy Hash: 266195B4E002189FEB18DFAAD984A9DBBF2FF89300F14C06AD419AB365DB345941DF51

Function 06D5C9C8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827830b89f1970659adc6ee2867e9e3604960efafe365f5515d0a9b8b052f80c
Instruction ID: ddbd1847e05c92161160d707aa2ee5a227da1e613a3b11726261fd01c0abc60c
Opcode Fuzzy Hash: 827830b89f1970659adc6ee2867e9e3604960efafe365f5515d0a9b8b052f80c
Instruction Fuzzy Hash: 7B4198B1E016188BEB58CF6BDD447D9FAF3AFC9314F04C1AAC50CA6264DB350A868F55

Function 06D5C378 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a9ed72b8842acae92d54738ef9b85f23b1cc8db733e4defaf8f5ecae68c4b8
Instruction ID: 23154790b9772268ead78071fce74ae7dcc7563558f2015605ea77fe10b44680
Opcode Fuzzy Hash: f2a9ed72b8842acae92d54738ef9b85f23b1cc8db733e4defaf8f5ecae68c4b8
Instruction Fuzzy Hash: 72419A71D016188FEB58CF6BCD44789FAF3AFC9204F04C1AAC40CAA255DB750A868F55

Function 06D58603 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe0de92462adb3c7124f456cf1d19585c620d44e57073efbc43a1eea98e0099
Instruction ID: fcb41c15fc38dba2ebbe4005e8f75cdd129ba366cb34e22c126192bbba0de4f6
Opcode Fuzzy Hash: cfe0de92462adb3c7124f456cf1d19585c620d44e57073efbc43a1eea98e0099
Instruction Fuzzy Hash: 4041D3B1D002188BEB68DFAAD8547DEBBB2AF88300F14C16AC418BB254DB754945CF54

Function 06D5A3F8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6891cec3cb39666462544c73e573724060296f83efc78f0a6b1a6f6751a7c9
Instruction ID: 5b55f887c4ef8f509007ed0fae642ea7a6092f039ffeaf859502470adb286e1b
Opcode Fuzzy Hash: 2b6891cec3cb39666462544c73e573724060296f83efc78f0a6b1a6f6751a7c9
Instruction Fuzzy Hash: C2419CB1E016188BEB58CF6BC9457DAFAF3AFC9310F14C1AAD50CA6254DB340A858F51

Function 06D5BD28 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c58dcf68d556c904c2569937a7bb168c19fd348eb458a99ad8844755d8d40cf
Instruction ID: 2f6107aa103299781546d94baf632fe99bbed33a16c2fe465c6f0b681154873b
Opcode Fuzzy Hash: 4c58dcf68d556c904c2569937a7bb168c19fd348eb458a99ad8844755d8d40cf
Instruction Fuzzy Hash: 0C416971E016188FEB58CF6BD9457C9FAF3AFC9300F14C1AAC50CA6264DB750A858F55

Function 06D5D661 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b84f4ea65da52a3e58d98cab5ed51962394f7ed638e4e74a6b2fce9cdc3fb8
Instruction ID: 9a8c0f1eb910b2d26ed0142837feaac390181e64860894f3647fdec4c108b210
Opcode Fuzzy Hash: 30b84f4ea65da52a3e58d98cab5ed51962394f7ed638e4e74a6b2fce9cdc3fb8
Instruction Fuzzy Hash: F94177B1E016188FEB58CF6BC9457CAFAF3AFC9300F04C1AAC50CA6264DB750A858F55

Function 06D5B6D9 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db0fc95156acb5faf46e15bba18a9c01b8d6a5c02ca7dbda9cdcb4bf05fdddf
Instruction ID: 88933b121dec48084d161c6b56f7f8dc0257fe935eae1f6dcfe10c933fef131d
Opcode Fuzzy Hash: 1db0fc95156acb5faf46e15bba18a9c01b8d6a5c02ca7dbda9cdcb4bf05fdddf
Instruction Fuzzy Hash: 3A4177B1E016188FEB58CF6BC9447CAFAF3AFC9310F14C1AAC40CA6264DB750A858F55

Function 06D50488 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5122bc84cfde5367349296216bd0ad28c7894eddb899b6597c227190d7ac69
Instruction ID: 757632be8d49dc06bde5c7443b557274a6b1b2c5d3a467bc30bde1f32fa402cd
Opcode Fuzzy Hash: 8a5122bc84cfde5367349296216bd0ad28c7894eddb899b6597c227190d7ac69
Instruction Fuzzy Hash: 8741E370D01248CBEB58DFA6D9546AEBBF2EF89300F24D129C815AB254DB354946CF94

Function 06D28174 Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06D282B6

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 05b1479611a5a9a6114640c207b3cdcd76da612ac8312c690feeb4218975373e
Instruction ID: 3cc0d66e6b995776bf94464452d0c09b7f946f8bce1dd22c4668c96a82c6457e
Opcode Fuzzy Hash: 05b1479611a5a9a6114640c207b3cdcd76da612ac8312c690feeb4218975373e
Instruction Fuzzy Hash: DD11AFB4E0122A8FEB54DBA8D484AADBBF5FF98309F148118E844E7241D770DD05DBA0

Function 06D59999 Relevance: 1.3, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xS, xrefs: 06D599BA

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID: xS
API String ID: 0-110539814
Opcode ID: 09a60bb5a29d0e4f7844d0ab4ee604e304f8774614810c748d8ee41bea390939
Instruction ID: 40e7da2381e8c7ced2577cb0bceb8be13842b9d736bbfc312ee4ade308c28b08
Opcode Fuzzy Hash: 09a60bb5a29d0e4f7844d0ab4ee604e304f8774614810c748d8ee41bea390939
Instruction Fuzzy Hash: 431123B6800389EFDB10CF9AC845BDEBFF5EB48320F158419E918AB650C339A550DFA5

Function 06D59328 Relevance: 1.3, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xS, xrefs: 06D599BA

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID: xS
API String ID: 0-110539814
Opcode ID: f04cd62a46ca5cc98585eee51562b50c2941a8cc41e9b917a347c3c8c5ba48f2
Instruction ID: e739c8aecddefd8642b75f29e1bc78c8eda848938dd752b32ae974476d8c6fbb
Opcode Fuzzy Hash: f04cd62a46ca5cc98585eee51562b50c2941a8cc41e9b917a347c3c8c5ba48f2
Instruction Fuzzy Hash: 141137B680038DEFDB10CF99C844BDEBBF5EB48320F158419E914A7611C379A550DFA5

Function 01837808 Relevance: .7, Instructions: 702
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8d92feef13aeeed114f1d204e5b57c0ff0cfe064d4b5bc60e586132a36e93d
Instruction ID: 5390112ff6460344aac18a36e24df6b88e3d78568c9b750e6b2938baea3bcbb7
Opcode Fuzzy Hash: 1f8d92feef13aeeed114f1d204e5b57c0ff0cfe064d4b5bc60e586132a36e93d
Instruction Fuzzy Hash: 36523E34A0021D8FEB14DBE9C850BAEBB72FB99301F1085A9D10AAB365CF355E85DF51

Function 01832150 Relevance: .7, Instructions: 653
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f182256ce277a2ce86d1d8aafe98a473de0a5477c6ea04021156d337e06de1c9
Instruction ID: 195df8418030e6c5ca6ffb0936f50c09b69fd2e5e74873c7c80df26b9a6080aa
Opcode Fuzzy Hash: f182256ce277a2ce86d1d8aafe98a473de0a5477c6ea04021156d337e06de1c9
Instruction Fuzzy Hash: BC52B673C01702CBCB564FB889E81A47B70AF56338B68439ED4B4D95EAE7355B42CB81

Function 01836E70 Relevance: .5, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4ecd63b1cb21c667d19ecd626386623610d2829cb2585fb794330d490d4489
Instruction ID: d9683e4df5e47769a2d6a9ddcf13aa80d12accfc43081784cef761dc9919cd7c
Opcode Fuzzy Hash: 9a4ecd63b1cb21c667d19ecd626386623610d2829cb2585fb794330d490d4489
Instruction Fuzzy Hash: 36126E70A00209DFDB15DFA8D984A9EBBF2BF89314F188559E906DB361D730EE41CB90

Function 0183A828 Relevance: .4, Instructions: 412
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5b932b985d93ced342a69e113681e068582512b1094036020902805f349d4c
Instruction ID: aba5e875ba93f9adf05c6a3340fff5c3a4ef2bd957a3ab816e1c52d2f3858110
Opcode Fuzzy Hash: 6d5b932b985d93ced342a69e113681e068582512b1094036020902805f349d4c
Instruction Fuzzy Hash: 06F14B75A002148FCB19CF6CD984AADBBF6FF88310B1A8459E555EB361CB35ED42CB90

Function 01830C8F Relevance: .4, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe5b0d0e9becf7e4b2945eb8b43c151984d06d5e499dfe4603f9e0358997e01
Instruction ID: b586d8c5255b667d33d973eaa2b9ac2b137b155f2777ca06991dd6978b557059
Opcode Fuzzy Hash: efe5b0d0e9becf7e4b2945eb8b43c151984d06d5e499dfe4603f9e0358997e01
Instruction Fuzzy Hash: B822A474A11219CFCB54EF68E888ADDBBB2FF88701F1086AAD809A7354DB345D45CF91

Function 01830CA0 Relevance: .4, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39b8e8b3cceb58ac54eb8092deb9221a03452901567f1501c555401aecdc586
Instruction ID: cfcae121da91c5811a5c1378ec7848dc7e3fac20ac3cb2aa9eb0aecb24e53f64
Opcode Fuzzy Hash: a39b8e8b3cceb58ac54eb8092deb9221a03452901567f1501c555401aecdc586
Instruction Fuzzy Hash: 4222A474A11219CFCB54EF68E888ADDBBB1FF88701F1086AAD809A7354DB346D45CF91

Function 01838801 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2f6cc04fd77575e5ba165a19417b00f9bb515c3c74b7f8eab5e04f308804c5
Instruction ID: acee069c1515fc86cb2c840535d5a56bc5f9cc96150833ed64f23f284514ee8f
Opcode Fuzzy Hash: 8a2f6cc04fd77575e5ba165a19417b00f9bb515c3c74b7f8eab5e04f308804c5
Instruction Fuzzy Hash: 4FB140703051068FEB2A9B2DD4547393AA6EFC6704F1D05A6F552CF3B6DA29CE4287C2

Function 018356B0 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583c142288491a1b95cbdfcbdd5aa20e1887179aeddaa45ea171e867357e1c39
Instruction ID: 46fd2e0fbbebd4fb48d371238b1f23a9657657e308be087d96b9e744f0a4ad22
Opcode Fuzzy Hash: 583c142288491a1b95cbdfcbdd5aa20e1887179aeddaa45ea171e867357e1c39
Instruction Fuzzy Hash: DC91C1317052488FDB169F68D898B6E7BE2BBC8304F188469E846CB395CF389D41CBD1

Function 06D523E0 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfa2571e9d862c38c75dfc48b7bc9b4f7bc9644a28a562bbb84cc163b900f5e
Instruction ID: bc8a81575068118a8eafb745398e3ed1e53c23f13de43aaf9f532eef57164216
Opcode Fuzzy Hash: 6dfa2571e9d862c38c75dfc48b7bc9b4f7bc9644a28a562bbb84cc163b900f5e
Instruction Fuzzy Hash: 4781BF31B002068FCB58DF78D854A6E77F6AF88710B1685AAE806DB3A1DB31DD05CB91

Function 01835C10 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86aceb7ce21c7b91bf0dcaa4d0ad2ca85dc70abb9e694e2d4bfad40fdf84693
Instruction ID: e0f75c1a4019af0f4ddfc7d7bd4c657858a3025eea47733efe0b7fac43dcb2c5
Opcode Fuzzy Hash: d86aceb7ce21c7b91bf0dcaa4d0ad2ca85dc70abb9e694e2d4bfad40fdf84693
Instruction Fuzzy Hash: 04817034A005098FDB14DF6DC488A6ABBB2BFC9314B588169D506EB365DB31DA42CBE1

Function 06D59510 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16fe5d39a3099f5c33e1823b1da473059c797dc04ed99451efc974105e49a256
Instruction ID: 2198e9024248b267b1a357998b7cadd14e58b8ac767798c745cb3ef0bdc1ccc4
Opcode Fuzzy Hash: 16fe5d39a3099f5c33e1823b1da473059c797dc04ed99451efc974105e49a256
Instruction Fuzzy Hash: 8A71BF71F002599BDF55DFA9D860AEEBBB2AFC8600F154429E406AB380DF709D46CBD1

Function 01837450 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6153b03f3d5bf774a95b0d426712ebfcbf0a24d63d09895c7b73cf4e65569d6
Instruction ID: dc5b8fac043f0f75b9fb3584abdf1bb760714d9910dea3715e5400008b94aa39
Opcode Fuzzy Hash: f6153b03f3d5bf774a95b0d426712ebfcbf0a24d63d09895c7b73cf4e65569d6
Instruction Fuzzy Hash: C3713C747002458FDB15DF2CC498A6E7BE5AF89310F1940A9E906CB3B1EB75DE41DB90

Function 0183CED7 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9a43e537be7f3711574cc5d5c71c002679e28bce790d26d1b8ef2c86e70c55
Instruction ID: abdba07db5b6ca1fccb27a0cb0efc7ef3b69a2b05aa54992ac78b9463f447c60
Opcode Fuzzy Hash: fc9a43e537be7f3711574cc5d5c71c002679e28bce790d26d1b8ef2c86e70c55
Instruction Fuzzy Hash: D051CD300323028FD3117F60E2AC16EBBA1FB6F3177156D66B10E89429DB385059CB28

Function 0183CEE8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82355e289fffc5de6a659374ba9c0d261adcd8d611081f1d65e8201ee33d5bfd
Instruction ID: b138ed7ebbedc65a50d7f74e4160ad3cab21e1fab81660170d83e983737fcd16
Opcode Fuzzy Hash: 82355e289fffc5de6a659374ba9c0d261adcd8d611081f1d65e8201ee33d5bfd
Instruction Fuzzy Hash: 3051BB700723038FD3117F60E2AC16EBBA5FB6F3277156D66B10E89429DB386059DB28

Function 0183E2E9 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f695525de43fe97594eef379f5f003227b77edc3f06f88b8fa264d55c53a965
Instruction ID: a6ad30104b08c5b175964d75e8f7e7ffdfe895d10f89558a208e83904cb28d34
Opcode Fuzzy Hash: 2f695525de43fe97594eef379f5f003227b77edc3f06f88b8fa264d55c53a965
Instruction Fuzzy Hash: DF610074D01318CFDB25DFA9D884BADBBB2FF89300F608529D805AB254DB395A85CF40

Function 0183CD20 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175fdf9d10f6413654f91e521fda19d4efba38f2148493a15e4cdb066d1e62cf
Instruction ID: 0ba24b72955812c0120d2ed098036e9424a19241da8adcc502be952e873c317b
Opcode Fuzzy Hash: 175fdf9d10f6413654f91e521fda19d4efba38f2148493a15e4cdb066d1e62cf
Instruction Fuzzy Hash: 14519374E01208DFDB54DFAAD5849DDBBF2BF89300F24816AE805AB365DB31A905CF50

Function 06D5DCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ae2448fafbb176b1e31cebfe4fcbfc29371798b8f76ff8eeab7c8a17898f96
Instruction ID: 26f5ef20300fc7c5586cb92a42739a93cb5597b905e3dbfe6dc3373af665c01c
Opcode Fuzzy Hash: 49ae2448fafbb176b1e31cebfe4fcbfc29371798b8f76ff8eeab7c8a17898f96
Instruction Fuzzy Hash: 88415B31901319DFEB14AFA4D45C7FEBBB1FB5A312F20586AD501A62A4CB790A44CFA4

Function 01833908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dde247c1144e3ef466606adeda549511b8a8a38ed08ff17051c5a5583fd348b
Instruction ID: 3417e10cda70b708a5ab8f76941d9c4a9e5a9f677fad0d65d12d709c7e94164a
Opcode Fuzzy Hash: 6dde247c1144e3ef466606adeda549511b8a8a38ed08ff17051c5a5583fd348b
Instruction Fuzzy Hash: 3151A375E01208CFCB08DFA9E59499DBBF2FF89310B249069E805AB324DB35AD42CF51

Function 0183F0F9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe89616e3b737b3521f8345bf937a4b87e4926e1f5ef4d62cff6e212e8ebeaf1
Instruction ID: 23d4e23cf54146db5c774d5536cf7d7fe9f7107ec75311db609161f4cdb98241
Opcode Fuzzy Hash: fe89616e3b737b3521f8345bf937a4b87e4926e1f5ef4d62cff6e212e8ebeaf1
Instruction Fuzzy Hash: 7F51C074E01228CFDB64DF68D984BEDBBB1BB89301F1455A9D409A7350D7359E81CF90

Function 06D59A49 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a0e966a212cb63b4601c07c0a96b3107cd346a05c78471980410af030d90a7
Instruction ID: 5467a822af2776c32c938a54f87c334321c708f0f815af25c2866ce9ecbdc99e
Opcode Fuzzy Hash: 70a0e966a212cb63b4601c07c0a96b3107cd346a05c78471980410af030d90a7
Instruction Fuzzy Hash: CA510075E00208CFDF54DFA9E594AEDBBB1EF89310F24812AD805AB294DB395A46CF50

Function 01839A73 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8094600d798ae12ffec9e142d4971aee6cad9be342c4ade9281ca97d0d3ff5
Instruction ID: 9f42971a21ce0eb4079575b4387f1b238d5e78c6423e2bef7f1aa360ffd7f4ed
Opcode Fuzzy Hash: 9e8094600d798ae12ffec9e142d4971aee6cad9be342c4ade9281ca97d0d3ff5
Instruction Fuzzy Hash: 7951A131E04249DFCF16CFA8C844A9DBFB6EF89318F088555E905DB291D3B4EA55CB90

Function 0183A660 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0080bdb99640f969adcd49b3882e32c16e72c3d538e7dde2535460a5784f19
Instruction ID: 316eb9f659b197405e4c50bcb86bf131889680af78929f6e35e57bd51c0c8d06
Opcode Fuzzy Hash: ac0080bdb99640f969adcd49b3882e32c16e72c3d538e7dde2535460a5784f19
Instruction Fuzzy Hash: DB41E1357002489FCB1AABB9D854BAEBBF6ABC9710F18406DE546D7391CE349D05CBE0

Function 06D59500 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fa52ea18b127da55a849f3c8a90225aee0e794635e8c7a400c5bd030aff7b3
Instruction ID: 0249c0d5b183e8b60f39e57babd716dfc752a48821ce5cef8b38db5120db6061
Opcode Fuzzy Hash: 97fa52ea18b127da55a849f3c8a90225aee0e794635e8c7a400c5bd030aff7b3
Instruction Fuzzy Hash: 06415071E00319DBDF14DFA5C890ADEB7F6AF88710F158129E815BB240EB71A946CBD0

Function 0183D7DE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10e0457f4ea93fe20d2a125dff8524895689514a4391de25a558e36521c8929
Instruction ID: 003e8a8c26bf83f1a516760cf0af467f8308edd1320b18f172afa49b252cd37a
Opcode Fuzzy Hash: e10e0457f4ea93fe20d2a125dff8524895689514a4391de25a558e36521c8929
Instruction Fuzzy Hash: A3415870D01248CFCB15DFE8E4846EDBBB1FB89305FA89619D419EB245D734AA41CF94

Function 06D59A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb6fd0b34855a491fb89e7c97787b2bbec340d505c44ffb624df7ce2419a01b
Instruction ID: 67d88ec472bebc8307cf6225b3a4d49c6048e88b011b35df6f37bc4cf3ee2ece
Opcode Fuzzy Hash: adb6fd0b34855a491fb89e7c97787b2bbec340d505c44ffb624df7ce2419a01b
Instruction Fuzzy Hash: 2F41DE74E01208CFDF54DFA9E5946EDBBF2AF89300F24912AD805A7294DB395A46CF50

Function 0183D77E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f51439d7535dc69f86d4c78fd67cfa2c7466c9b91f15b46fc40ee259172d0fd
Instruction ID: bc932c6fe864afc24922890f2d3703593470f4c2fd659a4abe3146f2cfa2ba0d
Opcode Fuzzy Hash: 8f51439d7535dc69f86d4c78fd67cfa2c7466c9b91f15b46fc40ee259172d0fd
Instruction Fuzzy Hash: 55411170D01208CFDB15DFA8E4886ADBBB1FB89305FA89619E409F7245D7349A41CF94

Function 0183D630 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00dd726b4fd05586c806938b77b690b0e6ea3542271c709732e9f78d78983a00
Instruction ID: b7ba73308f936fb74f1b61330a4deea18107d522a942a4e1054d43b1ea9a5f55
Opcode Fuzzy Hash: 00dd726b4fd05586c806938b77b690b0e6ea3542271c709732e9f78d78983a00
Instruction Fuzzy Hash: DB414770D00208CFDB19DFA9D4486AEFBB2BB89301F58D229D818B7255DB749A41CF94

Function 01834DD0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd707af807a7519bef1b319ea41b3e8731c6be9e5117a31326da576f6b32ff86
Instruction ID: e3e077123518e8866625342b3cec23485335e7d6960e1f6584d50f37d49bc2be
Opcode Fuzzy Hash: dd707af807a7519bef1b319ea41b3e8731c6be9e5117a31326da576f6b32ff86
Instruction Fuzzy Hash: 3C316E3170514A9FCB069FA9D858AAE3BA6FB88310F044029F916C7255CB39CD61DFE1

Function 06D5DCB1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31aaa6addf8391cc2cd5459e32339319a0b9918b417d60bc16d5baa61a74358f
Instruction ID: 6883153d348e2d2aa4e7c120abbb5c6b0462303e1df06618120e756ecc5de1f5
Opcode Fuzzy Hash: 31aaa6addf8391cc2cd5459e32339319a0b9918b417d60bc16d5baa61a74358f
Instruction Fuzzy Hash: D3318030901319DFEB14AFA4D45C7FEBBB1EF5A312F10985AD511662A5CB790A44CF60

Function 018376E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc15677e2f7cb78a6cc64bee8ade287065191968250f7bb479e2c83d869d57e
Instruction ID: c0677b8d5e24dd3e446a93c332d4c9da69b51bab4db99e17a84201096d757168
Opcode Fuzzy Hash: 1dc15677e2f7cb78a6cc64bee8ade287065191968250f7bb479e2c83d869d57e
Instruction Fuzzy Hash: E121D0743052018BEB17673DC89427D3AD7AFC9B5472C407AD902CB7A6EE29CD42A7C1

Function 0183A819 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7326a37de93b1941a0b01081cb7b92ef349e4f15378a5784a6a0f4df965514f4
Instruction ID: 18d0439d0ee38e74de7520cc32b6b163ddeb80f5cab9097c79c8862f792e26f1
Opcode Fuzzy Hash: 7326a37de93b1941a0b01081cb7b92ef349e4f15378a5784a6a0f4df965514f4
Instruction Fuzzy Hash: AE31A434A006058FCB18CF6DC8849AEBBB7BFC5310B198559E595EB3A5CB349D02CBD0

Function 0183DF89 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488ade2b4f3944b4b4a3403be01241b3bfcd8f27c7b61be478185525a21aba3f
Instruction ID: 7590746ade3cba20195e8bc6a7f59f2cda599682564bfa5aa7ffe61231cf6b15
Opcode Fuzzy Hash: 488ade2b4f3944b4b4a3403be01241b3bfcd8f27c7b61be478185525a21aba3f
Instruction Fuzzy Hash: 2921A271D042488FEB19CFAAD8446EDBFB2AFCA310F48D16AC404F72A5D7708605CB95

Function 018376F8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ce5544e20ae0d4ad17e64970a8deff5ff9257b3baf3dfb918d6ea5a4e81299
Instruction ID: bd304decb62cf27f60e4d6147c114cb91a7c1e89e6403a698116900a381af4db
Opcode Fuzzy Hash: 61ce5544e20ae0d4ad17e64970a8deff5ff9257b3baf3dfb918d6ea5a4e81299
Instruction Fuzzy Hash: 61219F783012058BEB176739C49467E369BAFC8B54F284039D902CB7A5EE29CD82E7C1

Function 0149D006 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3980424509.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_149d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538c8211ecde43cc543f8fe7c10aab859a18ee48ab240790b3cef19e4839f8a2
Instruction ID: 9ab3a9b8c815e42a210d695432f60fefd005c779363515916412ebabb1564102
Opcode Fuzzy Hash: 538c8211ecde43cc543f8fe7c10aab859a18ee48ab240790b3cef19e4839f8a2
Instruction Fuzzy Hash: 7F312B7154D3C09FDB078B64C994711BF71AB47214F2985DBD8898F2A7C63A980ACB62

Function 01832060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178bf1d762d788971022c6bdcbab8067c8c4b848e34dfc44f3d56bc671c563d1
Instruction ID: ea1fbb5a5d4ae05241e06648b11aa5f6c8a74566d99bf9fb3aa097c3e61f62e7
Opcode Fuzzy Hash: 178bf1d762d788971022c6bdcbab8067c8c4b848e34dfc44f3d56bc671c563d1
Instruction Fuzzy Hash: 31219C75A00215DBCF14EA28D8509AEB7A6EBD9360F14C059E90ADB340DF36EA46CBD1

Function 01835A6B Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d65f826181b6cc6209c3bd33e5823ec0d4ef0812ccd6d3634e6ff5a78103a8c
Instruction ID: f55f98f777088d9f2c622fe927f316c400619d63493701e5bbda1e83a1bd0255
Opcode Fuzzy Hash: 7d65f826181b6cc6209c3bd33e5823ec0d4ef0812ccd6d3634e6ff5a78103a8c
Instruction Fuzzy Hash: 8321B035306616CFC7199B69D4A892AB7A2FFC9750709416AE906CB364CF34DD02CBC0

Function 06D596F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97aacbf8b4339807a4cf571e7c5be86fb2d9dc96c1c8d06f4980d47fe9bb70a
Instruction ID: 570be71ba6d698184ba5852a0e3895236350781f93977af8c0bed7e42d78875e
Opcode Fuzzy Hash: d97aacbf8b4339807a4cf571e7c5be86fb2d9dc96c1c8d06f4980d47fe9bb70a
Instruction Fuzzy Hash: C6115C327083546FDF466EA86C242AE3BA7EBC5220B51446AD505CF380CE754D46C3E5

Function 0147D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3980206026.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062ec2d04bab47b6746b40695af925f1d2ea2042483691d3131c1f4e4b6b7cc8
Instruction ID: 7084102d53523570917d32a98d1aa2c9dde2284c442fc49527752c3a76bf971b
Opcode Fuzzy Hash: 062ec2d04bab47b6746b40695af925f1d2ea2042483691d3131c1f4e4b6b7cc8
Instruction Fuzzy Hash: 4A210372910244EFDB15DF94D9C0BA7BB65FF88314F24C17AE9090B266C336E456CAA2

Function 0149D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3980424509.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_149d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd7e2dba2b8681b56910a3178ec70adfef07deff49d795bd7b4bbda1961a125
Instruction ID: 286b4bee85b3f7021653ce897f68f780c7ad2dac553d33a4acd929ca880007b8
Opcode Fuzzy Hash: cfd7e2dba2b8681b56910a3178ec70adfef07deff49d795bd7b4bbda1961a125
Instruction Fuzzy Hash: 142103B1904204EFDF15DF64D980B26BF61FB84318F20C56AE8490B362C736D447CA62

Function 018339ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8a125313d9cdc9d1b4e4c7e404a429a00ed6831a6980f081c8fb30429ef9bd1
Instruction ID: a586b7da6cba9a278d8cf8ad2bd733fbf86dfff94be369ea437ecd397e133756
Opcode Fuzzy Hash: d8a125313d9cdc9d1b4e4c7e404a429a00ed6831a6980f081c8fb30429ef9bd1
Instruction Fuzzy Hash: 0231B378E11309CFCB04DFA8E59489DBBB2FF49301B2040A9E819AB324DB35AD01CF51

Function 01834DC3 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a7f49e2b6fed8359c7d7725a9539cac3aff21d0aa0ad9da39c1f11869bdeb8b
Instruction ID: 1d710cf2b739895a4815c0c05da0bfe944c5753885c73bdef27ac7e1d7b7648b
Opcode Fuzzy Hash: 3a7f49e2b6fed8359c7d7725a9539cac3aff21d0aa0ad9da39c1f11869bdeb8b
Instruction Fuzzy Hash: 96219F327092499FCB15DF68D848BAA3BA2FBD8320F144429E906CB255CB38DD55CFE1

Function 06D5E0C0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1933e77339380fda772b3f9b6a5ec956ceab012e6a822d97d2db9839b45b22
Instruction ID: 806de9585cbf6e9fd5da5cec9d407a8b57922d1b6d30fb98ce632e08f89cc17f
Opcode Fuzzy Hash: 5a1933e77339380fda772b3f9b6a5ec956ceab012e6a822d97d2db9839b45b22
Instruction Fuzzy Hash: 02112B313053449FD7042B7AAC14ABBBBABAFCA210F558477E546C3386DE388D068775

Function 0183D61F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac5b5f36447636b43c2d6db4f89653aaadfc53d6c212e6263e394ad076cf212
Instruction ID: a9bf000327e407e4f53c2fdb5ab08c145c552e492a6ebdb72312f1cae7727bfd
Opcode Fuzzy Hash: fac5b5f36447636b43c2d6db4f89653aaadfc53d6c212e6263e394ad076cf212
Instruction Fuzzy Hash: B1116D75D002488BDF19CFAAD4486EEBBB2AFCA311F18C16AD418B6269D7344905CF90

Function 0183E20B Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea05042ff4f186bff8a3685482a10eb0281213a7a29bbcbcd58b49f5f919cb1
Instruction ID: 53c2bd25646d0c0fd86f1ea533bf04b96d20170e8d57cbbd7f8e5deb9f12d982
Opcode Fuzzy Hash: 7ea05042ff4f186bff8a3685482a10eb0281213a7a29bbcbcd58b49f5f919cb1
Instruction Fuzzy Hash: DC216D30A0020D9FEB15DFB9E5446DEBFF1FB86300F14C5AAC0449B225EB745A06CB82

Function 01831EF8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5773a49cad721595ff77060310f1bdbb3f64be48a7b98ecbe6d2013ce5b4a74
Instruction ID: d8ece58209c8f484bf505c72c5660ca4b161320aa895820be5cd7da7fd4a6007
Opcode Fuzzy Hash: d5773a49cad721595ff77060310f1bdbb3f64be48a7b98ecbe6d2013ce5b4a74
Instruction Fuzzy Hash: 38212374C1520A8FCB41EFA8D8545EDBFF0FF89300F1481AAC805B7215EB345A45CBA1

Function 01835A78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec7e96a22233975da46fc253b499ffbea76af15e199696576749379cc4cebbf
Instruction ID: 5911d025886768c767897f089c3c8803a3a94d57d18fbe321b9106ba20bcad2f
Opcode Fuzzy Hash: 9ec7e96a22233975da46fc253b499ffbea76af15e199696576749379cc4cebbf
Instruction Fuzzy Hash: 0911E1353026128FD719AB2ED8A892EB7A6BFC87503080079E906CB354CF34DC028BC0

Function 0147D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3980206026.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_147d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction ID: bd29cb4c607e52d0aa0b3dc441dfd329855a1353b5ce6b52bc0affb4f5aa0cf2
Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction Fuzzy Hash: 5F11C072804240DFCB12CF54D9C4B56BF61FB84214F24C1AAD9090A667C336E456CB92

Function 06D58EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d70c6ef9cb865e17fcf7b2087f9d5325caa8101d9273a112312a812385ee726
Instruction ID: 27689312d2af22b07db4a1d39afeb437dc8721958c1f92d34a6829698359601a
Opcode Fuzzy Hash: 6d70c6ef9cb865e17fcf7b2087f9d5325caa8101d9273a112312a812385ee726
Instruction Fuzzy Hash: 03113C74F002598FEF14DFE8E840BAEBFF2AB58311F018065E908EB749E6719D428B50

Function 0183E218 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f8476730c88741e8486153e526f9538d60af1d038523835412459238d211e2
Instruction ID: 1414288f829e2347f5ba2a8f5b277eaa072244e9cd37f2de07744cb230b25067
Opcode Fuzzy Hash: 49f8476730c88741e8486153e526f9538d60af1d038523835412459238d211e2
Instruction Fuzzy Hash: CB112970A0020D9FEB14DFB9E54469EBBF2FB85305F14C5AAC054AB224EB745A068B82

Function 06D52670 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c49a4f1bb8c835899afb73947a808439d4f76fae885ae411f3e645125fdb38
Instruction ID: 7b3cfb2fbee60415c61a028ce7556ca55de4ea2b771902d00f20712e0bbb7181
Opcode Fuzzy Hash: e0c49a4f1bb8c835899afb73947a808439d4f76fae885ae411f3e645125fdb38
Instruction Fuzzy Hash: ED118B75A112228FCB90EF78E508A5A7BF4EF88711B1105A9E805DB311EB36D909CFD1

Function 01831F61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7bce85163a34aa86e41ec7dde27a062926161bd920d9acbc346a76b1ee0a0f5
Instruction ID: a1fb496b676c88141390781b6b8e1d754584d31fc4f57a6e42c5052a1d028200
Opcode Fuzzy Hash: b7bce85163a34aa86e41ec7dde27a062926161bd920d9acbc346a76b1ee0a0f5
Instruction Fuzzy Hash: 7121CFB4C1520A8FCB44EFA8D9855EEBFF0FB49311F10916AD805B3254EB345A45CFA1

Function 0183560F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3c60b7b6812470824bd0e608faa445d65b8dffcf884a8d64ea89278f182ba6
Instruction ID: 94dd2d1d97217b0fdb073b1c074c708afa9af559d02fa403135b14797966db4f
Opcode Fuzzy Hash: bf3c60b7b6812470824bd0e608faa445d65b8dffcf884a8d64ea89278f182ba6
Instruction Fuzzy Hash: 9601F5B27051495FCB06DF69D810AEF3BE7EFC9751B18806AF905CB2A4DA35CD019BA0

Function 06D525E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633a0d3d4061666942feaf7d5d89e6c05993e00d5733f94f944e12fbb1e6ee03
Instruction ID: 0e8134bf4b8cac029ca00e65e55e4e281040afaeb83d9f2dfa0b9de8eceff5a5
Opcode Fuzzy Hash: 633a0d3d4061666942feaf7d5d89e6c05993e00d5733f94f944e12fbb1e6ee03
Instruction Fuzzy Hash: 4A01A470E01319DFDF44EFB9D8446AEBBF5AF88200F54856AD859E7250EB399A018BD0

Function 0183D459 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf42e9bee17823f3932e8f064dfea8ad48c17a6de7e182b1319ed71922396a5
Instruction ID: 7d95b1f5193eb36115ac6f57d9dd962b59b8ea7e51be35618ea4f5f14ac82b9a
Opcode Fuzzy Hash: 3cf42e9bee17823f3932e8f064dfea8ad48c17a6de7e182b1319ed71922396a5
Instruction Fuzzy Hash: 17F05530C403949ADF1A8BB6A8043FE7BB4ABC7310F4462AFC400E7196C734120A8B91

Function 0183DF18 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27391896864ce4d8342f098e375a2af84719b5cb1bb607428b2578175bd3bcd6
Instruction ID: 03749185eb86bf221371686289bcab1c56fc1a3c352fce08968ee8d99ab253a6
Opcode Fuzzy Hash: 27391896864ce4d8342f098e375a2af84719b5cb1bb607428b2578175bd3bcd6
Instruction Fuzzy Hash: B0F0E535D083488FDB1A8B65A5443E9BBB1ABCB310F4854AEC104A60A6DB74460E8B91

Function 0183D4C4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccfa4684daa936e4b7d0c8f32024b7f5086ca8bba11827a764ae6c8194aca8df
Instruction ID: ba6640ab0ed8dca0b5aca43af03783d76618c1e643f20a30e5e15873f09b9017
Opcode Fuzzy Hash: ccfa4684daa936e4b7d0c8f32024b7f5086ca8bba11827a764ae6c8194aca8df
Instruction Fuzzy Hash: 0DE0DF92C0D184CFE7118BE6A4620F8BF70E9E3345B88A2CBD049DB122D619E3069B52

Function 01832010 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0e0ec4fb285b6d2d85a50f4464f042e85b580a5659a95761a4f8665d94b043
Instruction ID: ce4eefc402ac6d2999c966c7f9e7b63b0dc6165c882e16693a3671c9b29ef4c6
Opcode Fuzzy Hash: 5c0e0ec4fb285b6d2d85a50f4464f042e85b580a5659a95761a4f8665d94b043
Instruction Fuzzy Hash: 34E02672D2022A9BCB10D7A0EC845FEBF35EFE7311F11462AD02073140EB74620AC790

Function 01832020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2e16220c9515703722265e1b4ecd164f234b494173f516b114e37cfa2d5584
Instruction ID: cadcff72579d7f552519d570ba00b008b5b76ef7f05123bd900fe4f392f2191d
Opcode Fuzzy Hash: 4b2e16220c9515703722265e1b4ecd164f234b494173f516b114e37cfa2d5584
Instruction Fuzzy Hash: CED05E32E2022B97CB00EBA5EC048EFF738EED6661B908626D52537140FB713659C7E1

Function 01838270 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 8fb27bfd87c76bc7bcb31417699a8c07fa04a0f2d533947f1231532b72167037
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: B0C08C3320D5282EAA25108FBC84EA7BB8CE3C27B8E290237F51CC320098429C8001F4

Function 0183A71D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00765932153a527e4a48df9f37d036a8b14e2ed230891af1e1194c22f92132f5
Instruction ID: be529cdf32d63059c592152a63d2155b2eb424cd3286f9e39a22abb80a811369
Opcode Fuzzy Hash: 00765932153a527e4a48df9f37d036a8b14e2ed230891af1e1194c22f92132f5
Instruction Fuzzy Hash: 97D0677BB51008AFCF049F98E8409DDB7B6FB9C221B448116E915A3264C6319965DB50

Function 01835EB0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfdab4327f8e831715539a2e7eae1355703ad1bcdd26501a763e4a877a537db
Instruction ID: 8f98f9e6256bafb88d10b65dc6e1c041277ccc54c25f0141a28a41c7643ac977
Opcode Fuzzy Hash: 4dfdab4327f8e831715539a2e7eae1355703ad1bcdd26501a763e4a877a537db
Instruction Fuzzy Hash: 1ED02E3020838A0BC602F3BCF8484C83B29BAD0604F8400A6A8050901BFF7C2C86CBA3

Function 0183FBFB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024bac15d6258da1b4eb308e22593bf14ddafe0e428ccd9c8ecc706da661f61a
Instruction ID: 7abbcdd21d1ad8b7c54afb2db7ad9f5e3b7b7f08196c4eee0db04287221cb0fc
Opcode Fuzzy Hash: 024bac15d6258da1b4eb308e22593bf14ddafe0e428ccd9c8ecc706da661f61a
Instruction Fuzzy Hash: 2FD06CB9D4512C9BCF20EFA8EA542ECB7B0EBC9305F0025E69909B2200D7305E508F62

Function 01835EC0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb7da9f3a9856693a6f5c1a6c91f61fd064abd649661a184150cad2d41fe630
Instruction ID: d9973abe34a9538972328df483a9f80a3b1172e89ccaecd9759554d99b69bfa9
Opcode Fuzzy Hash: ffb7da9f3a9856693a6f5c1a6c91f61fd064abd649661a184150cad2d41fe630
Instruction Fuzzy Hash: D9C0123031030F47D501F7BDF9489D9732AF6D0500F405561A50905116EF7C2C448B93

Non-executed Functions

Function 0183E538 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b397f9ff572233c0463514e71155ff0acf070b5608f58dea0a1fce35e168bc
Instruction ID: 466c2bafb0e3050332753fa1604353811946f09f6559af8dda1c4c48012073ce
Opcode Fuzzy Hash: b3b397f9ff572233c0463514e71155ff0acf070b5608f58dea0a1fce35e168bc
Instruction Fuzzy Hash: 7B52AD74E01229CFDB68DF69C984BDDBBB2BB89301F1481E9D409A7254DB359E81CF90

Function 06D55EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ae77e4a05e182b33f521c830b05497e467405cb79fac644241b9388226e918
Instruction ID: bcb1fc07ecea9bb36d71491d058a054def314879e77d5b781f99c58e4f1c7b68
Opcode Fuzzy Hash: 10ae77e4a05e182b33f521c830b05497e467405cb79fac644241b9388226e918
Instruction Fuzzy Hash: 62C1A274E00218CFDB54DFA9D944BADBBB2EF89304F2081A9D819A7355DB359E81CF50

Function 06D55A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c96491dda7e1ef50e64c864837eedb9fa1f4afc62f9c780d680597f34cea93
Instruction ID: 3fc5cbb07e9dcdbbe765be8e473f676550a571c4d0daab9f02d7687e8016c2fb
Opcode Fuzzy Hash: 91c96491dda7e1ef50e64c864837eedb9fa1f4afc62f9c780d680597f34cea93
Instruction Fuzzy Hash: 39C1AF74E00218CFDB54DFA9D984BADBBB2EF89304F2481A9D819AB354DB355E81CF50

Function 06D55618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acbbd0e01381ff4feb46985000619b56a649aacd943489b959c474ba5a5af932
Instruction ID: 81ea3b380ef6ed21b205db49e396dc52bfcf6f8dd7cb0c5d2f09547670412fd9
Opcode Fuzzy Hash: acbbd0e01381ff4feb46985000619b56a649aacd943489b959c474ba5a5af932
Instruction Fuzzy Hash: FEC1BF74E00218CFDB54DFA9D984BADBBB2EF88304F2081A9D819AB354DB355E81CF50

Function 06D56BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa8dfabd8aa2689ec93332cc68899d55a3da31163359a3dc2db113bd99c41a1
Instruction ID: 19276f2c84cd5bacbfb6359b1bfc305b5c74110b0b532e55a4c9162677e84120
Opcode Fuzzy Hash: 9aa8dfabd8aa2689ec93332cc68899d55a3da31163359a3dc2db113bd99c41a1
Instruction Fuzzy Hash: 60C1A174E00218CFDB54DFA9D944BADBBB2EF89304F1481A9D819A7364DB359E81CF50

Function 06D56778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77ad8797b3b8d76a12462c9ce490c2872c263ba6586aa4b383b456193b528a1
Instruction ID: b178f6f4e8ca169f2df812351ce243b908eb57ec5f16f7e8ae61c42d8839725c
Opcode Fuzzy Hash: e77ad8797b3b8d76a12462c9ce490c2872c263ba6586aa4b383b456193b528a1
Instruction Fuzzy Hash: D1C1B274E00218CFDB54DFA9D944BADBBB2EF89304F2081A9D819A7364DB359E81CF50

Function 06D56320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163abb3056b330986f575aa794d8086af0745a757ba836fcb15220b497dffc0b
Instruction ID: b704dca70a94df1f777f19d1ea04afde6e555d0b57b2b6e960ef9ed460e3d36d
Opcode Fuzzy Hash: 163abb3056b330986f575aa794d8086af0745a757ba836fcb15220b497dffc0b
Instruction Fuzzy Hash: DDC1B274E00218CFDB54DFA9D954BADBBB2FB88304F2081A9D819A7354DB359E81CF50

Function 06D508F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0725041b4c73716c88cd5d03ebf2ce88a31ab37a855d67d159639fd80785eade
Instruction ID: 82b33dd11f19e428fc37275d39cfc4cc94ca6b3bfd9b850e66b0a35908f152eb
Opcode Fuzzy Hash: 0725041b4c73716c88cd5d03ebf2ce88a31ab37a855d67d159639fd80785eade
Instruction Fuzzy Hash: B1C1BF74E00218CFDB54DFA9D984BADBBB2FB89304F2481A9D819AB354DB355E81CF50

Function 06D574A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b4bd21484dd1860ea77741e40caaff085347a81cd940bcda62480a231f5a97
Instruction ID: 28500b37e9bc46c396e89a6e3bd83dcd1435cae1c9fd55878a49ef1792232102
Opcode Fuzzy Hash: d2b4bd21484dd1860ea77741e40caaff085347a81cd940bcda62480a231f5a97
Instruction Fuzzy Hash: E3C1BF74E00218CFDB54DFA9D944BADBBB2EF89304F2081A9D819AB354DB359E81CF50

Function 06D57050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629827368bb12798ebfef405d299fba6eb4ea59aeedec3b7ee7884998c2ec004
Instruction ID: 68bab0de2b211ff020221e317eae47e335f23ff3ace33191675bbee80b80a29c
Opcode Fuzzy Hash: 629827368bb12798ebfef405d299fba6eb4ea59aeedec3b7ee7884998c2ec004
Instruction Fuzzy Hash: EAC1AF74E00218CFDB54DFA9D984BADBBB2EF89304F2081A9D819AB354DB355E81CF50

Function 06D50040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9c3aed4747583d2375bb814dfd19f3c9516c78fabe4235d21ff35f2972ea3d
Instruction ID: c764c046bdd0867be6580c6e3dadd28d38bc60465b187fb44ffa1d67e0a5b4bc
Opcode Fuzzy Hash: 8b9c3aed4747583d2375bb814dfd19f3c9516c78fabe4235d21ff35f2972ea3d
Instruction Fuzzy Hash: 13C1BE74E00218CFDB54DFA9D944BADBBB2EF89304F2481A9D819AB354DB359E81CF50

Function 06D55198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51481f5fdf6598ea10ad4063ecce8b0b5551b46aef001339051e6efb2babd93
Instruction ID: da70f16761c9a4183d17575f3ee0cef749eeb51d62c7a1508847077314318aaa
Opcode Fuzzy Hash: d51481f5fdf6598ea10ad4063ecce8b0b5551b46aef001339051e6efb2babd93
Instruction Fuzzy Hash: A0C1A074E00218CFDB54DFA9D954BADBBB2EF89304F2081A9D819AB354DB355E81CF50

Function 06D581B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea1e85f5a5ef8014268dbe6fcd58d8907047ad692463175f5736fe3beff3ba1
Instruction ID: 540ec0660c4c74f2ac4586d01e1855d38d9f597728281339c3c7989dfc10b440
Opcode Fuzzy Hash: eea1e85f5a5ef8014268dbe6fcd58d8907047ad692463175f5736fe3beff3ba1
Instruction Fuzzy Hash: E5C1AF74E00218CFDB54DFA9D944BADBBB2EF89304F2081A9D819AB354DB359E81CF50

Function 06D57D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e682cf91f3cb4e3532408920d735574a38681a9894106167d50afb8169a4270
Instruction ID: 789fa08ebdc06c8c56fbd8c2c15237750d3b374fb836d1707810d7a0c25b215e
Opcode Fuzzy Hash: 0e682cf91f3cb4e3532408920d735574a38681a9894106167d50afb8169a4270
Instruction Fuzzy Hash: 43C1AF74E00218CFDB54DFA9D954BADBBB2EF89304F2081A9D819AB354DB359E81CF50

Function 06D50D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed45596fbcef22da247c8c047cc3b015bf1960801a25df4b41dc9d81781e07b
Instruction ID: 29b00fe188fd3d1cec29d5e41b7df2dd377965fb8b5f8730395d0415b70c34a1
Opcode Fuzzy Hash: 9ed45596fbcef22da247c8c047cc3b015bf1960801a25df4b41dc9d81781e07b
Instruction Fuzzy Hash: 9EC1AF74E00218CFDB54DFA9D944BADBBB2FB89304F2481A9D819AB354DB355E81CF50

Function 06D57900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2fe7f332a6f2c1b07a51516eea8e0fbda9d7c4fa31bba702797f722f69a59a
Instruction ID: 50b052d8ca0629f30f6019f6e6f1b21dc7dbcc87623a7e1570ffa986a65ab594
Opcode Fuzzy Hash: 4e2fe7f332a6f2c1b07a51516eea8e0fbda9d7c4fa31bba702797f722f69a59a
Instruction Fuzzy Hash: 2FC1AF74E00218CFDB54DFA9D944BADBBB2EF88304F2481A9D819AB354DB359E81CF50

Function 06D2CEF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aebcbbd4d5fa4da7926e6210cec5af73fae651f51c9986fb1bc8fd5727b543f3
Instruction ID: 403322f328928e13a84aec65582325b780946750883e5667ca2113e0293e1114
Opcode Fuzzy Hash: aebcbbd4d5fa4da7926e6210cec5af73fae651f51c9986fb1bc8fd5727b543f3
Instruction Fuzzy Hash: ADC1AF74E00218CFDB54DFA9D994BADBBB2EF89304F2081A9D419AB354DB359E81CF50

Function 06D2B4E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560cea9e8319271a115be43aa88a839cd67fcf352172452a0e1054919c1cfc12
Instruction ID: ff1b7619e25897a48dc10a8b61ba28b5c4155658a06189569ad012139a8dddd6
Opcode Fuzzy Hash: 560cea9e8319271a115be43aa88a839cd67fcf352172452a0e1054919c1cfc12
Instruction Fuzzy Hash: DFC1B074E00219CFDB54DFA9D984BADBBB2EF89304F2081AAD419AB354DB355E81CF50

Function 06D2E4B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b0a4ff134b70b870dc91497c7c26a293fc1e8ccb8a68488740bb3ebab056c3
Instruction ID: f08325278dcd29e1f4f77bd644b94e8ce12aaa17c2044b6d95826c3ec40bfa7a
Opcode Fuzzy Hash: 98b0a4ff134b70b870dc91497c7c26a293fc1e8ccb8a68488740bb3ebab056c3
Instruction Fuzzy Hash: B1C1CF74E00218CFDB54DFA9D984BADBBB2EF88304F2081A9D419AB354DB359E81CF50

Function 06D2CAA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7fc365a01c50024fc9bdf2433c274aa2446ca7d483d78660ab3810112f2e64e
Instruction ID: 3f5c5a180438c80a6a2c96c8d38f9b43cdb59f75f20ccca82f2bbe4158c6a533
Opcode Fuzzy Hash: a7fc365a01c50024fc9bdf2433c274aa2446ca7d483d78660ab3810112f2e64e
Instruction Fuzzy Hash: BCC1AF74E00218CFDB54DFA9D944BADBBB2FB89304F2481A9D819AB354DB359E81CF50

Function 06D204A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376217c958f3a1a947f32215842bb75bc6a018e1dc67f04b39627f09ee3614f0
Instruction ID: fa8cf15c68535af8b61030787b5ec267b74d31813437ae800e934abc15e8beeb
Opcode Fuzzy Hash: 376217c958f3a1a947f32215842bb75bc6a018e1dc67f04b39627f09ee3614f0
Instruction Fuzzy Hash: 19C1CE74E00218CFDB64DFA9D954BADBBB2FB89301F2081A9D809A7354DB359E81CF50

Function 06D2E058 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e554f3a9005c4b4b4b4a6e654ec984296d9fc9653d007bf2fd8e3eedb11504f
Instruction ID: 330b23c8d7b0dab1de5048ff168262a7e89baa4b64b5517931970a0a471130c9
Opcode Fuzzy Hash: 2e554f3a9005c4b4b4b4a6e654ec984296d9fc9653d007bf2fd8e3eedb11504f
Instruction Fuzzy Hash: D5C1BF74E00218CFDB54DFA9D944BADBBB2EF89304F2081A9D419AB354DB359E81CF50

Function 06D2C648 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54383ee8be1d1e2953d0cb5319d58627c40b86bb96b9c8e8387b0e66a3bf76a1
Instruction ID: c4fd59ab12e375c6564f76aa231df0f38c92d1958d9b4799f72b78e97fe58cb3
Opcode Fuzzy Hash: 54383ee8be1d1e2953d0cb5319d58627c40b86bb96b9c8e8387b0e66a3bf76a1
Instruction Fuzzy Hash: 8BC1AE74E00218CFDB54DFA9D994BADBBB2FB89304F2081A9D419AB354DB359E81CF50

Function 06D2FA68 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4aa5fa5142d1e4a8044224626610248fa03a041a85295a598651e1f9046e367
Instruction ID: f9d302707880270395e8e2c5c5b0b5540dd632bc8289857f6a8bb9971917c744
Opcode Fuzzy Hash: b4aa5fa5142d1e4a8044224626610248fa03a041a85295a598651e1f9046e367
Instruction Fuzzy Hash: 05C1C074E00218CFDB54DFA9D984BADBBB2EF88304F2081A9D819AB355DB355E81CF50

Function 06D2F610 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edaf60ffd6e899335f203f070932491e9f9c58c5180e98aeb1ec3a64a7029f81
Instruction ID: 2c0e20ba19d3375c1cfe7e2386382919e5e7e2c50b70401c382ac8b6a0a30e67
Opcode Fuzzy Hash: edaf60ffd6e899335f203f070932491e9f9c58c5180e98aeb1ec3a64a7029f81
Instruction Fuzzy Hash: A1C1BE74E00218CFDB54DFA9D984BADBBB2EB88304F2081A9D419AB354DB359E81CF50

Function 06D2DC00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7825431e0809828cea5d70288f2e255e902b0b41eb74bd3babd02aa1c5d4ff2
Instruction ID: fb2ada78078eef59785ec34cec3f20b48e3a1cc10faebc67c41198d0115c7157
Opcode Fuzzy Hash: c7825431e0809828cea5d70288f2e255e902b0b41eb74bd3babd02aa1c5d4ff2
Instruction Fuzzy Hash: 0AC1BF74E00218CFDB54DFA9D984BADBBB2EF98304F2481A9D419AB354DB359E81CF50

Function 06D2C1F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a665a89fc84cf99e62df98cee2e5df6b988b3d06074b822b6fa3b744e79354
Instruction ID: c6062128c76ba198e6a5e09a6a0462df27f708ee8debe4bbc855bdca6c41752d
Opcode Fuzzy Hash: 36a665a89fc84cf99e62df98cee2e5df6b988b3d06074b822b6fa3b744e79354
Instruction Fuzzy Hash: EDC1AF74E00218CFDB54DFA9D944BADBBB2EF99304F2081A9D819AB354DB359E81CF50

Function 06D2BD98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72d3ac8caba8c92c7472e43daa8ab24d9129bca1ab80714f974d3ade7515f1f
Instruction ID: 285dfb4623275d3cd35d6e2d5b4ca4f90d18ddc470e747fe2aba72d31e17ddbf
Opcode Fuzzy Hash: d72d3ac8caba8c92c7472e43daa8ab24d9129bca1ab80714f974d3ade7515f1f
Instruction Fuzzy Hash: 07C1BE74E00219CFDB54DFA9D984BADBBB2EF89304F2081A9D419AB354DB359E81CF50

Function 06D2F1B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a975d1588fb13c029067fc8dfd23be72660a27af4fd1a8d16901c0170f1767b
Instruction ID: 0ea449a84a060c36afa3dde96e886ead8b9de6e4ff61071a573018c38617a116
Opcode Fuzzy Hash: 0a975d1588fb13c029067fc8dfd23be72660a27af4fd1a8d16901c0170f1767b
Instruction Fuzzy Hash: 6AC1BF74E00219CFDB54DFA9D944BADBBB2EF89304F2081A9D819AB354DB359E81CF50

Function 06D2D7A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80e6200073a9261020d910d43a5ec53b9d87c54b5d17bb7e7c5d266ad5c4110
Instruction ID: ee332b3bf3f8a1f99d0d4ce8888dee56093366cee3b54face62cf766a510778a
Opcode Fuzzy Hash: a80e6200073a9261020d910d43a5ec53b9d87c54b5d17bb7e7c5d266ad5c4110
Instruction Fuzzy Hash: 9CC1BF74E00218CFDB54DFA9D954BADBBB2EF89304F2081A9D819AB354DB359E81CF50

Function 06D2D350 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a975ed66a6575324e476e05e39e5be4cbc153d0fb325cdff3b80dc1c25495ba5
Instruction ID: 289419991de1949149497262b5d21b7fae4a9ef17a2fd508135e9306f31a25f0
Opcode Fuzzy Hash: a975ed66a6575324e476e05e39e5be4cbc153d0fb325cdff3b80dc1c25495ba5
Instruction Fuzzy Hash: 76C1BE74E00218CFDB54DFA9D984BADBBB2EF89304F2081A9D419AB354DB359E81CF50

Function 06D2B940 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9285d5503800317f799744cfd4c7a89ac8aad6ddefba71d8ae08d2bc58f0024
Instruction ID: ac131c34cb6e1a391a678e1485d571f9c183db643ee07737c42cf60906de095e
Opcode Fuzzy Hash: e9285d5503800317f799744cfd4c7a89ac8aad6ddefba71d8ae08d2bc58f0024
Instruction Fuzzy Hash: E9C1A074E00218CFDB54DFA9D994BADBBB2EF88304F2081AAD419AB355DB355E81CF50

Function 06D20D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c91e916446f8436deb3903d1c59b37348487acf7ebe350f02f6149b1403b51c
Instruction ID: 4b134c74298a574bbc3d3775223eb97fcc0629b60dcbfaa3a4306a265dc4fc22
Opcode Fuzzy Hash: 6c91e916446f8436deb3903d1c59b37348487acf7ebe350f02f6149b1403b51c
Instruction Fuzzy Hash: 8AC1BE74E00218CFDB54DFA9D954BADBBB2FB89300F2081A9D809AB354DB359E81CF50

Function 06D2ED60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67edba5684c9785b4240973a9c93d51a8f5fd093d095aefbebbdf545ac6e5d24
Instruction ID: 8ebcb1e443a177a0ef7c88ba405fc65a86beb17af20fc286ba90039cb70272b5
Opcode Fuzzy Hash: 67edba5684c9785b4240973a9c93d51a8f5fd093d095aefbebbdf545ac6e5d24
Instruction Fuzzy Hash: 3EC1BF74E00218CFDB54DFA9D954BADBBB2EF88304F2481A9D819AB354DB359E81CF50

Function 06D20900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b21edf0e0f43b7b464e14e7a472de82e68181c468a92455110ddc36f8a8a65
Instruction ID: eac65d63be60121d8a002c28c052f3e41465739a2d0793b47a5ff39b3a6918f3
Opcode Fuzzy Hash: f7b21edf0e0f43b7b464e14e7a472de82e68181c468a92455110ddc36f8a8a65
Instruction Fuzzy Hash: EFC1CF74E00218CFDB64DFA9D954BADBBB2FB89304F2081A9D809A7354DB359E81CF50

Function 06D2E908 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3990955776.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d20000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 426e16b8ffe4c53e7f0e172ba6c17f6fc5f76a88332e337d99302aefb63a9574
Instruction ID: 8a5c94836783e97961324be9506969a18449d7feae1b9db927f75e77c25170f8
Opcode Fuzzy Hash: 426e16b8ffe4c53e7f0e172ba6c17f6fc5f76a88332e337d99302aefb63a9574
Instruction Fuzzy Hash: 03C1AE74E00218CFDB54DFA9D944BADBBB2FB89304F2481A9D819AB354DB359E81CF50

Function 06D533B8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60dfa7631dbdd79a9b011e30b1bab2279f777d857864667b7c0599e3e2992705
Instruction ID: 0689a599b9ea669217f89b4d95738522157ee585e668708ac6be8994f41bf4ae
Opcode Fuzzy Hash: 60dfa7631dbdd79a9b011e30b1bab2279f777d857864667b7c0599e3e2992705
Instruction Fuzzy Hash: 93B1C674E00218CFDB54DFA9D984A9DBBB2FF89300F2181A9D819AB365DB31AD41CF51

Function 0183EB6B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213885536a230ce2aaf485ed7e0ce4840393d6ee0fc86e0522eb55c4012e8336
Instruction ID: 9a598e46ab0acdb3b539cd4836f6c98ae9706f5e7045951cacc6b8646a03977b
Opcode Fuzzy Hash: 213885536a230ce2aaf485ed7e0ce4840393d6ee0fc86e0522eb55c4012e8336
Instruction Fuzzy Hash: 2EA18C74A01228CFDB64DF28D954BDABBB2BF89301F1085EAD40DA7250DB759E81CF51

Function 06D533A8 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3991435634.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84434559931c285b332b1555e0b33e08dae398a53144914314587fb4ffc4646f
Instruction ID: 5523382c40f37a0a185c1e0bca5e55599dbcbc2711ae2b491fb8e1c114001e50
Opcode Fuzzy Hash: 84434559931c285b332b1555e0b33e08dae398a53144914314587fb4ffc4646f
Instruction Fuzzy Hash: 0E51C574E00618CFDB48DFAAD98499DBBF2FF89300F159169D818AB364EB349942CF51

Function 0183ED4C Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3982644815.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1830000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae46801c066827fd745c1ec4b5f14f1ff982f3cba419cc43efdc255acc432668
Instruction ID: 7c3bf64d4d1292533cd0819adfae31216973f5718a31428557498aa5f61ca96b
Opcode Fuzzy Hash: ae46801c066827fd745c1ec4b5f14f1ff982f3cba419cc43efdc255acc432668
Instruction Fuzzy Hash: 1651AF74A11229CFCB64DF24D854BA9B7B2FF8A305F5085E9D40AA7354CB359E81CF50

Analysis Process: SyncRoot.exePID: 5420, Parent PID: 3576COMMON

Executed Functions

Function 00EFCC80 Relevance: 1.0, Instructions: 983COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db95142ad4cbdb2b2603a4306350cf68e87ac5f3f97c873029573c2fbc70225
Instruction ID: 34de033bb68541a7f9c241e3279b1fd75de816d32f61a67522a9b57b958eaa61
Opcode Fuzzy Hash: 9db95142ad4cbdb2b2603a4306350cf68e87ac5f3f97c873029573c2fbc70225
Instruction Fuzzy Hash: 01A2B375A00628DFDB64CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF40

Function 00EF8AAB Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a8e852602f96115f76715308309e51464519024329865823f59a3d6d04dac0
Instruction ID: 5b767b393443b4522e5fb02c011e27f55b2771d45e83f9a88ea9db8fd75d37bf
Opcode Fuzzy Hash: 77a8e852602f96115f76715308309e51464519024329865823f59a3d6d04dac0
Instruction Fuzzy Hash: D6713B74E01B099FD748EF7AE84469ABBF3BBC8300F14C179D04897369EB705905AB96

Function 00EF8AB8 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d051d453689f0d835fe549ca3d45128d28f8495c5e12db028579aff824c842b
Instruction ID: bd18ec75b67cc220ebb258685d31188138e2b8f2aa1e00f78d3113a0f0a153ee
Opcode Fuzzy Hash: 5d051d453689f0d835fe549ca3d45128d28f8495c5e12db028579aff824c842b
Instruction Fuzzy Hash: A1711A70E01B499FD748EF7AE84469ABBF3BBC8300F14C179D04897369EB705905AB96

Function 00EFE750 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108828832c889d4bf396989a10d90ab2410a148528cd87b98497032395821c0d
Instruction ID: 2702b4bfc8cd260f290771e39f6a76455340c647b333010deca9c8b1913fb23e
Opcode Fuzzy Hash: 108828832c889d4bf396989a10d90ab2410a148528cd87b98497032395821c0d
Instruction Fuzzy Hash: 2AB1C1323006189FDB19DF68D844BBE3BA6AFC4750B14406AE905DB391DB34EC4287A1

Function 00EFEC20 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a145e9780859408bd34be3abbb1640523358f5c179320e351e225b694f1e45
Instruction ID: 4acffc3ce334e5d2ad44ac3b6e219ae91444f280bd073677a49899af92fc9c60
Opcode Fuzzy Hash: 31a145e9780859408bd34be3abbb1640523358f5c179320e351e225b694f1e45
Instruction Fuzzy Hash: 77811835A00618CFDB14DFA8C484AADB7F5FF88754B1581A9E916AB370DB31ED42CB90

Function 0637BD20 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc4bc5e1d4869417e4dd1c79997a13c16c6f21b0e84f54371e52629039f572b
Instruction ID: e847f54fe71f149107ef5eb9eafc5c4106c25d0d2a2197f61788b0c92845a056
Opcode Fuzzy Hash: fbc4bc5e1d4869417e4dd1c79997a13c16c6f21b0e84f54371e52629039f572b
Instruction Fuzzy Hash: 4C611174E0120CDFDB54DFA8E584AAEFBB6EF88304F20802AE506A7354CB745E45CB95

Function 00EF0860 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1c6fc3d0a1db7c5764683f81165c7bd2c2d8ec9dd274c06ad962326c98013b
Instruction ID: f6132b2be3db9e6ec55a9ea742c9482bb75a133ae753fb588a8f16471d9f1179
Opcode Fuzzy Hash: 6f1c6fc3d0a1db7c5764683f81165c7bd2c2d8ec9dd274c06ad962326c98013b
Instruction Fuzzy Hash: 0A311970A00788DFDB05DBB88844ABD7FB1FF86304B594099D595EB353DA359902CB92

Function 00EF0870 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26d4a2153ea5080b7e46c0bfcd075fa4c5903b31d0127fb77729f932536f8eb
Instruction ID: 3d50489dd1fe55b86dac171ec390a0d3d9b81f024ad0bf1c1d7454309fa9f3a3
Opcode Fuzzy Hash: e26d4a2153ea5080b7e46c0bfcd075fa4c5903b31d0127fb77729f932536f8eb
Instruction Fuzzy Hash: 9A417F31E006098FDB04DBA8C8446EEBBB2FFC9710F5585A5E505F7291EB70A945CBA1

Function 00EF8E81 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3d8ddf7102b2a74347470e3ed9fa96dc7d2b6b18515bcb7aebd1761f242c3c
Instruction ID: 7f89dbe0c24174716a523e0ef8a6af27f15e9eb3611ff4b2758f90965eae8b0b
Opcode Fuzzy Hash: ab3d8ddf7102b2a74347470e3ed9fa96dc7d2b6b18515bcb7aebd1761f242c3c
Instruction Fuzzy Hash: 38319974D0020DDFDB04DFA9DA486AEBBF1FF89308F1498A5D219E7222DBB49904CB55

Function 00EF896D Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26178a7e7257ff029d5a5576a04fb6b930ef8059f1cb2093e6736bd4b34550f0
Instruction ID: 1678764f8155ec9c56bf945d4cbe585211e886fd026ac974c8f0a7dab0fdf348
Opcode Fuzzy Hash: 26178a7e7257ff029d5a5576a04fb6b930ef8059f1cb2093e6736bd4b34550f0
Instruction Fuzzy Hash: 68319C7090A3489FDB02DFB8C9593B9BFB0EF86304F14D0E6D509A7252DBB44945DB22

Function 00EF0B30 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cda31d4ecad9105f3dd110f45624088ad89c53686dc56a8f1f5800b00d8933d
Instruction ID: a8cd23b3f946d3534da9f81fb59b34f00089059d242aa8452a538380d70b09ec
Opcode Fuzzy Hash: 7cda31d4ecad9105f3dd110f45624088ad89c53686dc56a8f1f5800b00d8933d
Instruction Fuzzy Hash: B731D131B002089FDB04DF78C840AAEFBF6EFC9750B14856AE845A7355DB30AD85DBA0

Function 00EF8D61 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c327008dfa59e835b0a8fe7d171c1ba06f89c6975ea63535d16442292dee6ee
Instruction ID: 1fb1ac9ba2e5aac838479fd431afa9a0703e86df553d3bee6f384b180e5d3cd6
Opcode Fuzzy Hash: 0c327008dfa59e835b0a8fe7d171c1ba06f89c6975ea63535d16442292dee6ee
Instruction Fuzzy Hash: FB3134B4D00209DFDB00CFA9CA886AEBBF5EF99304F2098A5D615F7261DB759984CF50

Function 00EF0C69 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf799e4b68312678b6bd05d5aead26f0e37c97f169939dc05ccd7c4939597a8
Instruction ID: b3bef0c5575a79f02dce1715cb60882d105d226821e64dcd05b7ddcb77235ade
Opcode Fuzzy Hash: 8bf799e4b68312678b6bd05d5aead26f0e37c97f169939dc05ccd7c4939597a8
Instruction Fuzzy Hash: 18316670A04218CFCB10DBA8D544AADBBF1FF48314F5590AAE959BB252D731AC81CFA5

Function 00EF8D70 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5c263a8a36e475ac66319d6a70232c3640bf9e69fa44c4db782aa83cb1c0b8
Instruction ID: 37ae870820a7104527bd41bfaf0a4a790ae6774ae9746a566b5c651207026e27
Opcode Fuzzy Hash: 3f5c263a8a36e475ac66319d6a70232c3640bf9e69fa44c4db782aa83cb1c0b8
Instruction Fuzzy Hash: 573122B4D00209DFDB04CFA9C9886AEBBF5FF88304F2098A5D515E7260EB719984CF50

Function 00D0D048 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616637538.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d0d000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063e351832d259a3d075293575de4f5e513eb3c285b06ea680f857fe4926cb07
Instruction ID: 125d74477d8f0afe9da491bfad7b9a0532b9c5a6dd34422998119cd58c9771e3
Opcode Fuzzy Hash: 063e351832d259a3d075293575de4f5e513eb3c285b06ea680f857fe4926cb07
Instruction Fuzzy Hash: 7421F2B2504344EFDB14DF94D9C0B26BB66FB84714F24C56AE94D0B286C736D81ACBB2

Function 00EF898D Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a17b296570598c44818bd65c6ca129d35e8de370765f5d715143f2f20beba7
Instruction ID: c62403dc09bccd264ebef1850eaa2c246e826e7d6a16bab8424e0df42557668e
Opcode Fuzzy Hash: a9a17b296570598c44818bd65c6ca129d35e8de370765f5d715143f2f20beba7
Instruction Fuzzy Hash: 1F217E74909208DFDB01DFA8C5493BDBFF1EB86304F20D1EAE609A3251DBB44945DB22

Function 00EF0A38 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa573c7526fcd375f246199467550b747df81ef5120785a58cd6157b464e819
Instruction ID: b2453edff69e2604e1d5a0bf568c6d4020ed6f8b80ec52e276e34c7079590a96
Opcode Fuzzy Hash: 9fa573c7526fcd375f246199467550b747df81ef5120785a58cd6157b464e819
Instruction Fuzzy Hash: 4B21C131A007199FDF25DF68C804ADEBBF1FF88350B100A29E496EB295DB309844CF60

Function 0636152A Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce86d6e3e04525268e400b986a7356e7e6674b11ca140c1094da8dcbfe079df
Instruction ID: 65c15eea14b0ad5a569759265be0c4a2b54019fd7dcaf21fdc0e92414f501e7c
Opcode Fuzzy Hash: 7ce86d6e3e04525268e400b986a7356e7e6674b11ca140c1094da8dcbfe079df
Instruction Fuzzy Hash: 3731C474A00228CFDBA4DF14D895BE9BBB5EB88305F1080EAE51DA7685DB705EC4DF42

Function 00EFFE58 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed7c649ae2b2dd6e0779425c1e0e182aecb3dbc3d50be0e22f4a8673ebdff5e
Instruction ID: 1e5f38c1b0297bdd512be2503bb664fa3273f8c24cbaa6482721673e935041dd
Opcode Fuzzy Hash: 0ed7c649ae2b2dd6e0779425c1e0e182aecb3dbc3d50be0e22f4a8673ebdff5e
Instruction Fuzzy Hash: 31212835A002198FDB04DFA8D545AEDB7F2FF8C310F2041A5E505BB2A1DB31AD41CBA0

Function 00EF89A8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ccf7e9567e53807580c38130781ff175e19bca40441c1a4dd639ad349fc8362
Instruction ID: 868ae5704c331da8d905957444aa8f6c897ceea066371d24e5b9e2f8dabbce9e
Opcode Fuzzy Hash: 1ccf7e9567e53807580c38130781ff175e19bca40441c1a4dd639ad349fc8362
Instruction Fuzzy Hash: F2213A7490520CDFDB40DFA9C5497BEBFF1EB89304F20D1AAE609A3241DBB44A44DB52

Function 00EFDEA8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646cea7118ca4c7226953f76212257834958a4310ce3be74877a870f98d4f0ea
Instruction ID: 6bfe9b9ed375cce20390a2bb39e3cee3f5a507266a9bbc901ef4f44aaa37f062
Opcode Fuzzy Hash: 646cea7118ca4c7226953f76212257834958a4310ce3be74877a870f98d4f0ea
Instruction Fuzzy Hash: E3111271D0821DCFDB04CFAAD8446FEBBBABB99300F10946AD605B7250DB705A45CBA0

Function 00EFFDA8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b1617b061632aede1d11b97a6103985fa5e0c1753cbf00d5df415dd1476e416
Instruction ID: 423134a89c59f49b9a2044475debfb4566902200d0c4973916ddbd352e2f4b55
Opcode Fuzzy Hash: 5b1617b061632aede1d11b97a6103985fa5e0c1753cbf00d5df415dd1476e416
Instruction Fuzzy Hash: 06115E353002189FCB157B29D418ABD7BA6EFC82657158079EA0ACB361DF35DC43CBA1

Function 00D0D043 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616637538.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d0d000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f01e5f1659ed64de2dcc6f226e42ecfc18c18a3f275a02967475ac6a1a18fc9
Instruction ID: 964b2108630bc0fdfc3cd1e0cfe1701d2453961ab33725e168fb441ed7151732
Opcode Fuzzy Hash: 2f01e5f1659ed64de2dcc6f226e42ecfc18c18a3f275a02967475ac6a1a18fc9
Instruction Fuzzy Hash: 3011B676504244DFCB15CF50D9C4B16BF72FB84314F28C5AAD8494B656C33AD85ACBA2

Function 00EF0A27 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835a7b105b9b05726544d71a0f33149041ac309a75b9dfa94e2ff935022d19bf
Instruction ID: 122a8170000bf22dac334cc2fbf62e20c8f8712327fe918a0d37616f9e75ec43
Opcode Fuzzy Hash: 835a7b105b9b05726544d71a0f33149041ac309a75b9dfa94e2ff935022d19bf
Instruction Fuzzy Hash: 0E118E31A083588FCF15CF69C854AEEBBF4AF49300B0441A9D486E7256D7249808CFA0

Function 063661F1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40e0ca86e0448d9527a262e52786b36dd50b9484f557b52e8c64a3bab76cae7
Instruction ID: e909a1f3091fe02addcbf4f4a9b4c92da8a1c17fe95941444800bb6afda606e1
Opcode Fuzzy Hash: b40e0ca86e0448d9527a262e52786b36dd50b9484f557b52e8c64a3bab76cae7
Instruction Fuzzy Hash: 3121D874A04228CFCBA4DF14D895ADABBB1EF89304F1044EAE509A7395DB306EC5DF52

Function 0637F278 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3360db45e9d417bc22c03a9b118462c0f347649edd68e19b349953ece3d437
Instruction ID: e728a4e8d06425fd50d213b6a43bd5fecf8ae74fb620272a3a880cf871e6dc53
Opcode Fuzzy Hash: 2d3360db45e9d417bc22c03a9b118462c0f347649edd68e19b349953ece3d437
Instruction Fuzzy Hash: AA11F3B4E0020D9FDB48DFA9C8417BEBBF2FF88300F60846A9518A7350DB349A419B91

Function 00EF0928 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fe3e2d8c73b3eec54d867ced001a9a6b0c0af0c577ed9c68f8836a64c5546a
Instruction ID: 36071eccdb17cefc1e7be30d4ed0fda770a265c0d98c34e6185e8a8eda7d4d90
Opcode Fuzzy Hash: 84fe3e2d8c73b3eec54d867ced001a9a6b0c0af0c577ed9c68f8836a64c5546a
Instruction Fuzzy Hash: 3401F232D0070A8BDB009BA4DC004EFFBB6DFCA720F154611E50177290EBB0259ACBA1

Function 00CFD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616566029.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cfd000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9094fac3df07910e933ee2c8bb8068bd546bc1a69d164c84eb85e43e68bbb284
Instruction ID: 8d4b314849224fd8be24a9eb4861dcda5b194b987ad070d23be779bac91cf22a
Opcode Fuzzy Hash: 9094fac3df07910e933ee2c8bb8068bd546bc1a69d164c84eb85e43e68bbb284
Instruction Fuzzy Hash: C3014C6100E3C49FD7128B258C94B62BFB49F53224F1981DBD9998F2E3C2695D48CB72

Function 00CFD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616566029.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cfd000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db637136622d131ab56a5e597a7b4bf60c08a7748c1833f9fabafa7c74ad3e4f
Instruction ID: 10d31fffaca780d6a38de5d9f4f9d5b47c520acdbaf6ebe8ce6313989d32a0ee
Opcode Fuzzy Hash: db637136622d131ab56a5e597a7b4bf60c08a7748c1833f9fabafa7c74ad3e4f
Instruction Fuzzy Hash: 0D01F771404308ABE7504A26DC84B77BF98EF81720F18C01AEE1A0B282CB799945CAB3

Function 00EF8F70 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef3befc8494940bff4e764a02d4d11377be27819c7e6a4d7d15c57296fb4be7
Instruction ID: d17955586235bc4e073892bfd718ecd4dbfc1953d387330e8095d760449bc100
Opcode Fuzzy Hash: eef3befc8494940bff4e764a02d4d11377be27819c7e6a4d7d15c57296fb4be7
Instruction Fuzzy Hash: C6015A70E4424CEFC744DBB5C9469ADBBB6AF4A310F14C0E9D509E7262DA359E04DB11

Function 0636634A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74920651d8596b1c57edc09206258e74cb9fc7697fdea7c571b74806a01b5e3
Instruction ID: 736dc70828e0118f8cc3df14fb8aff925fc8675fe84df7fb96bbe49961f870d8
Opcode Fuzzy Hash: b74920651d8596b1c57edc09206258e74cb9fc7697fdea7c571b74806a01b5e3
Instruction Fuzzy Hash: 90114C74915119CFDBA4DF24D8A9BD9BBB1EF45308F0080E5E419A7388CB345EC88F51

Function 00EF09A7 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a28646221ec2a69fdc4a9dc3a232fc107cb6d9d64aafdc9ab4a8d923121187
Instruction ID: 2c23d7b8c02f04e3ebf780b3681115c8fe4655d9f3709af71866a15191bae32f
Opcode Fuzzy Hash: d2a28646221ec2a69fdc4a9dc3a232fc107cb6d9d64aafdc9ab4a8d923121187
Instruction Fuzzy Hash: 9BF02231A0028D8BDF05D770C425AFFBFB68F89300F05886AC402BB682EE74190AC7D1

Function 06365E94 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1c680b8d2b0bcc3ab24574829cd61d0364ffc39e9e5ebad63d4c323d54c042
Instruction ID: f05a1e25e70dfb1be97740b840a26c898d06c5e3f2aa2e2dc4fc37c92a5cfe70
Opcode Fuzzy Hash: 8e1c680b8d2b0bcc3ab24574829cd61d0364ffc39e9e5ebad63d4c323d54c042
Instruction Fuzzy Hash: 7811BA74A442199FCB94DF18D844B9ABBB1FB48304F1080EAE51DA7384DB346E819F90

Function 063618FF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1364753c64924f907883bde9a057ea9b08ae8ad8f9c8d92d1fe122f181fad05f
Instruction ID: 1171718192b8cab12f11bdce881c613db5f43bdc9033d1776a06fef1da0ebcde
Opcode Fuzzy Hash: 1364753c64924f907883bde9a057ea9b08ae8ad8f9c8d92d1fe122f181fad05f
Instruction Fuzzy Hash: 2C014074B141589FCB94EF24C85469ABBB1EB4D300F1084D5A50DA7744CF70AE818F92

Function 00EF8F18 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c773c9dfbeb382eb52d3782c0279faf0eeb32af62c9ea00f1e760d803f6c101f
Instruction ID: 70e7a8a2f9240d22427a745d6ef9e9527986bc2ed5494c68675ef550c4f84fb5
Opcode Fuzzy Hash: c773c9dfbeb382eb52d3782c0279faf0eeb32af62c9ea00f1e760d803f6c101f
Instruction Fuzzy Hash: 68F0B462A0D3CCEED712C77495197B97FA58B03304F04A4EAD549E7253DA714D44D326

Function 063674D8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0409fa0f57343a7b0b36e4ba33d32250b98d22cbad99d9d00390c02fc22fe78a
Instruction ID: 1d7824ecb99d67f79ddc2fc800204c4cee2cdaa003f65aaa4cf24a19013186c1
Opcode Fuzzy Hash: 0409fa0f57343a7b0b36e4ba33d32250b98d22cbad99d9d00390c02fc22fe78a
Instruction Fuzzy Hash: 0DF04930904219CFD7A49F58D959BAABFB1EF05308F0140EAE009A7685CB366A85CF61

Function 063603DE Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67def7487b5b52d88f53fd404b2abb1b7d79f9829a59538406d52367b040813b
Instruction ID: fe949cf73115846ea2807cadc2368aca85d29d7529bb1483d495a3304b6131d9
Opcode Fuzzy Hash: 67def7487b5b52d88f53fd404b2abb1b7d79f9829a59538406d52367b040813b
Instruction Fuzzy Hash: 5C016D34A041198FD7A8DF14C899BDABBB1EB44344F1080D5F60CA3388CB345E848FD0

Function 00EFDC90 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9cca05a56c8b86f33943b51bf29ae923ba216d312d1fa164d31ea3ccb7fa1a2
Instruction ID: b8f4b71b100cf7c8c372a8ccdf602d6b31422843a12c98a080f1d7895504cdb0
Opcode Fuzzy Hash: e9cca05a56c8b86f33943b51bf29ae923ba216d312d1fa164d31ea3ccb7fa1a2
Instruction Fuzzy Hash: 63F0C975D0420CEFCB84DFA8D940AACFBF5EB49310F20C1AAAD18A3350D6719A51DF40

Function 06375C00 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f54537d750ff5030a26ea8585c0815637a91e70da83e34e3cc385fd84199c8
Instruction ID: 73ead0d303dd63ec141612d2cd4c237c1b5ead8fbf6f141dbc57c087b4ef61fc
Opcode Fuzzy Hash: 56f54537d750ff5030a26ea8585c0815637a91e70da83e34e3cc385fd84199c8
Instruction Fuzzy Hash: A5E0ED74D04208EFDB94DFA8D54069CFBF8EB49311F10C4A99918A3350DA359A51DF90

Function 0637BCD0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f54537d750ff5030a26ea8585c0815637a91e70da83e34e3cc385fd84199c8
Instruction ID: fb11c6ac0ccb304709bacc086e6f2c187b03befa8a87f5b43beb7ff0f4e8c9a0
Opcode Fuzzy Hash: 56f54537d750ff5030a26ea8585c0815637a91e70da83e34e3cc385fd84199c8
Instruction Fuzzy Hash: 2FE0E575E04208EFDB94DFA9D940AACFBF8EB49311F10C0AA9C19A3350DA359A51DF80

Function 0637D998 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f54537d750ff5030a26ea8585c0815637a91e70da83e34e3cc385fd84199c8
Instruction ID: ca300b58f01eff49c3a52ab97eb7e521bb4839ee02633b92b100797c2111599a
Opcode Fuzzy Hash: 56f54537d750ff5030a26ea8585c0815637a91e70da83e34e3cc385fd84199c8
Instruction Fuzzy Hash: 5FE0E574E04208EFDB94DFA8D940AADFBF9EF59310F10C1AA9C18A3350D6359A51DF80

Function 0637A3D0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f54537d750ff5030a26ea8585c0815637a91e70da83e34e3cc385fd84199c8
Instruction ID: 22a5d65e7ab123105aff2c18c1c3a8b6bb1ff23a68237a9646e3182b0de79048
Opcode Fuzzy Hash: 56f54537d750ff5030a26ea8585c0815637a91e70da83e34e3cc385fd84199c8
Instruction Fuzzy Hash: A4E0E575E04208EFDB94DFA9D940AACFBF8EB49310F10C0AA9818A3350D6359E51DF80

Function 00EF8F28 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4afa037ff95f8f3c1dbaa4ac9f36b9a76e998b66f5808b5936e055bfb9a93a9
Instruction ID: b5a83d08ce1bfc419529c8dab2e4726343be46a557dd6dba791fc92b6fdf6705
Opcode Fuzzy Hash: f4afa037ff95f8f3c1dbaa4ac9f36b9a76e998b66f5808b5936e055bfb9a93a9
Instruction Fuzzy Hash: B4E09271A4934CDFD740DB75D5047B87BA9D702309F0054E9D509B3251DF710910D319

Function 00EFE138 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce6f0eeca6a836046d5df0369ca105621913ef51b90d94d286828b484c0a1a31
Instruction ID: a5cfc0056606b12c874b243c469e9f2acdda69d32e8edc6915738c070a2b8251
Opcode Fuzzy Hash: ce6f0eeca6a836046d5df0369ca105621913ef51b90d94d286828b484c0a1a31
Instruction Fuzzy Hash: 62E0DF75909208EBCB04CF94D800ABCBBB8AB46300F20C0A9990863350C631AA01EB90

Function 00EF081F Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b73ba990043280dbfc9943550db10088ae9d723788f990fed43db643e3e5bc5
Instruction ID: c93f3b4771c9ab97ca2dba6bba902179fee2a53e02e589942d1efdd9280b05bf
Opcode Fuzzy Hash: 2b73ba990043280dbfc9943550db10088ae9d723788f990fed43db643e3e5bc5
Instruction Fuzzy Hash: 82E01A2140E3D42FDB03977868686583F305D8351874E00CBD4C4DF4A3C95A480AC76B

Function 06378828 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1507966c86bb9ff17b1d40b11eb8dfa7bb76900da51e3ba5becb448beb8e0d3
Instruction ID: 4692a60b6e106d5e4f86c197400ad151fd725d3394987eeb70467d3c377ac807
Opcode Fuzzy Hash: c1507966c86bb9ff17b1d40b11eb8dfa7bb76900da51e3ba5becb448beb8e0d3
Instruction Fuzzy Hash: 74E01A35D08208EFDB94DF94D5456ACBBF8AB49200F14C1E98818A3341C6359A41DB80

Function 0637C080 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1507966c86bb9ff17b1d40b11eb8dfa7bb76900da51e3ba5becb448beb8e0d3
Instruction ID: 272005d2549be0f190ef9e8ead72a7c562eead324c5336528a3a26a1cb48d791
Opcode Fuzzy Hash: c1507966c86bb9ff17b1d40b11eb8dfa7bb76900da51e3ba5becb448beb8e0d3
Instruction Fuzzy Hash: BCE04F74D04208EFDB54DFA4D5446ACFBF8EB49200F14C0E9C85853341C6359A12DBC0

Function 0637DFB0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b395468f582ca347a731126461e1ef2b5c847ea1d57eaa62780a46961e7a75e
Instruction ID: 7023058c2ad58ecd4de305f7a7df9a0bccec7c8c1756e0778936854e2c791c68
Opcode Fuzzy Hash: 6b395468f582ca347a731126461e1ef2b5c847ea1d57eaa62780a46961e7a75e
Instruction Fuzzy Hash: 69E01234D05208EFDB84DF98D9406ACBBF8EF89200F24C4AA9818A3340C631AA12CB80

Function 0637BFC0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1507966c86bb9ff17b1d40b11eb8dfa7bb76900da51e3ba5becb448beb8e0d3
Instruction ID: 0149ea226f19e34f10bb98355ccc05b3d6484013c336e8c3cf0c4b217039f0bf
Opcode Fuzzy Hash: c1507966c86bb9ff17b1d40b11eb8dfa7bb76900da51e3ba5becb448beb8e0d3
Instruction Fuzzy Hash: DAE04F38D05208EFDB54DF94D5506ACFBF8EB49200F14C0EAD81963341C6359A01DF85

Function 0637E1A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f42a1107eb9f87110ab8ed6ea7a2775c3364399d26841f69b53e766fd2ed142
Instruction ID: e1c2a0aaa46da19c7bb3235394f328c56d90987420cbde6747f0424b7e1df0da
Opcode Fuzzy Hash: 7f42a1107eb9f87110ab8ed6ea7a2775c3364399d26841f69b53e766fd2ed142
Instruction Fuzzy Hash: 00E0C234908208DFDB44DF94D94266CBBF8EB46300F20C0ECC80863350CA319E02CBC0

Function 063787E0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc98505a2d566631f713dc802e5b07ac96783d8e91a54345a1655635af11164
Instruction ID: f8c35ef6f9350064ef79a165d9a68d7690b240b3ad0bf649c2e40dc77862573b
Opcode Fuzzy Hash: 3dc98505a2d566631f713dc802e5b07ac96783d8e91a54345a1655635af11164
Instruction Fuzzy Hash: 8FE0C27194120CDFD740EBF4890475E77F8DF05200F2144F59208A7290EA314A10DBA6

Function 00EFCC30 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae1ee5f5a01b84a734b78511bc01b9f043baaf3b3969baed97ffc5118664369
Instruction ID: bfa17f2f8b86988385006829613e50ed4253ab55b744ffcb8c7b05c30c8dd880
Opcode Fuzzy Hash: aae1ee5f5a01b84a734b78511bc01b9f043baaf3b3969baed97ffc5118664369
Instruction Fuzzy Hash: 21E08C3184120CDFD704EBF4990879EB7F8EF06201F1084E59508E3210EE314A10DBA1

Function 0637E578 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1637203053.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6360000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6656ceeb12f4fddad83d301ef57dcd3d5ce6d2d9c44a9f5b08117692d9443cc3
Instruction ID: a21d13e32fa0c4fd0a0ef3940420fac3b57a43bccb05b057ae20dbe6e905d553
Opcode Fuzzy Hash: 6656ceeb12f4fddad83d301ef57dcd3d5ce6d2d9c44a9f5b08117692d9443cc3
Instruction Fuzzy Hash: F2C08C2108A30C8BE2A413847408338B2DC8707322F449C84510C4246197B49420D5D5

Function 00EFCA98 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1616987421.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ef0000_SyncRoot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48774aa4f6575ae3b2f457d60689a957f97691efcd57f1972c7843f681e4e21
Instruction ID: 59e6ed3d7bcfade38df6968d7ccde2eee677f242f6e4656d86c8eec51b47d495
Opcode Fuzzy Hash: d48774aa4f6575ae3b2f457d60689a957f97691efcd57f1972c7843f681e4e21
Instruction Fuzzy Hash: 11C08C2108270C8BE74473E0660E33872D85F02206F646490D20C711518AB46060CA3B

Analysis Process: InstallUtil.exePID: 3600, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	39
Total number of Limit Nodes:	2

Executed Functions

Function 06AB7D90 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3990189315.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ab0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47fac26703f76e29f9c600ba516ab7db7423c52f7610b3a41d5ca60a7714b13b
Instruction ID: 42a3aa317b5b9e77ec5ba0b008b50d3a5bdc2ff1bbfab323d59b96e1e14da297
Opcode Fuzzy Hash: 47fac26703f76e29f9c600ba516ab7db7423c52f7610b3a41d5ca60a7714b13b
Instruction Fuzzy Hash: 2EF1E274E01218CFDB64DFA9D884BDDBBB6BF88304F1481A9E808AB355DB749985CF50

Function 014DBBB0 Relevance: 1.5, Strings: 1, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

q^, xrefs: 014DBBB3

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID: q^
API String ID: 0-4214105787
Opcode ID: eea1c7daa6ac1f930cbe6d3b727e6c7b8385f8b974a002a01afb44df3fd1eb8b
Instruction ID: 4f41f651eabb3a3f905b5671fd45360b859b64f1b3c1bbf4bc68fff016055a65
Opcode Fuzzy Hash: eea1c7daa6ac1f930cbe6d3b727e6c7b8385f8b974a002a01afb44df3fd1eb8b
Instruction Fuzzy Hash: 7FA1F774E042488FEF15CFAAD894A9DBBF2FF8A310F1580AAD419AB365DB345941CF11

Function 014D9858 Relevance: .9, Instructions: 860COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe4d44e441bd3fc94faa7985d2ed67210cbadd3f37d2dd8fa6cff8fc7e08683
Instruction ID: a6f6c808df103130eb70cd5144598b092fd229ee3dff01ef4bfcafad03d4ace5
Opcode Fuzzy Hash: 6fe4d44e441bd3fc94faa7985d2ed67210cbadd3f37d2dd8fa6cff8fc7e08683
Instruction Fuzzy Hash: C3725A71A00209DFCF15CF68C994AAEBBB2FF88314F25855AE905DB3A1D734E985CB50

Function 06AE11A0 Relevance: .7, Instructions: 745
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c8ade7e6f776f0f9cda07e0ebe0d2e326240480ab7da60d8f2cd4e7d9f6d48
Instruction ID: 0ca6a6e8b371ec1901bf721d1b8bcd5f5b353e2b6a3fe953fd5152688e500ddc
Opcode Fuzzy Hash: 97c8ade7e6f776f0f9cda07e0ebe0d2e326240480ab7da60d8f2cd4e7d9f6d48
Instruction Fuzzy Hash: 1E825D74E012288FDB64DF69D994BDDBBB2BB89300F1481EAD80DA7261DB345E85CF41

Function 014DEE68 Relevance: .7, Instructions: 716
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bfbf446e602d085460b19e9d6f29e6fa096d137fe039d94ea607242523a9f9
Instruction ID: dda4d10ba63b12fcbe79be7492acfc1f58c9769348e37472acb99984ac0236ce
Opcode Fuzzy Hash: 44bfbf446e602d085460b19e9d6f29e6fa096d137fe039d94ea607242523a9f9
Instruction Fuzzy Hash: 9172B174E012298FDB65DF69C994BD9BBB2BB49300F1481EAD409A7361DB349EC6CF40

Function 014D6108 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f740c85f64cc8ab6ac412aa5c12081965a93676d910dae99d086cfe55e2816
Instruction ID: a838564501ed5c3523bf50a1fc5ba08258bad704748104a62638ad30234db8ab
Opcode Fuzzy Hash: 53f740c85f64cc8ab6ac412aa5c12081965a93676d910dae99d086cfe55e2816
Instruction Fuzzy Hash: BE129E70A002199FDB14CFA9C854BAEBBF6FF88310F15856AE405DB3A5DB349C86CB50

Function 014D6730 Relevance: .5, Instructions: 452
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d7c8862a08e5b00c5fe4c533e9f397ece62c81f4f647f2ca19a07e5b2cf71d0
Instruction ID: 90ed0f805a36f0fc17e72a30a8f033e8ff330264d7f45d37f015cf0d35d61ed0
Opcode Fuzzy Hash: 4d7c8862a08e5b00c5fe4c533e9f397ece62c81f4f647f2ca19a07e5b2cf71d0
Instruction Fuzzy Hash: AF023A70A00219DFDF15CFA9C994AAEBBB2FF89314F16806AE905AB365D730DC41CB51

Function 06AE8608 Relevance: .3, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3005ca2e845232b0d6692ed80b96f913923c569ea063a46ceb33a718c295acb6
Instruction ID: f53956c46df1a595c134171ce9a46978f757d4d2782bac835ffce55dc6335df1
Opcode Fuzzy Hash: 3005ca2e845232b0d6692ed80b96f913923c569ea063a46ceb33a718c295acb6
Instruction Fuzzy Hash: 00E1D074E01218CFEB64DFA5D944BDDBBB2BF89304F2080A9D409AB294DB355A85CF50

Function 06AE74A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 529abbf38215971197d8c04e0dc014e2939a22e0c1da137f4f08c08689ae298e
Instruction ID: 82eb9b28750637333c4da16484886b8ad3e1026239495e3fdcd6ac972bb24254
Opcode Fuzzy Hash: 529abbf38215971197d8c04e0dc014e2939a22e0c1da137f4f08c08689ae298e
Instruction Fuzzy Hash: 71C1A074E00218CFDB54EFA9D954B9DBBB2EF89300F2080A9D809AB355DB359E85CF50

Function 06AE8BF2 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 499fccc39aa503b75b39336491a900f4083d80df94a4dedd82f01bc32167234d
Instruction ID: 8489678ad4e62a715301b5fa0c69963fd70bbbb660249a1377495976d05b03d6
Opcode Fuzzy Hash: 499fccc39aa503b75b39336491a900f4083d80df94a4dedd82f01bc32167234d
Instruction Fuzzy Hash: 5391F374E01218DFEB68DFAAD844ADEBBF2BF89304F10816AD419AB354DB355941CF90

Function 06AEB6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af14f1069c8b6ab3846b58035f9a81753aaa3edb700098e727e7cc5d75346224
Instruction ID: 985e29a8a2c6e7a02d1a8d6fdce5dae4732b91eeb1914bd1e18c2f72949057ae
Opcode Fuzzy Hash: af14f1069c8b6ab3846b58035f9a81753aaa3edb700098e727e7cc5d75346224
Instruction Fuzzy Hash: E1A19375E012188FEB68DF6AC944B9DBBF2BF89300F14C0AAD409B7254DB745A85CF60

Function 06AED670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c14df85f20e7bf6ea331c362f2bc59329ab0b8de723bb86b9e0d0982d819488
Instruction ID: 017fc9480ccb99aac9e829cda7353072d1bb103a95cb4e3e75bd3327b3628e0f
Opcode Fuzzy Hash: 0c14df85f20e7bf6ea331c362f2bc59329ab0b8de723bb86b9e0d0982d819488
Instruction Fuzzy Hash: ADA19075E012288FEB68DF6AC944B9DBBF2AF89300F14D0AAD40DA7254DB745A85CF50

Function 06AEC388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5be41cfd019983632b07784856c4ef3dbcfa17534c731cc39ebdf3b08c8223b
Instruction ID: 482cc862fe70e07e6c342f05354111060f19115ad0ccdf42c265376c31846189
Opcode Fuzzy Hash: a5be41cfd019983632b07784856c4ef3dbcfa17534c731cc39ebdf3b08c8223b
Instruction Fuzzy Hash: 1BA1A3B5E01218CFEB68DF6AC944B9DBBF2AF89310F14C0AAD409A7255DB345A85CF50

Function 06AEA408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0f1fed930aa95fd0eef0bc8b4ec7d36062b53db55bba6e9b7b65e5655d62ab
Instruction ID: da13092f55dc1a2ddf1cf00d18f95ac44afc7e05f126ac73f911c89c51bc7a1f
Opcode Fuzzy Hash: 3c0f1fed930aa95fd0eef0bc8b4ec7d36062b53db55bba6e9b7b65e5655d62ab
Instruction Fuzzy Hash: 00A19275E012188FEB68DF6AC944B9DBBF2BF89300F14C0AAD50DA7254DB345A85CF51

Function 06AEC9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecc5c16fe06999aab415c83528b53e905f5d176222fb3d1763906fa568fd79c
Instruction ID: e2b5ec4a9e50c11990eae842d105ed3b78e66a8fcc301f9f28932c937d248ba7
Opcode Fuzzy Hash: fecc5c16fe06999aab415c83528b53e905f5d176222fb3d1763906fa568fd79c
Instruction Fuzzy Hash: 0CA1B375E012188FEB68DF6AC944B9DBBF2AF89310F14C0AAD40DB7250DB345A85CF50

Function 06AEBD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d01da2cbc49444069a3a3f5922d7875bd1a1098fdbfbc60c838c7fc2433893
Instruction ID: ac153fb1437c24863ebb95f3cf61211ccbfe7195ad27aa3814b7eb6bfae06a12
Opcode Fuzzy Hash: 77d01da2cbc49444069a3a3f5922d7875bd1a1098fdbfbc60c838c7fc2433893
Instruction Fuzzy Hash: 04A19275E012188FEB68DF6AC944B9DFBF2BF89300F14C0AAD409A7255DB345A85CF51

Function 06AEAA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c07e905ad049f22560128d66705cb0997efe9e173441a9a260901e945120d2
Instruction ID: fde0730faed62b851db819f541ba3505cf0b2272c36d519b50057eba2c14e933
Opcode Fuzzy Hash: 70c07e905ad049f22560128d66705cb0997efe9e173441a9a260901e945120d2
Instruction Fuzzy Hash: CDA1A175E012288FEB68DF6AC944B9DBBF2AF89300F14C0AAD509B7254DB745A85CF50

Function 06AEB0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9001afa5994b556941cbdc58548f2ca90004dc3487b2f578ab92f709cac78ce6
Instruction ID: 9828ca5d986d4aa9a368cfda196fcc907d1c75d2bfb979d56a4ded540784701f
Opcode Fuzzy Hash: 9001afa5994b556941cbdc58548f2ca90004dc3487b2f578ab92f709cac78ce6
Instruction Fuzzy Hash: 9CA19275E012188FEB68DF6AC944B9DBBF2AF89300F14C1AAD408B7254DB345A85CF60

Function 06AED028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af1c0f99cdca73ce959ea4c28b030cf841d653aa71444e971b29cf91799bee7
Instruction ID: 0a598c9937a02080bc88e720a637991c5ae31ced3b24289d3d74a290af108e14
Opcode Fuzzy Hash: 2af1c0f99cdca73ce959ea4c28b030cf841d653aa71444e971b29cf91799bee7
Instruction Fuzzy Hash: 4DA18075E012288FEB68DF6AD944B9DFBF2AF89300F14C0AAD409B7254DB345A85CF51

Function 014DC470 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b83fb2027bba04296753b11dfaad06ea89aa2d2675eacecb70dfce5802380e
Instruction ID: bd640511b2b1db80a9609798ad451aaa4194ad81d6f85bf3b666bc7553882368
Opcode Fuzzy Hash: b0b83fb2027bba04296753b11dfaad06ea89aa2d2675eacecb70dfce5802380e
Instruction Fuzzy Hash: D991C474E00218CFDF14DFAAD994A9DBBF2BF89310F14806AE819AB365DB345941CF51

Function 014DC753 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ed98121486b6fca4fc1c3eeab615565991e8cda1350bd7f365debd32b58d69
Instruction ID: 4a630beb46943d9d5d07403647d0e178718c40420d01c385ca9a846acc0db0cb
Opcode Fuzzy Hash: 47ed98121486b6fca4fc1c3eeab615565991e8cda1350bd7f365debd32b58d69
Instruction Fuzzy Hash: 1481A474E00218CFDF18DFAAD994A9DBBF2BF89311F1480AAE409AB365DB345941CF51

Function 014D4AD9 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe98dec41b3bfa904804dbfbec8481fc69b82d14d549c6a59961ecd7df17d3b
Instruction ID: f849bb63870dc2716b9fc7530215ed26b514d04e9cb7c4cb27d340317c4ecfbc
Opcode Fuzzy Hash: fbe98dec41b3bfa904804dbfbec8481fc69b82d14d549c6a59961ecd7df17d3b
Instruction Fuzzy Hash: 0781A474E00218CFEB54DFAAD994A9DBBF2BF89300F15C06AD819AB365DB345981CF11

Function 014DC190 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9efbfa2c7bc68c1ee6b11316099d0177c58d84d819a4af711ad0410d0bcd9b51
Instruction ID: c6276489e2926cbbf0cf6eba7291933dd14fede49ad9531afdb905f9cfe656f6
Opcode Fuzzy Hash: 9efbfa2c7bc68c1ee6b11316099d0177c58d84d819a4af711ad0410d0bcd9b51
Instruction Fuzzy Hash: 2E818374E00218CFEB14DFAAD994A9DBBF2BF89310F14C06AE419AB365DB345981CF51

Function 014DBEB0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428d44cc02163828ce9e94e7fafaba6a30dddc2f9c27c8bb697fa8a60b77a1d9
Instruction ID: 2585929ca23e0fab027b6995fd625096b9517b86eee0548f3381e37f8a7d3585
Opcode Fuzzy Hash: 428d44cc02163828ce9e94e7fafaba6a30dddc2f9c27c8bb697fa8a60b77a1d9
Instruction Fuzzy Hash: E581A4B4E00218CFDF15DFAAD994A9DBBF2BF89300F14806AE419AB365DB305981CF51

Function 014DCA33 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b99ad0d3f4ec6798b3ef1ee77199f481f6b003dbcd5ab8d5f24252afbc7b32
Instruction ID: 46139c9d6b768a3c4377a20a7e5f97ae3619ac1a96b7da92fb6f44c66d236035
Opcode Fuzzy Hash: 36b99ad0d3f4ec6798b3ef1ee77199f481f6b003dbcd5ab8d5f24252afbc7b32
Instruction Fuzzy Hash: 64819474E00218CFDF14DFAAD994A9DBBF2BF89300F14806AE419AB365DB349981DF51

Function 014DB4F7 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5acfe09c86b1c3259a25fcb6fa86b92453ad81e0a792b1df1ceed325cacfe8
Instruction ID: 07f2d417f79bdb2ed04cd6ec8f2b431165207d0ec9159dbfaebe9af4cdd6700c
Opcode Fuzzy Hash: 3e5acfe09c86b1c3259a25fcb6fa86b92453ad81e0a792b1df1ceed325cacfe8
Instruction Fuzzy Hash: F5817274E002188FEB14DFAAD954A9DBBF2FF89300F15806AE419AB365DB349981CF51

Function 06AE1191 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9018d4a1e021d7015878b84ce57a6995846ab9569d8c66c068f8dc1b5854c224
Instruction ID: 7e0ffcc5d2e673541d54395e5962e094b87360397899ec3e20dffa7c7aca7710
Opcode Fuzzy Hash: 9018d4a1e021d7015878b84ce57a6995846ab9569d8c66c068f8dc1b5854c224
Instruction Fuzzy Hash: CB81A274E412299FDB65DF6AD850BDDBBB2BF89300F1080EAD819A7250DB345E85CF40

Function 06AED018 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7e926db42e3765ded3cd90629a05c094c683eb5a3dba948f80b142f0d0742a
Instruction ID: 6328d1953d99367c4e031d898a118a49dd942a3e2904e28aa6192ea59487fddf
Opcode Fuzzy Hash: 0b7e926db42e3765ded3cd90629a05c094c683eb5a3dba948f80b142f0d0742a
Instruction Fuzzy Hash: 89719374E016188FEB68DF6AC944B9EFBF2AF89300F14C1AAD40DA7255DB304A85CF51

Function 06AEAA52 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30df671cca74ebbd0448e11d1aa196a05fd9e9c5858c3888ed302c219a39f7e4
Instruction ID: 27248cdf8db983df7bfece2e6b15e7985125c4360271620af93c3ac472198aeb
Opcode Fuzzy Hash: 30df671cca74ebbd0448e11d1aa196a05fd9e9c5858c3888ed302c219a39f7e4
Instruction Fuzzy Hash: BB7194B5E006188FEB68DF6AC944B9DBBF2AF89300F14C0EAD50DA7254DB345A85CF51

Function 06AEC378 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29e6f2ab044089f34aca08d73c1bfbd86caca7609a38fa7cd2db069f542560b
Instruction ID: e34600702ec0f36c16229cc6ca3b4aeee464b13e4396e483cd7b1123852f1100
Opcode Fuzzy Hash: c29e6f2ab044089f34aca08d73c1bfbd86caca7609a38fa7cd2db069f542560b
Instruction Fuzzy Hash: 5E519A71D016189FEB58CF6BC9447CAFAF3AFC9300F14C1AAD40CAA255DB740A868F51

Function 06AE8602 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f64a9564fe79da4af1cb0bc7f897c8c503664289075bf3a793903110d564a4
Instruction ID: 1a95d85e41777af0d4e5b951313c3b1f8d6efb6ae576cf5c1bacb36c789e0d34
Opcode Fuzzy Hash: 49f64a9564fe79da4af1cb0bc7f897c8c503664289075bf3a793903110d564a4
Instruction Fuzzy Hash: 1641A0B0D002088BEB58DFAAD9547DEFBF6AF88304F24C06AC418BB294DB795945CF54

Function 06AED662 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be9a935381558fa5d2ae72cbdc43839589c3b5df7678d175506f3f430f9572f
Instruction ID: 9f542865e5c8d640a6b25d6c452fc38974c724e3e7dd8de2a313ac6c1a9dc1b3
Opcode Fuzzy Hash: 1be9a935381558fa5d2ae72cbdc43839589c3b5df7678d175506f3f430f9572f
Instruction Fuzzy Hash: 984169B1E016188BEB58DF6BCD447CAFAF3AFC9310F14C1AAD50CA6265DB740A858F51

Function 06AEBD28 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb92b597c03fd26ff82b7876c40fa37c9715e717f8029d6a18cf303bf2c23ee
Instruction ID: 595ff9ad4c9dbb1ec64e54bac963b83e965c759904023db79f93622773fe8678
Opcode Fuzzy Hash: 5cb92b597c03fd26ff82b7876c40fa37c9715e717f8029d6a18cf303bf2c23ee
Instruction Fuzzy Hash: A9417BB1D016188BEB58DF6BC9447CAFAF3AFC9310F14C1AAD50CA6264DB740A858F51

Function 06AEB6D9 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37af935318a92f01a3251948cf509ad9318b1c993b7950abdb5e537d00d2710
Instruction ID: 80f20b564ed11149270fe9f581d6d746c1cbc66ab2cd70baa4d935db9477ee65
Opcode Fuzzy Hash: a37af935318a92f01a3251948cf509ad9318b1c993b7950abdb5e537d00d2710
Instruction Fuzzy Hash: 104179B1D016188BEB58CF6BCD447CAFAF3AFC9310F14C1AAC50CA6264EB750A858F51

Function 06AEC9C8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f97bd626cdf384d52a9d7a309a7db9af0f132b4f8d17b9c041cb38cf7a67ed0
Instruction ID: 070a60ebd56e0f0407cc4b1df41f18bf0fa6b22b4cbce81295efa8d4007ea52d
Opcode Fuzzy Hash: 9f97bd626cdf384d52a9d7a309a7db9af0f132b4f8d17b9c041cb38cf7a67ed0
Instruction Fuzzy Hash: B1418A71E016188BEB58DF6BCD457C9FAF3AFC9310F04C1AAC40DA6264DB340A858F54

Function 06AEA3F8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0223b23fcb1331fa2ba079126232f072dea3f2c23ce4e0cdfd454a1a8006b52c
Instruction ID: b521dc5340247ecbfb3cc7d2bac40850358928911077a6f720e1955eaafe2d85
Opcode Fuzzy Hash: 0223b23fcb1331fa2ba079126232f072dea3f2c23ce4e0cdfd454a1a8006b52c
Instruction Fuzzy Hash: 1F4159B1E016188BEB58CF6BC9457DAFAF3AFC9310F14C1AAD50CA6254DB740A858F51

Function 06AE7497 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb073499d7c151be3522c35639436ed4adfb937efe04739f6ac0c749250dd5ae
Instruction ID: 7c48044d48c33eff737e71c128342ac1af911b8b3dc57863ab872b9c9c5996a4
Opcode Fuzzy Hash: bb073499d7c151be3522c35639436ed4adfb937efe04739f6ac0c749250dd5ae
Instruction Fuzzy Hash: 2141E571D01248CBEB58EFAAD9546EEFBF2AF88300F24D12AC419AB254DB354945CF54

Function 06AB8174 Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06AB82B6

Memory Dump Source

Source File: 00000005.00000002.3990189315.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ab0000_InstallUtil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 22af8e5457c4a98f16e5ebbb4d14abfd5fecd236627d13dbd7b2566266d123ab
Instruction ID: afd7309af952a827bdf6d73fd34af11ea2d74367437df410a9b8a0ee1cdd4430
Opcode Fuzzy Hash: 22af8e5457c4a98f16e5ebbb4d14abfd5fecd236627d13dbd7b2566266d123ab
Instruction Fuzzy Hash: D1119A74E002098FEB54EBACD484AEDBBBDFB88314F1491A8E814A7242D7349C41CBA0

Function 014D77F0 Relevance: .7, Instructions: 702
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efea9b675b878004bc86d5dd35879aa86083afe2e7be4df192728d15efb9def4
Instruction ID: 6cd5c148260b681c1165e1c322ee2a617ee82569901923f44775f30451e3e537
Opcode Fuzzy Hash: efea9b675b878004bc86d5dd35879aa86083afe2e7be4df192728d15efb9def4
Instruction Fuzzy Hash: BC523034A002198FEF159BE5D860BAEBB72FF98701F1084AAC10A6B3A5CF355D85DF51

Function 014D6E58 Relevance: .5, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8454e47736900adc9eaa35410d9958df2d3b0a1bf7722e6dd7c1182d652afede
Instruction ID: 59afe7daa833d16f14313aec1c031161c37a5ce4afb61b54cea7b8bed4e6f8c2
Opcode Fuzzy Hash: 8454e47736900adc9eaa35410d9958df2d3b0a1bf7722e6dd7c1182d652afede
Instruction Fuzzy Hash: 3F126B30A002498FDF15DFA9D994A9EBBF2BF88315F15859AE905DB3A1DB30EC41CB50

Function 014DA818 Relevance: .4, Instructions: 411
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381634e25cfb469dace6a814dc1037983b8b1462cacbca10cfc6abe46ae0b5fe
Instruction ID: 98357c5854db334f50472eba3c179e22b99e9751af3113ab6962d3ce40785def
Opcode Fuzzy Hash: 381634e25cfb469dace6a814dc1037983b8b1462cacbca10cfc6abe46ae0b5fe
Instruction Fuzzy Hash: 43F12E75A002158FCB15CF6DD5949AEBBF6FF88310B2A845AE515AB371CB31EC82CB50

Function 014D0C8F Relevance: .4, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da35e5258f6031c2ea2d601371df221f4f07a169c9d8a9acf177beaf85aaf567
Instruction ID: bd463dae91d2d0910cab3756a304bee925fb4232a7d479f32b203349a0aa5896
Opcode Fuzzy Hash: da35e5258f6031c2ea2d601371df221f4f07a169c9d8a9acf177beaf85aaf567
Instruction Fuzzy Hash: 1A22EC78A0021DCFCB64DF69E994A9DBBB1FF88311F1081A9E819AB364DB345D85CF41

Function 014D0CA0 Relevance: .4, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2215b64af2a3186d9567ee73b5aa59ca84b91b903d9a6def24236cd833be8c12
Instruction ID: f98e33720b877c80c1150a2019ce7f9ef0f6a88c15bd8b125718f9306fe8db8c
Opcode Fuzzy Hash: 2215b64af2a3186d9567ee73b5aa59ca84b91b903d9a6def24236cd833be8c12
Instruction Fuzzy Hash: 2E22DC78A0021DCFCB64DF69E994A9DBBB1FF88311F1081A9E819AB364DB345D85CF41

Function 014D87E9 Relevance: .3, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f94353eb051650c56f01b66c7bbc8b5859dca0544175142526cc8d646e03f3
Instruction ID: a3cac73f69dd2abdbfb78783ef4ba99f7dd290951b24570dedae878c3710df2a
Opcode Fuzzy Hash: e5f94353eb051650c56f01b66c7bbc8b5859dca0544175142526cc8d646e03f3
Instruction Fuzzy Hash: 80B13FB03141128FEF159B2DD978B3A36A6EF85614F1544ABF602CF3B2EA75CC428742

Function 014D56A8 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c661922b3f850d445a53db65688de29d3549a1b0d8d266a179595810ff47c1
Instruction ID: acfed8ca960979cedbbd2f05d94aa7fd8d14e846f40f8de29d6fe19026c79e5d
Opcode Fuzzy Hash: 23c661922b3f850d445a53db65688de29d3549a1b0d8d266a179595810ff47c1
Instruction Fuzzy Hash: BC91CF303042408FEF169F28D868B6E7BB2FB89210F14846EE4068F3A5DF758C46CB91

Function 06AE23E0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7fec25622707d923cc013580f8d0577835b1d50a0cb93b5740ee3d1172fcabd
Instruction ID: 1c9fce796a0d0cc0cd02f66f8716798ca9f8b7c6ce6be81f4e7b4d106e75ad68
Opcode Fuzzy Hash: f7fec25622707d923cc013580f8d0577835b1d50a0cb93b5740ee3d1172fcabd
Instruction Fuzzy Hash: 1C81C234B101058FDB48EF79D954A6E77BAFF88710B1581AAE406DB3A1EB34DD01CBA0

Function 014D5C08 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6131ed1c16d95ada8bef007631f722fb8ffefe4ff7bcc1491eaf080651e0fdaa
Instruction ID: 2d87e1f03b33ace9f93cd9175c0581bda02cfe5ce6d54d9c660a4fabf33f6464
Opcode Fuzzy Hash: 6131ed1c16d95ada8bef007631f722fb8ffefe4ff7bcc1491eaf080651e0fdaa
Instruction Fuzzy Hash: DD818134A001058FDF14DFADC4A8A6ABBB2BF89611B14C16AD506DF375DB31E842CBA1

Function 014D7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4418f19c5b374d183aa467da2b58a7090919fb73ef6cbeca9a6b1c1757c236
Instruction ID: d9635eb5eefa7341d0438c0734bf49c634e2fa1e6ddff522703e63c4c499fd9f
Opcode Fuzzy Hash: ef4418f19c5b374d183aa467da2b58a7090919fb73ef6cbeca9a6b1c1757c236
Instruction Fuzzy Hash: 64712B347002458FDF15DF2CC4A4A6E7BE5AF4921AF5940AAE906CB3B1DB74DC42CB91

Function 06AE9510 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e019f310903bb6a6edc88d4f90222379bf6b0d475a1516d36fa4ca2a7cc801c
Instruction ID: 5d7d5ebed242fc5fbe0cd6a21d83e61c52500fd818d0107def2c4871bfda97d6
Opcode Fuzzy Hash: 2e019f310903bb6a6edc88d4f90222379bf6b0d475a1516d36fa4ca2a7cc801c
Instruction Fuzzy Hash: AA517C31E003199BDB59EBB5C8506EEBBB2AF89600F54446AE401BB380EF749D46CBD1

Function 014DD36B Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ebd9b77b3a9c22a03005b1815d8d6b96ce38da32bec08f4893242cba2667cb
Instruction ID: 9175b110810ad24074c2b057bb51f74b479cd65c1bd9c0bf1dd5df325081ab24
Opcode Fuzzy Hash: 11ebd9b77b3a9c22a03005b1815d8d6b96ce38da32bec08f4893242cba2667cb
Instruction Fuzzy Hash: E051BC350756828FC3307FB4E6AC52E7BB1FB0F363745AD49A10E8A029DB34046ACB61

Function 014DD378 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3287a53365bb2e3091c508c24ce6b7b321be1d76dab94f0e726b18ef065fdaf
Instruction ID: 405cf95a0db5381dfd267cc5e0d53b6b7eb3ca8af1c979e44ee961bd47b3e32e
Opcode Fuzzy Hash: d3287a53365bb2e3091c508c24ce6b7b321be1d76dab94f0e726b18ef065fdaf
Instruction Fuzzy Hash: FF5199350756868FC3303FB4E2AC56EBBB1FB0F377745AD09A11E8A0299B35045A8B65

Function 014DE137 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d1db711a048e3fb8a9d6e327522e56185c5fd49c65446a20a3775bca28f54d
Instruction ID: d96542afd626eacc4ff3a2b7467e116584291cec9a5af694b50ef254872c5847
Opcode Fuzzy Hash: 76d1db711a048e3fb8a9d6e327522e56185c5fd49c65446a20a3775bca28f54d
Instruction Fuzzy Hash: FE61E074D01318DFDB25DFA5E854AAEBBB2FF89300F608529D805AB354DB39598ACF40

Function 014DD033 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5cb0d0058b8372b2ef81ba81235af28c61ca092858b751c6d8c681890c51fb
Instruction ID: f6340913a8bdf375d76f743c02317633844408e18db5025f947f01aeb5fa5250
Opcode Fuzzy Hash: 1a5cb0d0058b8372b2ef81ba81235af28c61ca092858b751c6d8c681890c51fb
Instruction Fuzzy Hash: 22518474E01208DFDB54DFAAD98499DBBF2FF89300F24816AE815AB365DB31A901CF50

Function 06AEDCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb29db6c700fffc1a5b7f0a75e4591b32b261ed847a5c08aaa3f59945260c2d8
Instruction ID: 70d31271533dfb787eb42eafd0cf49c3c89db56aac59cef3d1ebb459cbd2c35c
Opcode Fuzzy Hash: bb29db6c700fffc1a5b7f0a75e4591b32b261ed847a5c08aaa3f59945260c2d8
Instruction Fuzzy Hash: 93414C3590131ACFDB14AFA1D46C7EEBBB1EB5B312F10486AD1116A2E4CB790A84CF90

Function 014D3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119b9b14a0b5d0f1d071aca32c6c41e0e8e4ba8f5360d7595823c5649d76325a
Instruction ID: 1e2b7c4a0241068805822b0d1ade1746856c9361e8785d40ef269fdfea7b02db
Opcode Fuzzy Hash: 119b9b14a0b5d0f1d071aca32c6c41e0e8e4ba8f5360d7595823c5649d76325a
Instruction Fuzzy Hash: 55518379E01209CFCB08DFAAD59099DBBB2FF8D311B209069E815AB364DB35AD41CF51

Function 014DEF49 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d8a8165eb42d26bd42cec4f42b07505ae56fdc849c50101f21f092a0c438e7
Instruction ID: 1a14bbe20fb3c4769d56b9161734a869d82ce68f64ce89c7d5371199f8cc6d67
Opcode Fuzzy Hash: a6d8a8165eb42d26bd42cec4f42b07505ae56fdc849c50101f21f092a0c438e7
Instruction Fuzzy Hash: 8D51CF74D02229CFCB24DF65D994BEDBBB1BB49301F1055AAD409A7360DB35AE85CF40

Function 014D9A63 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5510e3dccbb76a0ffdf4b480bef3875c7f570014abeeea81d60d4818c7f3234
Instruction ID: 12612e467dd17b7e821aa9051d30b199e3465ddfdcb4b5fd22c91b8f327d6bbd
Opcode Fuzzy Hash: f5510e3dccbb76a0ffdf4b480bef3875c7f570014abeeea81d60d4818c7f3234
Instruction Fuzzy Hash: 5151C331A04249DFCF12CFA8C854A9EBFB2BF45318F048156E905DB3A1D330E955CB91

Function 014DA650 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c8d04f233205865f4e71eb6ff3bf460b9f37f6e3302aec1ef21928c2d70f41
Instruction ID: c0c4c81e7dbefc84fdfe43e2557d6ddd9d0f4485c60e93d3972a3626a9bc3559
Opcode Fuzzy Hash: 65c8d04f233205865f4e71eb6ff3bf460b9f37f6e3302aec1ef21928c2d70f41
Instruction Fuzzy Hash: 2341D2357002049FDF159B79D8547AE7BF6BBC9620F24806EE906D73A1DE309C06CB90

Function 06AE9A49 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b747e6f288cc2e3dc2002902d1173be18676ba13ae73785a9bf533a0c4425d12
Instruction ID: 8f2ba814069036220af91d0246e8780bf740560c43bacefdcca50b7b60852b09
Opcode Fuzzy Hash: b747e6f288cc2e3dc2002902d1173be18676ba13ae73785a9bf533a0c4425d12
Instruction Fuzzy Hash: 6341CD74E01208CFDB54DFA9D9847EEBBB2FF89310F20802AD815AB294DB745946CF50

Function 014D3428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa76eea3fbfd0d273c60bd6445723a90f4735384c6f1d5ae2da1488214e4970b
Instruction ID: 61b5699b16a4877f248fc18e7f6f8cb515c6935b158f0e57545ca29becd84f72
Opcode Fuzzy Hash: aa76eea3fbfd0d273c60bd6445723a90f4735384c6f1d5ae2da1488214e4970b
Instruction Fuzzy Hash: 4D31B6B57003158BEF294EAE597427F6696BBC4650F58403BD906D33A0DF78CC458793

Function 06AE950F Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6b85ccd0707644df5383a0d79086adfcdf3034c89b66de4bb4afa81290e6f4
Instruction ID: 3e3d5b1cde02a669618cf95425f014f93bac907f7211703c49033f13f7cd688f
Opcode Fuzzy Hash: 6c6b85ccd0707644df5383a0d79086adfcdf3034c89b66de4bb4afa81290e6f4
Instruction Fuzzy Hash: 04412D71E00319DBDB54DFA5C990AEFBBF5AF88700F15812AE415BB240EB71A946CB90

Function 06AE9A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781387a12462215f84cb8ab6ccc94ee75daaea733a9e6704b73ae672a1323b0b
Instruction ID: 169f632624bf80d7538da278687b6b1abc2bd986a67361fecbb9f7dc4b5546b6
Opcode Fuzzy Hash: 781387a12462215f84cb8ab6ccc94ee75daaea733a9e6704b73ae672a1323b0b
Instruction Fuzzy Hash: 8041BE74E01208CFDB54DFA9D5846EEBBF2FF89310F24802AD415AB294DB785A46CF50

Function 014D4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5da04d3e91f521c4c32beee77c84432cf2ee8a135b9bf1cc3007e5d1c1b4afa
Instruction ID: 3a37662c1c1592ece6d6eba823c504107c3429a565b7090e56f89bbeb2b015d5
Opcode Fuzzy Hash: e5da04d3e91f521c4c32beee77c84432cf2ee8a135b9bf1cc3007e5d1c1b4afa
Instruction Fuzzy Hash: CC31873530814AAFCF159F65E454AAF7BA6FB88220F04842AF91587764CB34CC66DBA1

Function 014D76D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d496bb38a06ebc51e387de3107f6b760f4b7f495182c4411e95d209db7d8a9f7
Instruction ID: 9f12e82a031a3d9ed072c1deebbcf1d80a84318f734c485e9f004c9e0e44e129
Opcode Fuzzy Hash: d496bb38a06ebc51e387de3107f6b760f4b7f495182c4411e95d209db7d8a9f7
Instruction Fuzzy Hash: FA2102343042018BEF26173D88A4A7E3697AFC561EB0A847BD506CB7A6EE35DC429381

Function 014DA809 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409472aa2e325b7089cef5a0cabc4790870efbc731200ab0541196e05c521a65
Instruction ID: 8fcc70d0eeda57e414123852d27cb5451ebe1f966bfcff2542a097f95f1c77c9
Opcode Fuzzy Hash: 409472aa2e325b7089cef5a0cabc4790870efbc731200ab0541196e05c521a65
Instruction Fuzzy Hash: FC316F74A006098FCB04CF6DC8949AEBBF6FF85260B25859AE5159B3B5CB349C42CB90

Function 06AEDCB1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a6b2f676f86c61176b26bc148a33cb59303b6e885cdc1bba1804a4c839d677
Instruction ID: 63b2e6cd5a6bcb059b73c85f81a5324d2e0c5715e124248845e329a3a009e792
Opcode Fuzzy Hash: 81a6b2f676f86c61176b26bc148a33cb59303b6e885cdc1bba1804a4c839d677
Instruction Fuzzy Hash: B3315C35D0131ADFDB14AFA5D46C7EEBBB1FF8A316F008869D5116A294CB780A94CF90

Function 014D76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11dcb479e49305a2a9f2fe0f8135369aee26ff69a81374608bf17b9407080ebe
Instruction ID: daf34b282c4f0af492f07b0a1a57335f6af745cd64de22d8aa824c7f76d713b2
Opcode Fuzzy Hash: 11dcb479e49305a2a9f2fe0f8135369aee26ff69a81374608bf17b9407080ebe
Instruction Fuzzy Hash: DC21B33830020187FF25163998A4A7F76879FC4A1EF15847BD506CB7A5EE35DC439780

Function 0148D006 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3981573704.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_148d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44089aa1604741eed4c4e8a36f08468ef84dd342d073cb13c83d594b09a567c
Instruction ID: 855b96861b538a3b2663e194fa7b8c0390b720c34bed1510430a58b9bb066ea2
Opcode Fuzzy Hash: d44089aa1604741eed4c4e8a36f08468ef84dd342d073cb13c83d594b09a567c
Instruction Fuzzy Hash: E6314D7150E3C09FCB079B64C994715BF71AF47214F2985DBD8858F2A7C23A980ACB62

Function 014D2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5c375d8d94c36c97fa7d1e9e8a8f0de0440e96db3a75e63472f238159ee2a3
Instruction ID: 426fbb638f882e64dc46fee9507e89c0f9b225528d4d0dacca30eea800828a83
Opcode Fuzzy Hash: 4c5c375d8d94c36c97fa7d1e9e8a8f0de0440e96db3a75e63472f238159ee2a3
Instruction Fuzzy Hash: 0C21A175A00115DFCF15EB24C8509AF37B6EB99250F10C05AE909DB350DB76EE82CB91

Function 014D5A63 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0761ec9b09cd674f8da685cb14b829357d6e2f78b3c5a1eac1995d84f0dc1d
Instruction ID: c323139b0a24fc6aebb55bf856e924379266ee53affa7fd52828db946bf4ba20
Opcode Fuzzy Hash: fc0761ec9b09cd674f8da685cb14b829357d6e2f78b3c5a1eac1995d84f0dc1d
Instruction Fuzzy Hash: 4C2180353056218FDB299B29D8A492FB7A2FF89651705817AE906CF364CF35DC06CBC1

Function 0148D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3981573704.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_148d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb2a0b484484ba6d57517bdb3561abeff57403f879f591bad5d76720c429e08
Instruction ID: bb7a5eb1c7a5e1377d396ba00735d6cfe20527ae37ebd248a801a869c53e7393
Opcode Fuzzy Hash: cfb2a0b484484ba6d57517bdb3561abeff57403f879f591bad5d76720c429e08
Instruction Fuzzy Hash: 8D2125B1904204EFDB15EF64D8C0B2ABB61FB85318F20C56EE8494B3A2C736D447CA62

Function 014D215C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a1448ca6ec4e8da6683cc9134a8a6e08c78e968dbc46a19db1e4cd001f5b74
Instruction ID: 76a8d4366127919ea8cb3fe64964b1d0bcacd94da101ff58a59cf6b05c15b4d9
Opcode Fuzzy Hash: c5a1448ca6ec4e8da6683cc9134a8a6e08c78e968dbc46a19db1e4cd001f5b74
Instruction Fuzzy Hash: A4119235E042599FCF02DBB89C108DEBB74FFCA210B258797D656B7161EA722846C391

Function 014D39ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488bc2f1e4ed7610e41911d55fbad016bd891b94971475d66b6c03e26a293a4d
Instruction ID: 6c45460e26a8363a0263ea63315d85a2c74af7c5ddf7b88c240590ce06912b08
Opcode Fuzzy Hash: 488bc2f1e4ed7610e41911d55fbad016bd891b94971475d66b6c03e26a293a4d
Instruction Fuzzy Hash: 8F31B378E11209CFCB04DFA9E59489DBBB2FF89315B2080A9E819AB324D735AC45CF41

Function 014D4DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fd122e920039cd0008c8248bfc99468a3473b89d0665f15ea2a9cd2118c115
Instruction ID: d7265a96c8dc1aade819e1c1fa689ad3b20ebbae584d26d542a0e6a7ff0b1ec9
Opcode Fuzzy Hash: 00fd122e920039cd0008c8248bfc99468a3473b89d0665f15ea2a9cd2118c115
Instruction Fuzzy Hash: 7721F631608245EFCF159F68E454A6B3BA2FF88320F14442AF8058B7A1CB38CC56CBE0

Function 06AEE0C0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569ca95079242668a772d30487d8fac5f7603511ecbb78fed75d07a8227e7ca3
Instruction ID: 840817a1c20391f2ad3143bd923157c9c66017e6dda55cdaadedb4ac79e1b180
Opcode Fuzzy Hash: 569ca95079242668a772d30487d8fac5f7603511ecbb78fed75d07a8227e7ca3
Instruction Fuzzy Hash: 1F1108303042485FE7151BBAAC146BBBBABBFDA220B548476E146C3285DE348C4A8772

Function 014DE059 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13cd1fff19377871aed739501f3d0b2ed4e38c2e361298bbce4c3681ec227167
Instruction ID: f46e22fac001080eaa0824ed0ad6d48863dc3ea93ecedd7356a5be95271714c4
Opcode Fuzzy Hash: 13cd1fff19377871aed739501f3d0b2ed4e38c2e361298bbce4c3681ec227167
Instruction Fuzzy Hash: C4215E70A0020E9FEB56EFB9D54079EBBF1FB84300F1085AAC414AB264EB741E469B81

Function 014D5A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb226cf0a3f8452d63f50dc8a7c09a9ed50590c5d3ee5b26aaaa56fd8a2f1a20
Instruction ID: 2d41c7c502ea5ba1025f3830e1645ed6c394262426504304c87e21b530bccb2a
Opcode Fuzzy Hash: fb226cf0a3f8452d63f50dc8a7c09a9ed50590c5d3ee5b26aaaa56fd8a2f1a20
Instruction Fuzzy Hash: 7D11E5353016228FDB295A29C4A892FB7A6FFC5661705407AE906CF360CF30DC028BC0

Function 014D1F61 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253f9950fcd3733ac6c5857f02c5818dcafbe897e566f850d9f535e5a6f2cb91
Instruction ID: f494e2a0a6fc5ea84329f7d7504ec28e9fbc7962fb1b8e9b782a8de00cc07bfd
Opcode Fuzzy Hash: 253f9950fcd3733ac6c5857f02c5818dcafbe897e566f850d9f535e5a6f2cb91
Instruction Fuzzy Hash: F021B2B4D0420A8FCB54DFA9D5555EDBFF0FF4A311F1481AAD805B7224EB305A46CBA1

Function 06AE9280 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f484f76c57a230aef0bb1eb329b1ca04896859e2e2a19b030b0c2b2250809104
Instruction ID: 66eb4815d5e445cc9423cf9319a5a98b4a9e68adc18ba46f5dd16f372f3300cb
Opcode Fuzzy Hash: f484f76c57a230aef0bb1eb329b1ca04896859e2e2a19b030b0c2b2250809104
Instruction Fuzzy Hash: 2A1123B6800349DFDB10DF9AC845BEEBBF4EF48320F148419EA18A7211C379A950DFA5

Function 06AE2670 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f44719a5c7ee49f0d9b675ed4d539ba7c34702e71188b55c0b9b0b1b8ccd10
Instruction ID: 013b367647244952de914da6ac315de0e00e0fa2344a52a2855c961df55c9e49
Opcode Fuzzy Hash: 08f44719a5c7ee49f0d9b675ed4d539ba7c34702e71188b55c0b9b0b1b8ccd10
Instruction Fuzzy Hash: 5711C475B112118FCB90EB78E908A9A7BF9EF8872570101A9E406DB311D735CE15CBD0

Function 014DE068 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9946ff50286da7eeea68cb57af9d16d4227679eea11290bcc48f0d1ae76220f4
Instruction ID: 1efd0090396861ede3e35c7d3dc74c6feabdb38b381dd0916fe58006a3f96035
Opcode Fuzzy Hash: 9946ff50286da7eeea68cb57af9d16d4227679eea11290bcc48f0d1ae76220f4
Instruction Fuzzy Hash: 86113D74A0020E9FEB45EFB9E54079EBBF2FB84300F1085BAC454AB324EB745A458B91

Function 06AE8EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc214a9c0d29215aef5b68581896c473374dddce067089cd4c98b498a9ec554
Instruction ID: 7aeeba3bc2d8c6a77c205d3e750351f0f6539337137f4d59cb5a86c1b59f9d47
Opcode Fuzzy Hash: 1dc214a9c0d29215aef5b68581896c473374dddce067089cd4c98b498a9ec554
Instruction Fuzzy Hash: DB113C74F401498FEB14DFE8E840BAEBFB2AF59311F018065E808A7359EA74DD428B90

Function 014D1F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a309d5ced6c73219094793e57b7627b653e6f6fc9274c571166fe59b2241de07
Instruction ID: e8f39ce8173c22f40b7ca4b4d58154644a438f4d6fc4a6f8a1ed0fd3c02e025a
Opcode Fuzzy Hash: a309d5ced6c73219094793e57b7627b653e6f6fc9274c571166fe59b2241de07
Instruction Fuzzy Hash: 50210675D0420A8FCB11DFA9D4545EEBFB0FF4A315F1481AAD805B7264EB305A46CBA2

Function 014D5607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e9ba6666f1bd553c194a2ecd363747f0dfd2d245de59065c0572bb2456d2d1
Instruction ID: 871e4dfb3f49c25db8d2be479eefb72953bbe067bd4ff0ac8b64963568db0797
Opcode Fuzzy Hash: e6e9ba6666f1bd553c194a2ecd363747f0dfd2d245de59065c0572bb2456d2d1
Instruction Fuzzy Hash: A80145727041045FCF068E69A810AEF3BE7EFD9651B18806BF908CB2A4CE31C8068B90

Function 06AE999F Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ffc86953459bae3209dd731f266db17e01fa120ecdd522c569f2b95def90860
Instruction ID: 15db49360b05e94f298eb9abbf74eff5efb9cd70bdd10352b65f3cebf2c2f5cc
Opcode Fuzzy Hash: 1ffc86953459bae3209dd731f266db17e01fa120ecdd522c569f2b95def90860
Instruction Fuzzy Hash: 891143B6800349DFDB10CF99C945BEEBBF4EF48320F14841AE618A7210C339A550DFA1

Function 06AE9999 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77108502cc2eb5cc6d764dccaaa479d9c684537016491d9dfea0b9c39b78ed5b
Instruction ID: f8efaccb25ade4f218944f40e31ffa65763d79fa4c57a5eb10fcfa69ee1ef917
Opcode Fuzzy Hash: 77108502cc2eb5cc6d764dccaaa479d9c684537016491d9dfea0b9c39b78ed5b
Instruction Fuzzy Hash: 9E017876800349EFDF00CF98D804BEEBBF1EF88310F148419EA18A7221C3399551DBA1

Function 06AE25E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e25f6ea5e9712735cfb45568d415a14e9c4eb02f8de89d51213842ea70b5f9
Instruction ID: bcc27f1249848601ebbe78d1a9b9ede563d90484ebb01de6c14511dbac6abe9b
Opcode Fuzzy Hash: 63e25f6ea5e9712735cfb45568d415a14e9c4eb02f8de89d51213842ea70b5f9
Instruction Fuzzy Hash: F201B670E00219DFDF54EFB9D8006AEB7F5FF88210F54866AD519E7250EB399A01CB90

Function 06AE9760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d09c20c8a2074cf67964a9933389a30d3ea0270236f53f6b9d6eece5626780
Instruction ID: 6ced5b1745592629187a1eaa22eef27348447138e2ad65bc469e6206cdbe741e
Opcode Fuzzy Hash: 10d09c20c8a2074cf67964a9933389a30d3ea0270236f53f6b9d6eece5626780
Instruction Fuzzy Hash: A3F0BE723002186B8F069E99A8409EF7BABEBC8620B004829FA0987210CA328C1197A5

Function 06AE975F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3990649759.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ae0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd433698003633efe832e579c8af71041446f2010a8d980c0b50781d4dd826c9
Instruction ID: cee488177928b86c8726e775a7c5ca6f1dc5395fd33302bb84cc652c345671b3
Opcode Fuzzy Hash: fd433698003633efe832e579c8af71041446f2010a8d980c0b50781d4dd826c9
Instruction Fuzzy Hash: 16F089777001196F8F469FD8A8516FE7BA7EFC8611B044829F605D7350DB314C1197A5

Function 014DDD70 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e72e1e8ae5f5e5e9636dc8e7368abd226bd7c06933464a551a954d131604da9
Instruction ID: b8759ae5fe88b534526cbaf24c004840f1ab97b1d80c421c9510b71e3598bbf5
Opcode Fuzzy Hash: 1e72e1e8ae5f5e5e9636dc8e7368abd226bd7c06933464a551a954d131604da9
Instruction Fuzzy Hash: 83F0E530D442158FEF54DBA8A8183FEB7F0EBCB311F009026C404E71A5D77049068A91

Function 014D2010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc47178f2536dced767b539f0d0498cc2499e3fb3e08f7ebb455de78ce31a919
Instruction ID: d6e91557dcb02e5cb5f0a45901aebdc941dacc16f142e3715b4fbac18686a1e1
Opcode Fuzzy Hash: dc47178f2536dced767b539f0d0498cc2499e3fb3e08f7ebb455de78ce31a919
Instruction Fuzzy Hash: 04E0D831E143A65AC712A7B09C540FEBF309ED7210B1549AAD09077051E731151BC751

Function 014D2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2a8400fca97d4242ce3e9a06d5f2bf29d0612b7b0df28ec1d5ffc787fe0c47
Instruction ID: cadcff72579d7f552519d570ba00b008b5b76ef7f05123bd900fe4f392f2191d
Opcode Fuzzy Hash: eb2a8400fca97d4242ce3e9a06d5f2bf29d0612b7b0df28ec1d5ffc787fe0c47
Instruction Fuzzy Hash: CED05E32E2022B97CB00EBA5EC048EFF738EED6661B908626D52537140FB713659C7E1

Function 014D8258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 8cca86dd57f7ce4ebd9f58f4ea7eb85c9a7924bbf7ddf5cdcf35e4be67e3035a
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: C7C08C3320C1282AAA35108F7C45EB3BB8CC3C13F4A250177F91CE3320A8539C8101F8

Function 014DA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fef7bdde200db8c78afd09dd4af756efb08a4eae6c4930a8bf61e0d9f019cdc
Instruction ID: 1ed5a62b063f802620d4b1d11e1d01ad58cf957f4092210a3520642c7cb53a52
Opcode Fuzzy Hash: 9fef7bdde200db8c78afd09dd4af756efb08a4eae6c4930a8bf61e0d9f019cdc
Instruction Fuzzy Hash: D9D0677BB41008AFCF149F98E8409DDB7B6FB9C221B448116E915A3264C6319965DB50

Function 014D5EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a63b04ea80c291fd7a1cdc7272fb2d0c897ffbf8d7a216e0dbf858a376f0ed3
Instruction ID: 2bde34d39c00b3e4b1674c393e09b1468dccdb60a8c7265510108eeadef15648
Opcode Fuzzy Hash: 9a63b04ea80c291fd7a1cdc7272fb2d0c897ffbf8d7a216e0dbf858a376f0ed3
Instruction Fuzzy Hash: CDD02B746043894BC713F375F8148D43725BAC1204F4044A5EC040A457FF782C8687D2

Function 014D5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3982344923.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_14d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f895aef8e0126d57618307771cc0d996f666dde7fb45ecea1ca6691b10b378fa
Instruction ID: adaf1f5df4ef64578cd5cf4c8fd224055af373ad1a66050058917a9957c86a22
Opcode Fuzzy Hash: f895aef8e0126d57618307771cc0d996f666dde7fb45ecea1ca6691b10b378fa
Instruction Fuzzy Hash: C8C0123410034E47D501E7BAF944DD5332AF6C0600F409560A4090A555EF782C8647D2

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tJzfnaqOxj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs

C:\Users\user\AppData\Roaming\SyncRoot.exe

C:\Users\user\AppData\Roaming\SyncRoot.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Windows Analysis Report
tJzfnaqOxj.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre