Edit tour

Windows Analysis Report
install_backblaze_bbec75b7f971c02a0.exe

Overview

General Information

Sample name:	install_backblaze_bbec75b7f971c02a0.exe
Analysis ID:	1409718
MD5:	01ec621bc8779d04ffdd06ee380f6669
SHA1:	8c2546b47dcccef81d2fcd90ca3286e6d3d9d278
SHA256:	5ba6d375cd6a7ee8c72a5c37a6da4b203455d999be507e06b0190ea0dde54c74
Infos:

Detection

Score:	36
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Antivirus detection for URL or domain

Creates a process in suspended mode (likely to inject code)

Drops PE files

Found dropped PE file which has not been started or loaded

JA3 SSL client fingerprint seen in connection with other malware

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses 32bit PE files

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64_ra

install_backblaze_bbec75b7f971c02a0.exe (PID: 5836 cmdline: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe MD5: 01EC621BC8779D04FFDD06EE380F6669)

bzdoinstall.exe (PID: 5724 cmdline: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe" -doinstall "C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir MD5: F10C1327338C2E01503EE7D1D6540E7B)

bztransmit.exe (PID: 5888 cmdline: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -fetchurltofile https://ca000.backblaze.com/api/clientversion.xml "C:\Users\user\AppData\Local\Temp\bzt0315155706_0000001_1930_0005724.txt MD5: B3442F00487BC454F45D31D3A95E5079)

conhost.exe (PID: 2932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bztransmit.exe (PID: 2088 cmdline: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -fetchurltofile https://ca001.backblaze.com/api/clientversion.xml "C:\Users\user\AppData\Local\Temp\bzt0315155706_0000002_6385_0005724.txt MD5: B3442F00487BC454F45D31D3A95E5079)

conhost.exe (PID: 1552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bztransmit.exe (PID: 3928 cmdline: "C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -at_install_time_checkuser https://ca000.backblaze.com 626265633735623766393731 MD5: B3442F00487BC454F45D31D3A95E5079)

conhost.exe (PID: 1268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://f100.backblazeb2.xyz/file/b2-computer-backup-public

Avira URL Cloud: Label: phishing

Source: bztransmit.exe, 00000003.00000002.1075559623.000000000071D000.00000002.00000001.01000000.00000006.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_cbb0f0a8-9

Source: install_backblaze_bbec75b7f971c02a0.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzinstallername.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	File created: C:\ProgramData\Backblaze\bzdata\bzlogs\bzdoinstall\bzdoinstall15.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	File created: C:\ProgramData\Backblaze\bzdata\bzreports\install_history.txt	Jump to behavior

Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe

File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\license.txt

Jump to behavior

Source: install_backblaze_bbec75b7f971c02a0.exe

Static PE information: certificate valid

Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe

File opened: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.153.233.8:443 -> 192.168.2.17:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.153.233.9:443 -> 192.168.2.17:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.153.233.8:443 -> 192.168.2.17:49710 version: TLS 1.2

Source:	Binary string: C:\work\bz\bzmono\Release\bzfclean.pdb source: bzfclean.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzserv.pdbv source: bzserv.exe.0.dr
Source:	Binary string: oH`pH0qH0sH@sHmemory buffersecure memory buffercrypto\bio\bss_mem.cCERTIFICATE REQUESTNEW CERTIFICATE REQUESTX509 CRLPKCS7CERTIFICATEPUBLIC KEYDH PARAMETERSX9.42 DH PARAMETERScompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICcrypto\rsa\rsa_crpt.ccrypto\bio\bio_lib.c source: bzdownloader.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release64\bzfilelist.pdbh source: bzfilelist64.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bztransmit.pdb source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: msvcr100.amd64.pdb source: msvcr100_x64.dll.0.dr
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb`E source: VC_redist.x86.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzselfextractor.pdb source: install_backblaze_bbec75b7f971c02a0.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzdownloader_win32.pdb source: bzdownloader.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzserv.pdb source: bzserv.exe.0.dr
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release64\bzrestore.pdb source: bzrestore.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzfilelist.pdbj source: bzfilelist.exe
Source:	Binary string: msvcr100.i386.pdb source: msvcr100.dll.0.dr
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release64\bzfilelist.pdb source: bzfilelist64.exe
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb source: VC_redist.x86.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzbuitray.pdbl source: bzbuitray.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzwinrt.pdb source: bzwinrt.dll.0.dr
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bztransmit.pdb" source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzselfextractor.pdbQ source: install_backblaze_bbec75b7f971c02a0.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzdoinstall.pdb source: bzdoinstall.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzbuitray.pdb source: bzbuitray.exe
Source:	Binary string: dmemory buffersecure memory buffercrypto\bio\bss_mem.cCERTIFICATE REQUESTNEW CERTIFICATE REQUESTX509 CRLPKCS7CERTIFICATERSA PRIVATE KEYPUBLIC KEYDH PARAMETERSX9.42 DH PARAMETERScompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICcrypto\rsa\rsa_crpt.ccrypto\bio\bio_lib.c source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzwinrt.pdb source: bzwinrt.dll.0.dr
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzbui_win32.pdb source: bzbui.exe
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: bzdownloader.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzfilelist.pdb source: bzfilelist.exe

Source: Joe Sandbox View

JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: bzbui.exe

String found in binary or memory: http://www.youtube.com/watch?v=Y01r3jAbwF4&fmt=18 equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: ca000.backblaze.com

Source: bzfclean.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: bzfclean.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: bzfclean.exe	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: bzfclean.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: bzfclean.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: bzfclean.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: bzfclean.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: bzfclean.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: bzfclean.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: bzfclean.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: bzfclean.exe	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfclean.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: bzfclean.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: bzdownloader.exe	String found in binary or memory: http://ul.https://www.http://www.)
Source: bzbui_interface.xml, bzdoinstall.exe	String found in binary or memory: http://www.backblaze.com
Source: bzdownloader.exe	String found in binary or memory: http://www.backblaze.com/
Source: bzdownloader.exe	String found in binary or memory: http://www.backblaze.com/en_us/help-backblaze-downloader-win.html?version=learn_morecompromised_pass
Source: bzbui_interface.xml	String found in binary or memory: http://www.backblaze.com/es_ES/help-transfer-backup-%PLATFORM%.html
Source: bzdoinstall.exe	String found in binary or memory: http://www.backblaze.com/free-trial.html
Source: bzdoinstall.exe	String found in binary or memory: http://www.backblaze.com/free-trial.htmlsign_in_to_existing_accountaccount_surround_labelplease_wait
Source: bzbui_interface.xml	String found in binary or memory: http://www.backblaze.com/help-inherit-backup-%PLATFORM%.html
Source: bzdoinstall.exe	String found in binary or memory: http://www.backblaze.com/help-transfer-backup-win.html
Source: bzbui_interface.xml	String found in binary or memory: http://www.backblaze.com/it_IT/help-transfer-backup-%PLATFORM%.html
Source: bzbui_interface.xml	String found in binary or memory: http://www.backblaze.com/ja_JP/help-transfer-backup-%PLATFORM%.html
Source: InstallerConfig.xml	String found in binary or memory: http://www.backblaze.com/ja_JP/terms.html
Source: bzbui_interface.xml	String found in binary or memory: http://www.backblaze.com/ko_KR/help-transfer-backup-%PLATFORM%.html
Source: bzbui_interface.xml	String found in binary or memory: http://www.backblaze.com/ru_RU/help-transfer-backup-%PLATFORM%.html
Source: InstallerConfig.xml	String found in binary or memory: http://www.backblaze.com/terms
Source: bzbui_interface.xml	String found in binary or memory: http://www.backblaze.com/zh_CN/help-transfer-backup-%PLATFORM%.html
Source: bzbui_interface.xml	String found in binary or memory: http://www.backblaze.com/zh_TW/help-transfer-backup-%PLATFORM%.html
Source: bzfclean.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: license.txt.0.dr	String found in binary or memory: http://www.openssl.org/)
Source: bzdownloader.exe, bzrestore.exe	String found in binary or memory: http://www.winimage.com/zLibDll
Source: install_backblaze_bbec75b7f971c02a0.exe, bzrestore.exe	String found in binary or memory: http://www.winimage.com/zLibDll1.3
Source: bzbui.exe	String found in binary or memory: http://www.youtube.com/watch?v=Y01r3jAbwF4&fmt=18
Source: bzdownloader.exe, bzrestore.exe	String found in binary or memory: https://api.backblazeb2.com
Source: bzrestore.exe	String found in binary or memory: https://api.backblazeb2.com)timstamptracethepermissionsmoveaddedbefore_directory:
Source: bzdoinstall.exe	String found in binary or memory: https://api.backblazeb2.com.backblaze.nethttps://api.backblazeb2.net.backblaze.xyzhttps://api.backbl
Source: bzbui.exe	String found in binary or memory: https://api.backblazeb2.com.backblazeb2.nethttps://api.backblazeb2.net.backblazeb2.xyzhttps://api.ba
Source: bzdoinstall.exe	String found in binary or memory: https://api.backblazeb2.com/
Source: bzdoinstall.exe	String found in binary or memory: https://api.backblazeb2.com/ERROR:
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://api.backblazeb2.com/b2api/v1/b2_authorize_account
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://api.backblazeb2.com/b2api/v1/b2_authorize_accountAuthorization:
Source: bzdoinstall.exe, 00000002.00000002.1146178404.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.backblazeb2.com/es
Source: bzdoinstall.exe, bzdownloader.exe	String found in binary or memory: https://api.backblazeb2.net
Source: bzdoinstall.exe, bzdownloader.exe	String found in binary or memory: https://api.backblazeb2.pet
Source: bzdoinstall.exe, bzdownloader.exe	String found in binary or memory: https://api.backblazeb2.xyz
Source: bzdoinstall.exe	String found in binary or memory: https://api000.backblazeb2.com
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://api001.backblazeb2.com
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://apihttps://cabackblazeb2.com.backblaze.com/backblazeb2.net.backblaze.net/backblazeb2.xyz.bac
Source: bzdoinstall.exe	String found in binary or memory: https://ca000.Inside
Source: bzdownloader.exe	String found in binary or memory: https://ca000.backblaze.com
Source: bztransmit.exe, 00000007.00000002.1083178162.0000000001526000.00000004.00000020.00020000.00000000.sdmp, bztransmit.exe, 00000007.00000003.1082277723.0000000001523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca000.backblaze.com-
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca000.backblaze.com/
Source: bzdoinstall.exe, 00000002.00000003.1145052536.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, bzdoinstall.exe, 00000002.00000002.1146178404.0000000000E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca000.backblaze.com/4
Source: bztransmit.exe, 00000007.00000002.1083178162.0000000001537000.00000004.00000020.00020000.00000000.sdmp, bztransmit.exe, 00000007.00000002.1083037961.0000000001508000.00000004.00000020.00020000.00000000.sdmp, bztransmit.exe, 00000007.00000002.1083178162.0000000001545000.00000004.00000020.00020000.00000000.sdmp, bztransmit15.log.3.dr	String found in binary or memory: https://ca000.backblaze.com/api/at_install_time_checkuser
Source: bztransmit.exe, 00000007.00000002.1083178162.0000000001526000.00000004.00000020.00020000.00000000.sdmp, bztransmit.exe, 00000007.00000003.1082277723.0000000001523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca000.backblaze.com/api/at_install_time_checkuserit15.log
Source: bztransmit15.log.3.dr, ConDrv.3.dr, bzdoinstall.exe	String found in binary or memory: https://ca000.backblaze.com/api/clientversion.xml
Source: bztransmit.exe, 00000003.00000002.1075956112.00000000012FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca000.backblaze.com/api/clientversion.xml32.dll
Source: bztransmit.exe, 00000003.00000002.1075956112.00000000012FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca000.backblaze.com/api/clientversion.xmlBackblaze
Source: bztransmit.exe, 00000003.00000002.1075956112.00000000012FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca000.backblaze.com/api/clientversion.xmlC:
Source: bztransmit.exe, 00000003.00000002.1075956112.00000000012FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca000.backblaze.com/api/clientversion.xmlW
Source: bzdoinstall.exe, 00000002.00000002.1146178404.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca000.backblaze.com/api/clientversion.xmlmlming
Source: bztransmit.exe, 00000003.00000003.1075079166.0000000001335000.00000004.00000020.00020000.00000000.sdmp, bztransmit.exe, 00000003.00000002.1076101078.0000000001335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca000.backblaze.com/api/clientversion.xmlsi
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp, bzserv.exe.0.dr, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca000.backblaze.com/https://ca001.backblaze.com/https://ca002.backblaze.com/https://ca003.ba
Source: bzdoinstall.exe, 00000002.00000002.1147832038.0000000005806000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca000.backblaze.com24
Source: bzdoinstall.exe, 00000002.00000003.1145052536.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, bzdoinstall.exe, 00000002.00000002.1146178404.0000000000E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca000.backblaze.com5N
Source: bztransmit.exe, 00000007.00000002.1083037961.0000000001508000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca000.backblaze.com626265633735623766393731
Source: bzdownloader.exe	String found in binary or memory: https://ca001.backblaze.com
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca001.backblaze.com/
Source: bztransmit15.log.3.dr, bzdoinstall.exe	String found in binary or memory: https://ca001.backblaze.com/api/clientversion.xml
Source: bztransmit.exe, 00000005.00000002.1076589096.00000000012B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca001.backblaze.com/api/clientversion.xml.dllq
Source: bztransmit.exe, 00000005.00000002.1076589096.00000000012B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca001.backblaze.com/api/clientversion.xmlBackblaze
Source: bztransmit.exe, 00000005.00000002.1076589096.00000000012B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca001.backblaze.com/api/clientversion.xmlC:
Source: bzdoinstall.exe, 00000002.00000002.1146178404.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca001.backblaze.com/api/clientversion.xmlmlming
Source: bztransmit.exe, 00000005.00000002.1076589096.00000000012B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ca001.backblaze.com/api/clientversion.xml~
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe	String found in binary or memory: https://ca001.backblaze.com/https://ca002.backblaze.com/https://ca003.backblaze.com/https://ca004.ba
Source: bzdownloader.exe	String found in binary or memory: https://ca001.backblaze.comhttps://api.backblazeb2.comNEThttps://ca900.backblaze.nethttps://api.back
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp, bzrestore.exe	String found in binary or memory: https://ca002.backblaze.com
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca002.backblaze.com/
Source: bzdoinstall.exe	String found in binary or memory: https://ca002.backblaze.com/api/clientversion.xml
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca003.backblaze.com/
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca004.backblaze.com/
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca005.backblaze.com/
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca006.backblaze.com/
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca007.backblaze.com/
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca008.backblaze.com/
Source: bzdoinstall.exe, bzdownloader.exe	String found in binary or memory: https://ca100.backblaze.xyz
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca100.backblaze.xyz/
Source: bzdoinstall.exe	String found in binary or memory: https://ca101.backblaze.xyz
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca101.backblaze.xyz/
Source: bzdoinstall.exe	String found in binary or memory: https://ca101.backblaze.xyz/api/clientversion.xml
Source: bzdownloader.exe	String found in binary or memory: https://ca900.backblaze.net
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca900.backblaze.net/
Source: bzdoinstall.exe	String found in binary or memory: https://ca900.backblaze.net/api/clientversion.xml
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca901.backblaze.net/
Source: bzdoinstall.exe	String found in binary or memory: https://ca901.backblaze.net/api/clientversion.xml
Source: bzdownloader.exe	String found in binary or memory: https://ca910.backblaze.pet
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca910.backblaze.pet/
Source: bzdoinstall.exe	String found in binary or memory: https://ca910.backblaze.pet/api/clientversion.xml
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://ca911.backblaze.pet/
Source: bzdoinstall.exe	String found in binary or memory: https://ca911.backblaze.pet/api/clientversion.xml
Source: bzbui.exe	String found in binary or memory: https://curl.haxx.se/libcurl/
Source: bzbui.exe	String found in binary or memory: https://curl.haxx.se/libcurl/Calibrihttps://www.openssl.org/AboutDialog
Source: bzdownloader.exe, bzrestore.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: bzdownloader.exe, bzrestore.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: bzdownloader.exe, bzrestore.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: bzrestore.exe	String found in binary or memory: https://curl.se/libcurlfmtAboutDlgVersionen_USLocalRestore-
Source: animated_cloud_win_120p_dm.gif	String found in binary or memory: https://ezgif.com/resize
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://f.backblaze.com/file/
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp, bzbui.exe	String found in binary or memory: https://f000.backblazeb2.com/file/b2-computer-backup-public
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://f000.backblazeb2.com/file/b2-computer-backup-public/
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp, bzbui.exe	String found in binary or memory: https://f000.backblazeb2.com/file/b2-computer-backup-publichttps://f900.backblazeb2.net/file/b2-comp
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp, bzbui.exe	String found in binary or memory: https://f100.backblazeb2.xyz/file/b2-computer-backup-public
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://f100.backblazeb2.xyz/file/b2-computer-backup-public/
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp, bzbui.exe	String found in binary or memory: https://f900.backblazeb2.net/file/b2-computer-backup-public
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://f900.backblazeb2.net/file/b2-computer-backup-public/
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp, bzbui.exe	String found in binary or memory: https://f910.backblazeb2.pet/file/b2-computer-backup-public
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://f910.backblazeb2.pet/file/b2-computer-backup-public/
Source: bzdoinstall.exe, bzdownloader.exe	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: bzdoinstall.exe, bzdownloader.exe	String found in binary or memory: https://help.backblaze.com/
Source: bzbui.exe	String found in binary or memory: https://help.backblaze.com/hc/%LANGUAGE%/articles/20956258257819/
Source: bzbui.exe	String found in binary or memory: https://help.backblaze.com/hc/%LANGUAGE%/articles/20956258257819/%LANGUAGE%
Source: bzrestore.exe	String found in binary or memory: https://help.backblaze.com/hc/%s/articles/15383074527771/:
Source: bzrestore.exe	String found in binary or memory: https://help.backblaze.com/hc/%s/articles/15383074527771/fileLocalRestore-
Source: bzrestore.exe	String found in binary or memory: https://help.backblaze.com/hc/en-us/articles/360038171794:
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://pod-000-0681-00.backblaze.com
Source: bzbui.exe	String found in binary or memory: https://secure.backblaze.com
Source: bzdoinstall.exe, bzdownloader.exe	String found in binary or memory: https://secure.backblaze.com/bzapp_web_assets/public/css/main.css
Source: bzdoinstall.exe, bzdownloader.exe	String found in binary or memory: https://secure.backblaze.com/bzapp_web_assets/public/pics/backblaze-logo.gif
Source: bzdoinstall.exe, bzdownloader.exe	String found in binary or memory: https://secure.backblaze.com/bzapp_web_assets/public/pics/checkmark-blue.jpg
Source: bzdoinstall.exe, bzdownloader.exe	String found in binary or memory: https://secure.backblaze.com/bzapp_web_assets/public/scripts/bootstrap.min.css
Source: bzdoinstall.exe	String found in binary or memory: https://ul.Inside
Source: InstallerConfig.xml, bzbui.exe, bzdoinstall.exe	String found in binary or memory: https://www.backblaze.com
Source: InstallerConfig.xml	String found in binary or memory: https://www.backblaze.com.
Source: bzdoinstall.exe, bzdownloader.exe	String found in binary or memory: https://www.backblaze.com/
Source: bzbui.exe	String found in binary or memory: https://www.backblaze.com/backing-up-external-hard-drives.html
Source: bzrestore.exe	String found in binary or memory: https://www.backblaze.com/forgot_password.htmhttps://www.backblaze.xyz/forgot_password.htmhttps://ww
Source: bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://www.backblaze.com/help.html
Source: bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://www.backblaze.com/remote-backup-everything.html
Source: bzdoinstall.exe	String found in binary or memory: https://www.backblaze.comAn
Source: bzrestore.exe	String found in binary or memory: https://www.backblaze.pet/forgot_password.htm
Source: bzfclean.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: install_backblaze_bbec75b7f971c02a0.exe, 00000000.00000002.1148695462.000000000049E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/re
Source: bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfclean.exe, bzfilelist.exe, bzfilelist64.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.google.com/
Source: bzbui.exe	String found in binary or memory: https://www.google.com/maps/search/?api=1&query=
Source: bzbui.exe	String found in binary or memory: https://www.google.com/maps/search/?api=1&query=%2CNotificationDialog_CheckForUpdate_UpToDate_Msg%VE
Source: bzbui.exe	String found in binary or memory: https://www.openssl.org/
Source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.reddit.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 104.153.233.8:443 -> 192.168.2.17:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.153.233.9:443 -> 192.168.2.17:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.153.233.8:443 -> 192.168.2.17:49710 version: TLS 1.2

Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Section loaded: schannel.dll	Jump to behavior

Source: install_backblaze_bbec75b7f971c02a0.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus36.winEXE@12/68@2/3

Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe

File created: C:\Program Files (x86)\Backblaze

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2932:120:WilError_03

Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe

File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir

Jump to behavior

Source: install_backblaze_bbec75b7f971c02a0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: -installdir
Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: ERROR: -installdir extra arg (
Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: ERROR: arg -installdir needs additional argument of <dir>
Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: -installdir "C:\Program Files\Backblaze"
Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: -installdir
Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: -installdir <dir> uses "dir" as final location of install
Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: -nogui -installdir "C:\Program Files\Backblaze"
Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: DEFAULTselfextractorERROR: invalid arg: -nogui-msi-unpackonly-version-installdirERROR: -installdir extra arg () is not valid (not enough chars)
Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: "ERROR: arg -installdir needs additional argument of <dir>
Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: Example: -installdir "C:\Program Files\Backblaze"
Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: -doinstall " -nogui -msi -installdir -createaccount -signinaccount -createaccount_or_signinaccount Some sort of error occurred:
Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: Example 3: -nogui -installdir "C:\Program Files\Backblaze"
Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: HKLM/Software/Backblaze/installdir
Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: HKLM/Software/Wow6432Node/Backblaze/installdir
Source: install_backblaze_bbec75b7f971c02a0.exe	String found in binary or memory: K@HKCRHKEY_CLASSES_ROOTHKCUHKEY_CURRENT_USERHKLMHKEY_LOCAL_MACHINEHKUHKEY_USERSHKCCHKEY_CURRENT_CONFIGHKDDHKEY_DYN_DATA/()%Y-%m-%d %H:%M:%S %010d - .log.zip0string too longkernel32+IsWow64ProcessUnknownOSUnknownWinWinNTWin2kWinXPC:\WINDOWS\System32\Dfssvc.exeWin2003servWinVistaWinSevenWinEightHKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/CurrentVersion6.1WinSevenX6.26.3WinEightOneHKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/CurrentMajorVersionNumberWinEightDeprecatedAWinNineDeprecatedWinTenHKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/CurrentBuildNumberWinElevenWinTooHighA6.4WinTenDeprecatedAWinUnknownXWinUnknownZWinTenDeprecatedBWinTooHighB6432Win2008servWinTenRare.Win95Win98WinME-bzinstall.xmlbzdata:\\\?\wldp.dllHKLM/Software/Backblaze/installdirHKLM/Software/Wow6432Node/Backblaze/installdirC:\Program Files\Backblaze\C:\Program FilesBackblazedatadirC:\ProgramData\Backblaze\C:\ProgramDataLockDownPermissionsForFolder: AllocateAndInitializeSid (for Users) returned error LockDownPermissionsForFolder: AllocateAndInitializeSid (for Admin) returned error LockDownPermissionsForFolder: Failed SetEntriesInAcl. error=LockDownPermissionsForFolder: '' - SetNamedSecurityInfo1 returned . LastError=/proc/\/'="\)E
Source: VC_redist.x86.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: VC_redist.x86.exe	String found in binary or memory: CFailed to initialize engine section.Failed to verify elevation state.Failed to re-launch bundle process after RunOnce: %lsFailed to get current process path.Unable to get resume command line from the registryFailed to schedule restart.Failed to adjust token to add shutdown privileges.Failed to get shutdown privilege LUID.SeShutdownPrivilegeFailed to get process token.engine.cppFailed to pump messages from parent process.Failed to create the message window.Failed to set elevated pipe into thread local storage for logging.Failed to allocate thread local storage for logging.Failed to connect to unelevated process.Failed to launch unelevated process.Failed to create implicit elevated connection name and secret.Unexpected return value from message pump.Failed to start bootstrapper application.Failed to load UX.Failed to create engine for UX.Failed while running Failed to set layout directory variable to value provided from command-line.Failed to set registration variables.Failed to set action variables.Failed to query registration.Failed to check global conditionsFailed to connect to elevated parent process.Failed to create pipes to connect to elevated parent process.Failed to initialize internal cache functionality.Failed to open log.Failed to run bootstrapper application embedded.Failed to connect to parent of embedded process.Setup_FailedtxtFailed to run per-user mode.Failed to run per-machine mode.Failed to run embedded mode.Failed to run RunOnce mode.Invalid run mode.Failed to initialize core.3.7.3813.0Failed to get OS info.Failed to initialize XML util.Failed to initialize Wiutil.Failed to initialize Regutil.Failed to initialize COM.Failed to initialize engine state.
Source: bzbui.exe	String found in binary or memory: HKLM/Software/Backblaze/installdir
Source: bzbui.exe	String found in binary or memory: HKLM/Software/Wow6432Node/Backblaze/installdir
Source: bzbui.exe	String found in binary or memory: could_not_write_out_bzvol_id_fileERROR: SetFileAttributes to hidden failed: C:\Temp%07d%04d.bzfNOTE: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, no destinationFile=NOTE: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeededC:\.bzvol), found the Windows src bzvol here=), had to simulate the contents of the bzvol, which are=), bailing because no srcFolder Exists to copy from srcFolder= and srcFolder=/.bzvolBzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded - about to create file from simulation. FileName=ERROR: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, could not write simulated file dstFile=SUCCESS: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, wrote out simulated dstFile=BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded - about to copy file.ERROR: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, srcFile DOES_NOT_EXIST srcFile=, so CANNOT COPY IT to dstFile=ERROR: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, could not copy srcFile=, to dstFile=SUCCESS: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, copied srcFile=ERROR: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, could not copy README srcFile=SUCCESS: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, copied README srcFile=C:\Windows\C:\Windowswldp.dllC:\Documents and Settings\C:\Documents and Settings\foo\Application DataC:\Documents and SettingsHKLM/Software/Wow6432Node/Backblaze/installdirC:\Program Files\Backblaze\C:\Program FilesdatadirC:\ProgramData\Backblaze\C:\ProgramData/proc/ERROR: open to read failed on file: file_does_not_exist..\*ERROR: GetListOfFileInfosInDir (processId=) BzUtf16String::ConvertUtf8BzStringToUtf16_A failed, dirPat=WARNING: GetListOfFileInfosInDir (processId=) FindFirstFile_C failed, dirPat=, GetLastError=, and_a_lastError_of_3_means ERROR_PATH_NOT_FOUND, check if dirPat starts with a letter-colon in this log line.) BzUtf16String::ConvertBzUtf16StringToUtf8_B failed, dirSearch=) - FindNextFile err, dirPat=, Error_3_means=ERROR_PATH_NOT_FOUND, Error_8_means=ERROR_NOT_ENOUGH_MEMORY\/'\"\u="": ","
Source: bzbui.exe	String found in binary or memory: /Library/LaunchDaemons/
Source: bzbui.exe	String found in binary or memory: !KProgramDatabzfilechangesbzflagsbzthreadERROR: InstallerDirInfoLookup failed/Library/LaunchDaemons/ERROR: Invalid top-level directoryERROR: Directory path creation failed?
Source: bzbuitray.exe	String found in binary or memory: HKLM/Software/Backblaze/installdir
Source: bzbuitray.exe	String found in binary or memory: HKLM/Software/Wow6432Node/Backblaze/installdir
Source: bzbuitray.exe	String found in binary or memory: bzdatascratch_vol_guidscratch_mountpointgmunknown:\\\?\C:\Temp%04d%02d%02d%02d%02d%02dwldp.dllC:\Documents and Settings\C:\Documents and Settings\foo\Application DataC:\Documents and SettingsHKLM/Software/Backblaze/installdirHKLM/Software/Wow6432Node/Backblaze/installdirC:\Program Files\Backblaze\C:\Program FilesC:\datadirC:\ProgramData\Backblaze\C:\ProgramData/proc/none\/'="<//><
Source: bzdoinstall.exe	String found in binary or memory: -installdir
Source: bzdoinstall.exe	String found in binary or memory: ERROR: -installdir not supported anymore!
Source: bzdoinstall.exe	String found in binary or memory: point15-reinstall
Source: bzdoinstall.exe	String found in binary or memory: STOP!\r\n\r\nUninstalling removes your backup state from this computer. If you re-install Backblaze on this computer at a later time, you will need to restart your backup and upload all of your files again.\r\n\r\nNOTE: uninstalling will NOT cancel your billing. Visit the website to cancel your billing or transfer your existing license to a new backup.\r\n\r\nMore info at http://www.backblaze.com/help-transfer-backup-win.html\r\n\r\nAre you sure you want to do this?
Source: bzdoinstall.exe	String found in binary or memory: -ssowebserver -ssowebserver command line (processId=) about to run BzNet::RunSingleSignOnWebServerLocally) after BzNet::RunSingleSignOnWebServerLocally, result=-nogui-msi-installdirERROR: -installdir not supported anymore!ERROR: dirName with files to install does not exist: ERROR: dirName with files to install is not a directory: -createaccount_or_signinaccountfound groupId on silent install command line, createAccountGroupId=found groupIdTok on silent install command line, optionalCreateAccountGroupSilentInstallToken=found region on silent install command line, optionalCreateAccountRegion=-createaccount_hexfound hexgroupId on silent install command line, decoded createAccountGroupId=found hex groupIdTok on silent install command line, decoded optionalCreateAccountGroupSilentInstallToken=-signinaccount_hex-douninstallDoing uninstall_where caller specified -noguiPopping up STOP confirmation dialog-unzipERROR: could not find file to unzip: .zip_UNZIPPEDERROR: unzip destination file already exists, NOT UNZIPPING:
Source: bzdoinstall.exe	String found in binary or memory: point7point8point9servERROR: -nogui -createaccount Operating System not supported: point10nonepoint11point12ERROR: -nogui -createaccount failed on Installer_ContactDatacenterAskForEmailAddr, retCode=point13WARNING: -nogui -createaccount_or_signinaccount found this host already has an account. Move to next step for silent installation.ERROR: -nogui -createaccount failed because this host already has an accountERROR: -nogui -createaccount_or_signinaccount failed because no group ID/Tokenpoint14point14-1 - retCode=%d region=%s my_secondTouchCaUrl=%spoint15point15-copy_secondTouchUrlpoint15-reinstallERROR: Fail on reinstallationpoint15.passwordpingERROR: Fail on validation of compromised credentialsWarning : create account password Ping failed with code: point15.zzzzzERROR: -nogui -createaccount failed on _AtInstallTimeCheckAuth, retCode=, could not reach datacenter, bad username or password, invalid email address, account already exists so you cannot create it, account=, during create_account yoda_or_designated_ca_error_A, BzUiUtil::Installer_CallBzTransmit_AtInstallTimeCheckAuth tmp_bztransmit_does_not_exist_C, BzUiUtil::Installer_CallBzTransmit_AtInstallTimeCheckAuth problem_8an unknown zebra_B error during create_accountINFO: email account already exist. Skip to next step for -createaccount_or_signinaccountpoint16ERROR: -nogui -createaccount failed on Installer_CreateNewHguidAndPubPrivKeyERROR: about to call Installer_CallBzTransmit_AtInstallTimeCreateAccountAndAddHost which would fail because no secondTouchUrl! Bailing out!Code path -nogui , about to call Installer_CallBzTransmit_AtInstallTimeCreateAccountAndAddHost with programId = ERROR: -nogui failed on Installer_CallBzTransmit_AtInstallTimeCreateAccountAndAddHostclusterNumInstaller_CallBzTransmit_AtInstallTimeCreateAccountAndAddHost got json back, but did not find clusterNum inside json=://caInstaller_CallBzTransmit_AtInstallTimeCreateAccountAndAddHost provides the new clusterNum before: after:Using second CA URL : ERROR: -nogui -signinaccount Operating System not supported: ERROR: -nogui -signinaccount failed on Installer_ContactDatacenterAskForEmailAddr, retCode=ERROR: -nogui -signinaccount failed because this host already has an accountERROR: -nogui -signinaccount failed on _AtInstallTimeCheckAuth, retCode=, NEVER_SHOULD_HAPPEN_SIGNIN_PATH - account already exists so you cannot create it, account=, yoda_or_MY_designated_ca error,BzUiUtil::Installer_CallBzTransmit_AtInstallTimeCheckAuth bztransmit_does_not_exist_7_B,BzUiUtil::Installer_CallBzTransmit_AtInstallTimeCheckAuth bztransmit_problem_8_KWarning : signin account password Ping failed with code: ERROR: -nogui -signinaccount failed on Installer_CreateNewHguidAndPubPrivKeyERROR: bad global_BzInstallerSecondTouchCa_UrlStr=, so the following call to_A BzUiUtil::Installer_CallBzTransmit_AtInstallTimeAddHost will not work. So Bailing out before!ERROR: -nogui -signinaccount failed - something went badly wrong in_B Installer_CallBzTran
Source: bzdoinstall.exe	String found in binary or memory: point7point8point9servERROR: -nogui -createaccount Operating System not supported: point10nonepoint11point12ERROR: -nogui -createaccount failed on Installer_ContactDatacenterAskForEmailAddr, retCode=point13WARNING: -nogui -createaccount_or_signinaccount found this host already has an account. Move to next step for silent installation.ERROR: -nogui -createaccount failed because this host already has an accountERROR: -nogui -createaccount_or_signinaccount failed because no group ID/Tokenpoint14point14-1 - retCode=%d region=%s my_secondTouchCaUrl=%spoint15point15-copy_secondTouchUrlpoint15-reinstallERROR: Fail on reinstallationpoint15.passwordpingERROR: Fail on validation of compromised credentialsWarning : create account password Ping failed with code: point15.zzzzzERROR: -nogui -createaccount failed on _AtInstallTimeCheckAuth, retCode=, could not reach datacenter, bad username or password, invalid email address, account already exists so you cannot create it, account=, during create_account yoda_or_designated_ca_error_A, BzUiUtil::Installer_CallBzTransmit_AtInstallTimeCheckAuth tmp_bztransmit_does_not_exist_C, BzUiUtil::Installer_CallBzTransmit_AtInstallTimeCheckAuth problem_8an unknown zebra_B error during create_accountINFO: email account already exist. Skip to next step for -createaccount_or_signinaccountpoint16ERROR: -nogui -createaccount failed on Installer_CreateNewHguidAndPubPrivKeyERROR: about to call Installer_CallBzTransmit_AtInstallTimeCreateAccountAndAddHost which would fail because no secondTouchUrl! Bailing out!Code path -nogui , about to call Installer_CallBzTransmit_AtInstallTimeCreateAccountAndAddHost with programId = ERROR: -nogui failed on Installer_CallBzTransmit_AtInstallTimeCreateAccountAndAddHostclusterNumInstaller_CallBzTransmit_AtInstallTimeCreateAccountAndAddHost got json back, but did not find clusterNum inside json=://caInstaller_CallBzTransmit_AtInstallTimeCreateAccountAndAddHost provides the new clusterNum before: after:Using second CA URL : ERROR: -nogui -signinaccount Operating System not supported: ERROR: -nogui -signinaccount failed on Installer_ContactDatacenterAskForEmailAddr, retCode=ERROR: -nogui -signinaccount failed because this host already has an accountERROR: -nogui -signinaccount failed on _AtInstallTimeCheckAuth, retCode=, NEVER_SHOULD_HAPPEN_SIGNIN_PATH - account already exists so you cannot create it, account=, yoda_or_MY_designated_ca error,BzUiUtil::Installer_CallBzTransmit_AtInstallTimeCheckAuth bztransmit_does_not_exist_7_B,BzUiUtil::Installer_CallBzTransmit_AtInstallTimeCheckAuth bztransmit_problem_8_KWarning : signin account password Ping failed with code: ERROR: -nogui -signinaccount failed on Installer_CreateNewHguidAndPubPrivKeyERROR: bad global_BzInstallerSecondTouchCa_UrlStr=, so the following call to_A BzUiUtil::Installer_CallBzTransmit_AtInstallTimeAddHost will not work. So Bailing out before!ERROR: -nogui -signinaccount failed - something went badly wrong in_B Installer_CallBzTran
Source: bzdoinstall.exe	String found in binary or memory: HKLM/Software/Backblaze/installdir
Source: bzdoinstall.exe	String found in binary or memory: HKLM/Software/Wow6432Node/Backblaze/installdir
Source: bzdoinstall.exe	String found in binary or memory: bzserv.exe" -stop_service
Source: bzdoinstall.exe	String found in binary or memory: /Library/LaunchDaemons/com.backblaze.bzserv.plist
Source: bzdoinstall.exe	String found in binary or memory: bzserv.exe" -start_service
Source: bzdoinstall.exe	String found in binary or memory: /sbin/chkconfig --add backblaze
Source: bzdoinstall.exe	String found in binary or memory: INFO: Copying launchd config to /Library/LaunchDaemons
Source: bzdoinstall.exe	String found in binary or memory: /Library/LaunchDaemons
Source: bzdoinstall.exe	String found in binary or memory: /bin/launchctl load -F
Source: bzdoinstall.exe	String found in binary or memory: Successfully unpacked into dir: Now proceeding with installation into dir: PID: tmpdir_logSuccessfully copied tmpdir log file from: , into: FAILED to copy tmpdir log file from: FAILED to read tmpdir log file from: FAILED to find ANY tmpdir log files from dir: bzstat_startinstallmillis.txtbzbui.exe" -quitbzbuiWARNING: BzSystem::RunCommand bzbui.exe -quitbzbui failed for: Stopped bzbui.exe, BzSystem::RunCommand: ERROR: hguid= could not move aside bzbui UI: BZBUITRAYbzbuitraybzrestore.exe" -quitERROR: BzSystem::RunCommand bzrestore.exe -quit failed for: bzserv.exe" -stop_serviceERROR: BzSystem::RunCommand stopBzServ failed for: Stopped bzserv service, BzSystem::RunCommand: could not move aside bzserv service: bzdoinstall.exe could not move aside bzdoinstall service: ERROR: could not move aside bztransmit service: could not move aside bzfilelist binary: bztrans_thread%02d.exebztrans64_thread%02d.exe/etc/rc.d/init.d/backblaze/etc/rc.d/init.d/backblaze stopERROR: BzSystem::RunCommand backblaze stop failed for: /Library/LaunchDaemons/com.backblaze.bzserv.plistINFO: Asking bzfilelist to quitbzfilelistbzdoinstall.exe" -douninstall "menu_item_backblaze_control_panelBackblaze Control Panel...menu_item_helpHelpPrograms\Backblaze/help.htmlmenu_item_backblaze_downloaderBackblaze Downloadermenu_item_backblaze_restore_appBackblaze Restore AppERROR: stopping install, could not create dir: clusternum.txtmsvcr100.dllmsvcr100_x64.dllERROR: could not copy file to dst dir: ERROR: could not copy thread_file to dst dir: ERROR: NOT stopping install, but could not create dir: ERROR: could not copy file to dst dir_x64: ERROR: could not copy thread_file to dst dir_x64: redistVC_redist.x86.exeERROR: could not copy file to dst dir_redist: /q /norestartbzserv.exe" -make_into_serviceERROR: BzSystem::RunCommand regServ failed for: Registered bzserv service, BzSystem::RunCommand: bzserv.exe" -start_serviceERROR: BzSystem::RunCommand startBzServ failed for: Started bzserv service, BzSystem::RunCommand: init_d_backblaze.txtERROR: could not read init.d file from: BACKBLAZE_INSTALLDIR=ERROR: could not find BACKBLAZE_INSTALLDIR in: ERROR: could not write out file: /sbin/chkconfig --add backblazeERROR: BzSystem::RunCommnd chkconfig fld for: chkconfig, BzSystem::RunCommand: /etc/rc.d/init.d/backblaze startERROR: RunCommand backblaze start failed for: startup of backblaze, BzSystem::RunCommand: INFO: Copying launchd config to /Library/LaunchDaemonscom.backblaze.bzserv.plistERROR: launchd config file could not be found in directory /Library/LaunchDaemonsERROR: Could not create LaunchDaemons directoryERROR: Failed chmod on ERROR: Could not copy file /bin/launchctl load -F INFO: Running Command: INFO: launchd said: bzbui.exe" -quietHKCU/Software/Microsoft/Windows/CurrentVersion/Run/BackblazeInstaller_SilentlyInstallAllFiles - after call to BzInfoManager::MakeSureAllEditableExcludeRuleBlocksAreMerged - some_new_blocks were merged!Installer_SilentlyInstallAllFiles - after call to BzInfoM
Source: bzdoinstall.exe	String found in binary or memory: Successfully unpacked into dir: Now proceeding with installation into dir: PID: tmpdir_logSuccessfully copied tmpdir log file from: , into: FAILED to copy tmpdir log file from: FAILED to read tmpdir log file from: FAILED to find ANY tmpdir log files from dir: bzstat_startinstallmillis.txtbzbui.exe" -quitbzbuiWARNING: BzSystem::RunCommand bzbui.exe -quitbzbui failed for: Stopped bzbui.exe, BzSystem::RunCommand: ERROR: hguid= could not move aside bzbui UI: BZBUITRAYbzbuitraybzrestore.exe" -quitERROR: BzSystem::RunCommand bzrestore.exe -quit failed for: bzserv.exe" -stop_serviceERROR: BzSystem::RunCommand stopBzServ failed for: Stopped bzserv service, BzSystem::RunCommand: could not move aside bzserv service: bzdoinstall.exe could not move aside bzdoinstall service: ERROR: could not move aside bztransmit service: could not move aside bzfilelist binary: bztrans_thread%02d.exebztrans64_thread%02d.exe/etc/rc.d/init.d/backblaze/etc/rc.d/init.d/backblaze stopERROR: BzSystem::RunCommand backblaze stop failed for: /Library/LaunchDaemons/com.backblaze.bzserv.plistINFO: Asking bzfilelist to quitbzfilelistbzdoinstall.exe" -douninstall "menu_item_backblaze_control_panelBackblaze Control Panel...menu_item_helpHelpPrograms\Backblaze/help.htmlmenu_item_backblaze_downloaderBackblaze Downloadermenu_item_backblaze_restore_appBackblaze Restore AppERROR: stopping install, could not create dir: clusternum.txtmsvcr100.dllmsvcr100_x64.dllERROR: could not copy file to dst dir: ERROR: could not copy thread_file to dst dir: ERROR: NOT stopping install, but could not create dir: ERROR: could not copy file to dst dir_x64: ERROR: could not copy thread_file to dst dir_x64: redistVC_redist.x86.exeERROR: could not copy file to dst dir_redist: /q /norestartbzserv.exe" -make_into_serviceERROR: BzSystem::RunCommand regServ failed for: Registered bzserv service, BzSystem::RunCommand: bzserv.exe" -start_serviceERROR: BzSystem::RunCommand startBzServ failed for: Started bzserv service, BzSystem::RunCommand: init_d_backblaze.txtERROR: could not read init.d file from: BACKBLAZE_INSTALLDIR=ERROR: could not find BACKBLAZE_INSTALLDIR in: ERROR: could not write out file: /sbin/chkconfig --add backblazeERROR: BzSystem::RunCommnd chkconfig fld for: chkconfig, BzSystem::RunCommand: /etc/rc.d/init.d/backblaze startERROR: RunCommand backblaze start failed for: startup of backblaze, BzSystem::RunCommand: INFO: Copying launchd config to /Library/LaunchDaemonscom.backblaze.bzserv.plistERROR: launchd config file could not be found in directory /Library/LaunchDaemonsERROR: Could not create LaunchDaemons directoryERROR: Failed chmod on ERROR: Could not copy file /bin/launchctl load -F INFO: Running Command: INFO: launchd said: bzbui.exe" -quietHKCU/Software/Microsoft/Windows/CurrentVersion/Run/BackblazeInstaller_SilentlyInstallAllFiles - after call to BzInfoManager::MakeSureAllEditableExcludeRuleBlocksAreMerged - some_new_blocks were merged!Installer_SilentlyInstallAllFiles - after call to BzInfoM
Source: bzdoinstall.exe	String found in binary or memory: Successfully unpacked into dir: Now proceeding with installation into dir: PID: tmpdir_logSuccessfully copied tmpdir log file from: , into: FAILED to copy tmpdir log file from: FAILED to read tmpdir log file from: FAILED to find ANY tmpdir log files from dir: bzstat_startinstallmillis.txtbzbui.exe" -quitbzbuiWARNING: BzSystem::RunCommand bzbui.exe -quitbzbui failed for: Stopped bzbui.exe, BzSystem::RunCommand: ERROR: hguid= could not move aside bzbui UI: BZBUITRAYbzbuitraybzrestore.exe" -quitERROR: BzSystem::RunCommand bzrestore.exe -quit failed for: bzserv.exe" -stop_serviceERROR: BzSystem::RunCommand stopBzServ failed for: Stopped bzserv service, BzSystem::RunCommand: could not move aside bzserv service: bzdoinstall.exe could not move aside bzdoinstall service: ERROR: could not move aside bztransmit service: could not move aside bzfilelist binary: bztrans_thread%02d.exebztrans64_thread%02d.exe/etc/rc.d/init.d/backblaze/etc/rc.d/init.d/backblaze stopERROR: BzSystem::RunCommand backblaze stop failed for: /Library/LaunchDaemons/com.backblaze.bzserv.plistINFO: Asking bzfilelist to quitbzfilelistbzdoinstall.exe" -douninstall "menu_item_backblaze_control_panelBackblaze Control Panel...menu_item_helpHelpPrograms\Backblaze/help.htmlmenu_item_backblaze_downloaderBackblaze Downloadermenu_item_backblaze_restore_appBackblaze Restore AppERROR: stopping install, could not create dir: clusternum.txtmsvcr100.dllmsvcr100_x64.dllERROR: could not copy file to dst dir: ERROR: could not copy thread_file to dst dir: ERROR: NOT stopping install, but could not create dir: ERROR: could not copy file to dst dir_x64: ERROR: could not copy thread_file to dst dir_x64: redistVC_redist.x86.exeERROR: could not copy file to dst dir_redist: /q /norestartbzserv.exe" -make_into_serviceERROR: BzSystem::RunCommand regServ failed for: Registered bzserv service, BzSystem::RunCommand: bzserv.exe" -start_serviceERROR: BzSystem::RunCommand startBzServ failed for: Started bzserv service, BzSystem::RunCommand: init_d_backblaze.txtERROR: could not read init.d file from: BACKBLAZE_INSTALLDIR=ERROR: could not find BACKBLAZE_INSTALLDIR in: ERROR: could not write out file: /sbin/chkconfig --add backblazeERROR: BzSystem::RunCommnd chkconfig fld for: chkconfig, BzSystem::RunCommand: /etc/rc.d/init.d/backblaze startERROR: RunCommand backblaze start failed for: startup of backblaze, BzSystem::RunCommand: INFO: Copying launchd config to /Library/LaunchDaemonscom.backblaze.bzserv.plistERROR: launchd config file could not be found in directory /Library/LaunchDaemonsERROR: Could not create LaunchDaemons directoryERROR: Failed chmod on ERROR: Could not copy file /bin/launchctl load -F INFO: Running Command: INFO: launchd said: bzbui.exe" -quietHKCU/Software/Microsoft/Windows/CurrentVersion/Run/BackblazeInstaller_SilentlyInstallAllFiles - after call to BzInfoManager::MakeSureAllEditableExcludeRuleBlocksAreMerged - some_new_blocks were merged!Installer_SilentlyInstallAllFiles - after call to BzInfoM
Source: bzdoinstall.exe	String found in binary or memory: Successfully unpacked into dir: Now proceeding with installation into dir: PID: tmpdir_logSuccessfully copied tmpdir log file from: , into: FAILED to copy tmpdir log file from: FAILED to read tmpdir log file from: FAILED to find ANY tmpdir log files from dir: bzstat_startinstallmillis.txtbzbui.exe" -quitbzbuiWARNING: BzSystem::RunCommand bzbui.exe -quitbzbui failed for: Stopped bzbui.exe, BzSystem::RunCommand: ERROR: hguid= could not move aside bzbui UI: BZBUITRAYbzbuitraybzrestore.exe" -quitERROR: BzSystem::RunCommand bzrestore.exe -quit failed for: bzserv.exe" -stop_serviceERROR: BzSystem::RunCommand stopBzServ failed for: Stopped bzserv service, BzSystem::RunCommand: could not move aside bzserv service: bzdoinstall.exe could not move aside bzdoinstall service: ERROR: could not move aside bztransmit service: could not move aside bzfilelist binary: bztrans_thread%02d.exebztrans64_thread%02d.exe/etc/rc.d/init.d/backblaze/etc/rc.d/init.d/backblaze stopERROR: BzSystem::RunCommand backblaze stop failed for: /Library/LaunchDaemons/com.backblaze.bzserv.plistINFO: Asking bzfilelist to quitbzfilelistbzdoinstall.exe" -douninstall "menu_item_backblaze_control_panelBackblaze Control Panel...menu_item_helpHelpPrograms\Backblaze/help.htmlmenu_item_backblaze_downloaderBackblaze Downloadermenu_item_backblaze_restore_appBackblaze Restore AppERROR: stopping install, could not create dir: clusternum.txtmsvcr100.dllmsvcr100_x64.dllERROR: could not copy file to dst dir: ERROR: could not copy thread_file to dst dir: ERROR: NOT stopping install, but could not create dir: ERROR: could not copy file to dst dir_x64: ERROR: could not copy thread_file to dst dir_x64: redistVC_redist.x86.exeERROR: could not copy file to dst dir_redist: /q /norestartbzserv.exe" -make_into_serviceERROR: BzSystem::RunCommand regServ failed for: Registered bzserv service, BzSystem::RunCommand: bzserv.exe" -start_serviceERROR: BzSystem::RunCommand startBzServ failed for: Started bzserv service, BzSystem::RunCommand: init_d_backblaze.txtERROR: could not read init.d file from: BACKBLAZE_INSTALLDIR=ERROR: could not find BACKBLAZE_INSTALLDIR in: ERROR: could not write out file: /sbin/chkconfig --add backblazeERROR: BzSystem::RunCommnd chkconfig fld for: chkconfig, BzSystem::RunCommand: /etc/rc.d/init.d/backblaze startERROR: RunCommand backblaze start failed for: startup of backblaze, BzSystem::RunCommand: INFO: Copying launchd config to /Library/LaunchDaemonscom.backblaze.bzserv.plistERROR: launchd config file could not be found in directory /Library/LaunchDaemonsERROR: Could not create LaunchDaemons directoryERROR: Failed chmod on ERROR: Could not copy file /bin/launchctl load -F INFO: Running Command: INFO: launchd said: bzbui.exe" -quietHKCU/Software/Microsoft/Windows/CurrentVersion/Run/BackblazeInstaller_SilentlyInstallAllFiles - after call to BzInfoManager::MakeSureAllEditableExcludeRuleBlocksAreMerged - some_new_blocks were merged!Installer_SilentlyInstallAllFiles - after call to BzInfoM
Source: bzdownloader.exe	String found in binary or memory: id-cmc-addExtensions
Source: bzdownloader.exe	String found in binary or memory: set-addPolicy
Source: bzdownloader.exe	String found in binary or memory: iphlpapi.dllif_nametoindexLoadLibraryExW\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d
Source: bzdownloader.exe	String found in binary or memory: HKLM/Software/Backblaze/installdir
Source: bzdownloader.exe	String found in binary or memory: HKLM/Software/Wow6432Node/Backblaze/installdir
Source: bzfilelist.exe	String found in binary or memory: HKLM/Software/Backblaze/installdir
Source: bzfilelist.exe	String found in binary or memory: HKLM/Software/Wow6432Node/Backblaze/installdir
Source: bzfilelist.exe	String found in binary or memory: could_not_write_out_bzvol_id_fileERROR: SetFileAttributes to hidden failed: NOTE: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, no destinationFile=NOTE: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeededC:\.bzvol), found the Windows src bzvol here=), had to simulate the contents of the bzvol, which are=), bailing because no srcFolder Exists to copy from srcFolder= and srcFolder=/.bzvolBzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded - about to create file from simulation. FileName=ERROR: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, could not write simulated file dstFile=SUCCESS: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, wrote out simulated dstFile=BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded - about to copy file.ERROR: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, srcFile DOES_NOT_EXIST srcFile=, so CANNOT COPY IT to dstFile=ERROR: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, could not copy srcFile=, to dstFile=SUCCESS: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, copied srcFile=ERROR: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, could not copy README srcFile=SUCCESS: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, copied README srcFile=C:\Windows\C:\Windowswldp.dllC:\Documents and Settings\C:\Documents and Settings\foo\Application DataC:\Documents and SettingsHKLM/Software/Backblaze/installdirHKLM/Software/Wow6432Node/Backblaze/installdirC:\Program Files\Backblaze\C:\Program FilesBackblazedatadirC:\ProgramData\Backblaze\C:\ProgramData/proc/ERROR: open to read failed on file: BZ_FILE_NO_ERRORBZ_FILE_PERMANENT_DOES_NOT_EXISTBZ_FILE_PERMANENT_BAD_PERMISSIONSBZ_FILE_TEMPORARY_FILE_BUSYBZ_FILE_PERMANENT_FILE_NOT_ON_DRIVEBZ_FILE_TEMPORARY_DRIVE_UNPLUGGEDBZ_FILE_TEMPORARY_NOT_ENOUGH_TMP_SPACEBZ_FILE_LARGER_THAN_ONE_GBYTEBZ_FILE_TEMPORARY_OTHERbad_argument: numBytesReturned was NULLbad_argument: fileName was NULLfile_does_not_existerror_file_is_larger_than_one_gigabyteerror_could_not_malloc_rawbuf_of__byteserror_win32_CreateF_failed_Another_Process_Has_File_Open__ERROR_ACCESS_DENIEDerror_win32_ReadFile_failed_GetLastError_INFO: AtomicMoveFileWithRetry attempt failed: ERROR: AtomicMoveFileWithRetry failed after 10 retries: ..\*ERROR: GetListOfFileInfosInDir (processId=) BzUtf16String::ConvertUtf8BzStringToUtf16_A failed, dirPat=WARNING: GetListOfFileInfosInDir (processId=) FindFirstFile_C failed, dirPat=, GetLastError=, and_a_lastError_of_3_means ERROR_PATH_NOT_FOUND, check if dirPat starts with a letter-colon in this log line.) BzUtf16String::ConvertBzUtf16StringToUtf8_B failed, dirSearch=) - FindNextFile err, dirPat=, Error_3_means=ERROR_PATH_NOT_FOUND, Error_8_means=ERROR_NOT_ENOUGH_MEMORY\/'=""
Source: bzfilelist64.exe	String found in binary or memory: HKLM/Software/Backblaze/installdir
Source: bzfilelist64.exe	String found in binary or memory: HKLM/Software/Wow6432Node/Backblaze/installdir
Source: bzfilelist64.exe	String found in binary or memory: could_not_write_out_bzvol_id_fileERROR: SetFileAttributes to hidden failed: NOTE: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, no destinationFile=NOTE: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeededC:\.bzvol), found the Windows src bzvol here=), had to simulate the contents of the bzvol, which are=), bailing because no srcFolder Exists to copy from srcFolder= and srcFolder=/.bzvolBzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded - about to create file from simulation. FileName=ERROR: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, could not write simulated file dstFile=SUCCESS: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, wrote out simulated dstFile=BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded - about to copy file.ERROR: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, srcFile DOES_NOT_EXIST srcFile=, so CANNOT COPY IT to dstFile=ERROR: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, could not copy srcFile=, to dstFile=SUCCESS: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, copied srcFile=ERROR: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, could not copy README srcFile=SUCCESS: BzFile::CloneBzVolFolderOfSystemVolumeIntoDataDir_IfNeeded, copied README srcFile=C:\Windows\C:\Windowswldp.dllC:\Documents and Settings\C:\Documents and Settings\foo\Application DataC:\Documents and SettingsHKLM/Software/Backblaze/installdirHKLM/Software/Wow6432Node/Backblaze/installdirC:\Program Files\Backblaze\C:\Program FilesBackblazedatadirC:\ProgramData\Backblaze\C:\ProgramData/proc/ERROR: open to read failed on file: BZ_FILE_NO_ERRORBZ_FILE_PERMANENT_DOES_NOT_EXISTBZ_FILE_PERMANENT_BAD_PERMISSIONSBZ_FILE_TEMPORARY_FILE_BUSYBZ_FILE_PERMANENT_FILE_NOT_ON_DRIVEBZ_FILE_TEMPORARY_DRIVE_UNPLUGGEDBZ_FILE_TEMPORARY_NOT_ENOUGH_TMP_SPACEBZ_FILE_LARGER_THAN_ONE_GBYTEBZ_FILE_TEMPORARY_OTHERbad_argument: numBytesReturned was NULLbad_argument: fileName was NULLfile_does_not_existerror_file_is_larger_than_one_gigabyteerror_could_not_malloc_rawbuf_of__byteserror_win32_CreateF_failed_Another_Process_Has_File_Open__ERROR_ACCESS_DENIEDerror_win32_ReadFile_failed_GetLastError_INFO: AtomicMoveFileWithRetry attempt failed: ERROR: AtomicMoveFileWithRetry failed after 10 retries: ..\*ERROR: GetListOfFileInfosInDir (processId=) BzUtf16String::ConvertUtf8BzStringToUtf16_A failed, dirPat=WARNING: GetListOfFileInfosInDir (processId=) FindFirstFile_C failed, dirPat=, GetLastError=, and_a_lastError_of_3_means ERROR_PATH_NOT_FOUND, check if dirPat starts with a letter-colon in this log line.) BzUtf16String::ConvertBzUtf16StringToUtf8_B failed, dirSearch=) - FindNextFile err, dirPat=, Error_3_means=ERROR_PATH_NOT_FOUND, Error_8_means=ERROR_NOT_ENOUGH_MEMORY\/'=""
Source: bzrestore.exe	String found in binary or memory: iphlpapi.dllif_nametoindexLoadLibraryExW\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d
Source: bzrestore.exe	String found in binary or memory: HKLM/Software/Backblaze/installdir
Source: bzrestore.exe	String found in binary or memory: HKLM/Software/Wow6432Node/Backblaze/installdir
Source: bzrestore.exe	String found in binary or memory: .xml%04dhttp%04d%02d%02d%02d%02d%02dwldp.dllHKLM/Software/Backblaze/installdirC:\Program Files\Backblaze\HKLM/Software/Wow6432Node/Backblaze/installdiraBackblazeC:\Program FilesdatadirC:\C:\ProgramDataC:\ProgramData\Backblaze\/proc/..none\n\f\t\r="": /\\"'\\\u\b\/)one

Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe

File read: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Process created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe" -doinstall "C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Process created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -fetchurltofile https://ca000.backblaze.com/api/clientversion.xml "C:\Users\user\AppData\Local\Temp\bzt0315155706_0000001_1930_0005724.txt
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Process created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -fetchurltofile https://ca001.backblaze.com/api/clientversion.xml "C:\Users\user\AppData\Local\Temp\bzt0315155706_0000002_6385_0005724.txt
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Process created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe "C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -at_install_time_checkuser https://ca000.backblaze.com 626265633735623766393731
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Process created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe" -doinstall "C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Process created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -fetchurltofile https://ca000.backblaze.com/api/clientversion.xml "C:\Users\user\AppData\Local\Temp\bzt0315155706_0000001_1930_0005724.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Process created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -fetchurltofile https://ca001.backblaze.com/api/clientversion.xml "C:\Users\user\AppData\Local\Temp\bzt0315155706_0000002_6385_0005724.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Process created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe "C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -at_install_time_checkuser https://ca000.backblaze.com 626265633735623766393731	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: install_backblaze_bbec75b7f971c02a0.exe

Static PE information: certificate valid

Source: install_backblaze_bbec75b7f971c02a0.exe

Static file information: File size 30129600 > 1048576

Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe

File opened: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\msvcr100.dll

Jump to behavior

Source: install_backblaze_bbec75b7f971c02a0.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\work\bz\bzmono\Release\bzfclean.pdb source: bzfclean.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzserv.pdbv source: bzserv.exe.0.dr
Source:	Binary string: oH`pH0qH0sH@sHmemory buffersecure memory buffercrypto\bio\bss_mem.cCERTIFICATE REQUESTNEW CERTIFICATE REQUESTX509 CRLPKCS7CERTIFICATEPUBLIC KEYDH PARAMETERSX9.42 DH PARAMETERScompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICcrypto\rsa\rsa_crpt.ccrypto\bio\bio_lib.c source: bzdownloader.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release64\bzfilelist.pdbh source: bzfilelist64.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bztransmit.pdb source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: msvcr100.amd64.pdb source: msvcr100_x64.dll.0.dr
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb`E source: VC_redist.x86.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzselfextractor.pdb source: install_backblaze_bbec75b7f971c02a0.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzdownloader_win32.pdb source: bzdownloader.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzserv.pdb source: bzserv.exe.0.dr
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release64\bzrestore.pdb source: bzrestore.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzfilelist.pdbj source: bzfilelist.exe
Source:	Binary string: msvcr100.i386.pdb source: msvcr100.dll.0.dr
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release64\bzfilelist.pdb source: bzfilelist64.exe
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb source: VC_redist.x86.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzbuitray.pdbl source: bzbuitray.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzwinrt.pdb source: bzwinrt.dll.0.dr
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bztransmit.pdb" source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzselfextractor.pdbQ source: install_backblaze_bbec75b7f971c02a0.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzdoinstall.pdb source: bzdoinstall.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzbuitray.pdb source: bzbuitray.exe
Source:	Binary string: dmemory buffersecure memory buffercrypto\bio\bss_mem.cCERTIFICATE REQUESTNEW CERTIFICATE REQUESTX509 CRLPKCS7CERTIFICATERSA PRIVATE KEYPUBLIC KEYDH PARAMETERSX9.42 DH PARAMETERScompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICcrypto\rsa\rsa_crpt.ccrypto\bio\bio_lib.c source: bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzwinrt.pdb source: bzwinrt.dll.0.dr
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzbui_win32.pdb source: bzbui.exe
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: bzdownloader.exe
Source:	Binary string: D:\Jenkins\workspace\WinClientBeta\bzmono\Release\bzfilelist.pdb source: bzfilelist.exe

Source: bzbui.exe.0.dr	Static PE information: section name: _RDATA
Source: VC_redist.x86.exe.0.dr	Static PE information: section name: .wixburn
Source: msvcr100_x64.dll.0.dr	Static PE information: section name: _CONST
Source: msvcr100_x64.dll.0.dr	Static PE information: section name: text

Source: msvcr100.dll.0.dr

Static PE information: section name: .text entropy: 6.9205316640675

Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzfclean.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzfilelist64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzserv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbuitray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\msvcr100_x64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\VC_redist.x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdownloader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzrestore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzfilelist.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzwinrt.dll	Jump to dropped file

Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzinstallername.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	File created: C:\ProgramData\Backblaze\bzdata\bzlogs\bzdoinstall\bzdoinstall15.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	File created: C:\ProgramData\Backblaze\bzdata\bzreports\install_history.txt	Jump to behavior

Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe

File created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\license.txt

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzfclean.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzfilelist64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzserv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbuitray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\msvcr100_x64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\VC_redist.x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdownloader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzrestore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzfilelist.exe	Jump to dropped file
Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzwinrt.dll	Jump to dropped file

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: bztransmit.exe, 00000005.00000002.1076589096.00000000012B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: install_backblaze_bbec75b7f971c02a0.exe, 00000000.00000002.1148695462.000000000049E000.00000004.00000020.00020000.00000000.sdmp, bzdoinstall.exe, 00000002.00000003.1145052536.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, bztransmit.exe, 00000003.00000003.1075138510.000000000131E000.00000004.00000020.00020000.00000000.sdmp, bztransmit.exe, 00000007.00000003.1082277723.0000000001523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe	Process created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe" -doinstall "C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Process created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -fetchurltofile https://ca000.backblaze.com/api/clientversion.xml "C:\Users\user\AppData\Local\Temp\bzt0315155706_0000001_1930_0005724.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Process created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -fetchurltofile https://ca001.backblaze.com/api/clientversion.xml "C:\Users\user\AppData\Local\Temp\bzt0315155706_0000002_6385_0005724.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	Process created: C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe "C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -at_install_time_checkuser https://ca000.backblaze.com 626265633735623766393731	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Software Packing	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
install_backblaze_bbec75b7f971c02a0.exe	8%	ReversingLabs
install_backblaze_bbec75b7f971c02a0.exe	2%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\VC_redist.x86.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\VC_redist.x86.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbuitray.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdownloader.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzfclean.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzfilelist.exe	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzfilelist64.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzrestore.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzserv.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit64.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzwinrt.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\msvcr100.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\msvcr100_x64.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://ca000.backblaze.com5N	0%	Avira URL Cloud	safe
https://api001.backblazeb2.com	0%	Avira URL Cloud	safe
https://api.backblazeb2.com/es	0%	Avira URL Cloud	safe
https://api.backblazeb2.pet	0%	Avira URL Cloud	safe
https://ca000.Inside	0%	Avira URL Cloud	safe
https://f910.backblazeb2.pet/file/b2-computer-backup-public	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html	0%	Avira URL Cloud	safe
https://api001.backblazeb2.com	0%	Virustotal		Browse
https://f100.backblazeb2.xyz/file/b2-computer-backup-public	100%	Avira URL Cloud	phishing
https://ca911.backblaze.pet/	0%	Avira URL Cloud	safe
https://api.backblazeb2.pet	0%	Virustotal		Browse
https://ca100.backblaze.xyz/	0%	Avira URL Cloud	safe
http://ul.https://www.http://www.)	0%	Avira URL Cloud	safe
https://f910.backblazeb2.pet/file/b2-computer-backup-public	0%	Virustotal		Browse
https://f100.backblazeb2.xyz/file/b2-computer-backup-public	1%	Virustotal		Browse
https://apihttps://cabackblazeb2.com.backblaze.com/backblazeb2.net.backblaze.net/backblazeb2.xyz.bac	0%	Avira URL Cloud	safe
https://ca910.backblaze.pet/	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html	0%	Virustotal		Browse
https://ca101.backblaze.xyz/	0%	Avira URL Cloud	safe
https://ca901.backblaze.net/	0%	Avira URL Cloud	safe
https://ca100.backblaze.xyz/	0%	Virustotal		Browse
https://f000.backblazeb2.com/file/b2-computer-backup-public	0%	Avira URL Cloud	safe
https://ca911.backblaze.pet/	0%	Virustotal		Browse
https://f910.backblazeb2.pet/file/b2-computer-backup-public/	0%	Avira URL Cloud	safe
https://curl.se/libcurlfmtAboutDlgVersionen_USLocalRestore-	0%	Avira URL Cloud	safe
https://curl.se/docs/alt-svc.html	0%	Avira URL Cloud	safe
https://ca910.backblaze.pet/	0%	Virustotal		Browse
https://api.backblazeb2.com/b2api/v1/b2_authorize_accountAuthorization:	0%	Avira URL Cloud	safe
https://f000.backblazeb2.com/file/b2-computer-backup-public	0%	Virustotal		Browse
https://ca101.backblaze.xyz/	1%	Virustotal		Browse
https://ca900.backblaze.net/api/clientversion.xml	0%	Avira URL Cloud	safe
https://ca100.backblaze.xyz	0%	Avira URL Cloud	safe
https://f910.backblazeb2.pet/file/b2-computer-backup-public/	0%	Virustotal		Browse
https://api.backblazeb2.com/b2api/v1/b2_authorize_account	0%	Avira URL Cloud	safe
https://curl.se/docs/alt-svc.html	0%	Virustotal		Browse
https://api000.backblazeb2.com	0%	Avira URL Cloud	safe
https://curl.se/libcurlfmtAboutDlgVersionen_USLocalRestore-	0%	Virustotal		Browse
https://ca100.backblaze.xyz	0%	Virustotal		Browse
https://api.backblazeb2.com/b2api/v1/b2_authorize_account	0%	Virustotal		Browse
https://f000.backblazeb2.com/file/b2-computer-backup-public/	0%	Avira URL Cloud	safe
https://f000.backblazeb2.com/file/b2-computer-backup-publichttps://f900.backblazeb2.net/file/b2-comp	0%	Avira URL Cloud	safe
https://api.backblazeb2.com/b2api/v1/b2_authorize_accountAuthorization:	0%	Virustotal		Browse
https://f900.backblazeb2.net/file/b2-computer-backup-public	0%	Avira URL Cloud	safe
https://ca901.backblaze.net/	0%	Virustotal		Browse
https://api000.backblazeb2.com	0%	Virustotal		Browse
https://ca101.backblaze.xyz	0%	Avira URL Cloud	safe
https://api.backblazeb2.net	0%	Avira URL Cloud	safe
https://api.backblazeb2.com/	0%	Avira URL Cloud	safe
https://api.backblazeb2.xyz	0%	Avira URL Cloud	safe
https://f000.backblazeb2.com/file/b2-computer-backup-public/	0%	Virustotal		Browse
https://f900.backblazeb2.net/file/b2-computer-backup-public	0%	Virustotal		Browse
https://f900.backblazeb2.net/file/b2-computer-backup-public/	0%	Avira URL Cloud	safe
https://ca101.backblaze.xyz	1%	Virustotal		Browse
https://ca001.backblaze.comhttps://api.backblazeb2.comNEThttps://ca900.backblaze.nethttps://api.back	0%	Avira URL Cloud	safe
https://api.backblazeb2.xyz	2%	Virustotal		Browse
https://ca911.backblaze.pet/api/clientversion.xml	0%	Avira URL Cloud	safe
https://ca101.backblaze.xyz/api/clientversion.xml	0%	Avira URL Cloud	safe
https://api.backblazeb2.net	0%	Virustotal		Browse
https://ca900.backblaze.net/api/clientversion.xml	0%	Virustotal		Browse
https://api.backblazeb2.com	0%	Avira URL Cloud	safe
https://www.backblaze.comAn	0%	Avira URL Cloud	safe
https://ca000.backblaze.com-	0%	Avira URL Cloud	safe
https://f900.backblazeb2.net/file/b2-computer-backup-public/	0%	Virustotal		Browse
https://f000.backblazeb2.com/file/b2-computer-backup-publichttps://f900.backblazeb2.net/file/b2-comp	0%	Virustotal		Browse
https://www.backblaze.pet/forgot_password.htm	0%	Avira URL Cloud	safe
https://api.backblazeb2.com	0%	Virustotal		Browse
https://api.backblazeb2.com/	0%	Virustotal		Browse
https://ca101.backblaze.xyz/api/clientversion.xml	0%	Virustotal		Browse
https://ca911.backblaze.pet/api/clientversion.xml	0%	Virustotal		Browse
https://www.backblaze.pet/forgot_password.htm	0%	Virustotal		Browse

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
ca-001-0000.backblaze.com	104.153.233.9	true	false	high
ca-000-0000.backblaze.com	104.153.233.8	true	false	high
ca001.backblaze.com	unknown	unknown	false	high
ca000.backblaze.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ca000.backblaze.com/api/at_install_time_checkuser	bztransmit.exe, 00000007.00000002.1083178162.0000000001537000.00000004.00000020.00020000.00000000.sdmp, bztransmit.exe, 00000007.00000002.1083037961.0000000001508000.00000004.00000020.00020000.00000000.sdmp, bztransmit.exe, 00000007.00000002.1083178162.0000000001545000.00000004.00000020.00020000.00000000.sdmp, bztransmit15.log.3.dr	false		high
https://api.backblazeb2.com/es	bzdoinstall.exe, 00000002.00000002.1146178404.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ca000.Inside	bzdoinstall.exe	false	Avira URL Cloud: safe	unknown
https://api.backblazeb2.pet	bzdoinstall.exe, bzdownloader.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ca000.backblaze.com5N	bzdoinstall.exe, 00000002.00000003.1145052536.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, bzdoinstall.exe, 00000002.00000002.1146178404.0000000000E62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api001.backblazeb2.com	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ca000.backblaze.com/https://ca001.backblaze.com/https://ca002.backblaze.com/https://ca003.ba	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp, bzserv.exe.0.dr, bzfilelist.exe, bzfilelist64.exe	false		high
https://ca002.backblaze.com/	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false		high
https://ca001.backblaze.com/https://ca002.backblaze.com/https://ca003.backblaze.com/https://ca004.ba	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe	false		high
https://help.backblaze.com/hc/en-us/articles/360038171794:	bzrestore.exe	false		high
https://f910.backblazeb2.pet/file/b2-computer-backup-public	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp, bzbui.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://help.backblaze.com/hc/%LANGUAGE%/articles/20956258257819/	bzbui.exe	false		high
https://help.backblaze.com/hc/%s/articles/15383074527771/:	bzrestore.exe	false		high
https://www.backblaze.com/help.html	bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false		high
https://www.openssl.org/	bzbui.exe	false		high
http://www.backblaze.com/en_us/help-backblaze-downloader-win.html?version=learn_morecompromised_pass	bzdownloader.exe	false		high
https://ca005.backblaze.com/	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false		high
http://www.winimage.com/zLibDll1.3	install_backblaze_bbec75b7f971c02a0.exe, bzrestore.exe	false		high
https://help.backblaze.com/hc/%LANGUAGE%/articles/20956258257819/%LANGUAGE%	bzbui.exe	false		high
https://secure.backblaze.com/bzapp_web_assets/public/pics/backblaze-logo.gif	bzdoinstall.exe, bzdownloader.exe	false		high
https://curl.se/docs/hsts.html	bzdownloader.exe, bzrestore.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://f100.backblazeb2.xyz/file/b2-computer-backup-public	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp, bzbui.exe	false	1%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.backblaze.com/es_ES/help-transfer-backup-%PLATFORM%.html	bzbui_interface.xml	false		high
https://ca911.backblaze.pet/	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ul.https://www.http://www.)	bzdownloader.exe	false	Avira URL Cloud: safe	unknown
http://www.backblaze.com/zh_TW/help-transfer-backup-%PLATFORM%.html	bzbui_interface.xml	false		high
https://www.google.com/maps/search/?api=1&query=	bzbui.exe	false		high
https://ca000.backblaze.com/api/clientversion.xml	bztransmit15.log.3.dr, ConDrv.3.dr, bzdoinstall.exe	false		high
https://curl.haxx.se/libcurl/Calibrihttps://www.openssl.org/AboutDialog	bzbui.exe	false		high
https://ca008.backblaze.com/	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false		high
https://ca100.backblaze.xyz/	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://apihttps://cabackblazeb2.com.backblaze.com/backblazeb2.net.backblaze.net/backblazeb2.xyz.bac	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	low
https://www.reddit.com/	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	false		high
https://ca910.backblaze.pet/	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.backblaze.com/backing-up-external-hard-drives.html	bzbui.exe	false		high
https://ca101.backblaze.xyz/	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ca901.backblaze.net/	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ca001.backblaze.com/api/clientversion.xmlmlming	bzdoinstall.exe, 00000002.00000002.1146178404.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ca000.backblaze.com/api/clientversion.xmlmlming	bzdoinstall.exe, 00000002.00000002.1146178404.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://secure.backblaze.com/bzapp_web_assets/public/pics/checkmark-blue.jpg	bzdoinstall.exe, bzdownloader.exe	false		high
http://www.backblaze.com/free-trial.htmlsign_in_to_existing_accountaccount_surround_labelplease_wait	bzdoinstall.exe	false		high
https://f000.backblazeb2.com/file/b2-computer-backup-public	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp, bzbui.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://help.backblaze.com/	bzdoinstall.exe, bzdownloader.exe	false		high
https://f910.backblazeb2.pet/file/b2-computer-backup-public/	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://help.backblaze.com/hc/%s/articles/15383074527771/fileLocalRestore-	bzrestore.exe	false		high
https://ezgif.com/resize	animated_cloud_win_120p_dm.gif	false		high
https://ca000.backblaze.com/4	bzdoinstall.exe, 00000002.00000003.1145052536.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, bzdoinstall.exe, 00000002.00000002.1146178404.0000000000E62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://curl.se/libcurlfmtAboutDlgVersionen_USLocalRestore-	bzrestore.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	bzdownloader.exe, bzrestore.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ca001.backblaze.com/	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false		high
https://api.backblazeb2.com/b2api/v1/b2_authorize_accountAuthorization:	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://secure.backblaze.com/bzapp_web_assets/public/scripts/bootstrap.min.css	bzdoinstall.exe, bzdownloader.exe	false		high
https://ca900.backblaze.net/api/clientversion.xml	bzdoinstall.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ca100.backblaze.xyz	bzdoinstall.exe, bzdownloader.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ca001.backblaze.com/api/clientversion.xmlBackblaze	bztransmit.exe, 00000005.00000002.1076589096.00000000012B8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.backblaze.com/ko_KR/help-transfer-backup-%PLATFORM%.html	bzbui_interface.xml	false		high
https://api.backblazeb2.com/b2api/v1/b2_authorize_account	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api000.backblazeb2.com	bzdoinstall.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://f000.backblazeb2.com/file/b2-computer-backup-public/	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://f000.backblazeb2.com/file/b2-computer-backup-publichttps://f900.backblazeb2.net/file/b2-comp	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp, bzbui.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ca000.backblaze.com/api/clientversion.xml32.dll	bztransmit.exe, 00000003.00000002.1075956112.00000000012FE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://secure.backblaze.com	bzbui.exe	false		high
https://ca001.backblaze.com/api/clientversion.xmlC:	bztransmit.exe, 00000005.00000002.1076589096.00000000012B8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.backblaze.com/help-inherit-backup-%PLATFORM%.html	bzbui_interface.xml	false		high
https://pod-000-0681-00.backblaze.com	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	false		high
https://www.backblaze.com	InstallerConfig.xml, bzbui.exe, bzdoinstall.exe	false		high
https://ca000.backblaze.com/api/at_install_time_checkuserit15.log	bztransmit.exe, 00000007.00000002.1083178162.0000000001526000.00000004.00000020.00020000.00000000.sdmp, bztransmit.exe, 00000007.00000003.1082277723.0000000001523000.00000004.00000020.00020000.00000000.sdmp	false		high
https://f.backblaze.com/file/	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	false		high
http://www.openssl.org/)	license.txt.0.dr	false		high
https://ca001.backblaze.com/api/clientversion.xml.dllq	bztransmit.exe, 00000005.00000002.1076589096.00000000012B8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp	false		high
http://www.backblaze.com/ru_RU/help-transfer-backup-%PLATFORM%.html	bzbui_interface.xml	false		high
https://ca003.backblaze.com/	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false		high
https://f900.backblazeb2.net/file/b2-computer-backup-public	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp, bzbui.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.backblaze.com/remote-backup-everything.html	bzfilelist.exe, bzfilelist64.exe	false		high
https://ca101.backblaze.xyz	bzdoinstall.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.backblaze.com/	bzdownloader.exe	false		high
https://api.backblazeb2.net	bzdoinstall.exe, bzdownloader.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ca000.backblaze.com/api/clientversion.xmlBackblaze	bztransmit.exe, 00000003.00000002.1075956112.00000000012FE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.backblazeb2.com/	bzdoinstall.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.backblazeb2.xyz	bzdoinstall.exe, bzdownloader.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ca000.backblaze.com/api/clientversion.xmlW	bztransmit.exe, 00000003.00000002.1075956112.00000000012FE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.youtube.com/watch?v=Y01r3jAbwF4&fmt=18	bzbui.exe	false		high
https://ca002.backblaze.com	bztransmit.exe, 00000003.00000000.1067938844.000000000071D000.00000002.00000001.01000000.00000006.sdmp, bzrestore.exe	false		high
https://f900.backblazeb2.net/file/b2-computer-backup-public/	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://curl.haxx.se/libcurl/	bzbui.exe	false		high
https://ca001.backblaze.comhttps://api.backblazeb2.comNEThttps://ca900.backblaze.nethttps://api.back	bzdownloader.exe	false	Avira URL Cloud: safe	unknown
https://ca002.backblaze.com/api/clientversion.xml	bzdoinstall.exe	false		high
https://ca911.backblaze.pet/api/clientversion.xml	bzdoinstall.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ca101.backblaze.xyz/api/clientversion.xml	bzdoinstall.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.backblaze.com/forgot_password.htmhttps://www.backblaze.xyz/forgot_password.htmhttps://ww	bzrestore.exe	false		high
https://api.backblazeb2.com	bzdownloader.exe, bzrestore.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.backblaze.comAn	bzdoinstall.exe	false	Avira URL Cloud: safe	unknown
https://ca000.backblaze.com/api/clientversion.xmlsi	bztransmit.exe, 00000003.00000003.1075079166.0000000001335000.00000004.00000020.00020000.00000000.sdmp, bztransmit.exe, 00000003.00000002.1076101078.0000000001335000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ca000.backblaze.com-	bztransmit.exe, 00000007.00000002.1083178162.0000000001526000.00000004.00000020.00020000.00000000.sdmp, bztransmit.exe, 00000007.00000003.1082277723.0000000001523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://secure.backblaze.com/bzapp_web_assets/public/css/main.css	bzdoinstall.exe, bzdownloader.exe	false		high
https://ca000.backblaze.com/	bzbuitray.exe, bzdoinstall.exe, bzdownloader.exe, bzfilelist.exe, bzfilelist64.exe	false		high
https://ca000.backblaze.com/api/clientversion.xmlC:	bztransmit.exe, 00000003.00000002.1075956112.00000000012FE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.backblaze.com	bzbui_interface.xml, bzdoinstall.exe	false		high
https://www.backblaze.pet/forgot_password.htm	bzrestore.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.153.233.8	ca-000-0000.backblaze.com	United States		32354	UNWIREDUS	false
104.153.233.9	ca-001-0000.backblaze.com	United States		32354	UNWIREDUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1409718
Start date and time:	2024-03-15 16:56:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	install_backblaze_bbec75b7f971c02a0.exe
Detection:	SUS
Classification:	sus36.winEXE@12/68@2/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNWIREDUS	Voicemail - 6737878.htm	Get hash	malicious	HTMLPhisher	Browse	206.190.208.254
	05E9WsH93Q.elf	Get hash	malicious	Unknown	Browse	206.190.211.69
	Fax 00538471_pdf.html	Get hash	malicious	HTMLPhisher	Browse	206.190.208.254
	cWMnDWBnyQ.xlsx	Get hash	malicious	Unknown	Browse	206.190.215.254
	cWMnDWBnyQ.xlsx	Get hash	malicious	Unknown	Browse	206.190.215.254
	HsYyj0GT5p	Get hash	malicious	Mirai	Browse	104.153.236.212
	Fax-Rec'd - EFT Remittance - Doc -Monday, December 13, 2021-5557.htm	Get hash	malicious	HTMLPhisher	Browse	206.190.208.254
	Fax-Rec'd - EFT Remittance - Doc -Wednesday, November 10, 2021-9678.htm	Get hash	malicious	HTMLPhisher	Browse	206.190.208.254
	Alan W. Karpinski, P.C..xlsx	Get hash	malicious	HTMLPhisher	Browse	206.190.215.254
	New Enclosed Proposal Invitation.html	Get hash	malicious	HTMLPhisher	Browse	206.190.215.254
UNWIREDUS	Voicemail - 6737878.htm	Get hash	malicious	HTMLPhisher	Browse	206.190.208.254
	05E9WsH93Q.elf	Get hash	malicious	Unknown	Browse	206.190.211.69
	Fax 00538471_pdf.html	Get hash	malicious	HTMLPhisher	Browse	206.190.208.254
	cWMnDWBnyQ.xlsx	Get hash	malicious	Unknown	Browse	206.190.215.254
	cWMnDWBnyQ.xlsx	Get hash	malicious	Unknown	Browse	206.190.215.254
	HsYyj0GT5p	Get hash	malicious	Mirai	Browse	104.153.236.212
	Fax-Rec'd - EFT Remittance - Doc -Monday, December 13, 2021-5557.htm	Get hash	malicious	HTMLPhisher	Browse	206.190.208.254
	Fax-Rec'd - EFT Remittance - Doc -Wednesday, November 10, 2021-9678.htm	Get hash	malicious	HTMLPhisher	Browse	206.190.208.254
	Alan W. Karpinski, P.C..xlsx	Get hash	malicious	HTMLPhisher	Browse	206.190.215.254
	New Enclosed Proposal Invitation.html	Get hash	malicious	HTMLPhisher	Browse	206.190.215.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bd0bf25947d4a37404f0424edf4db9ad	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	104.153.233.8 104.153.233.9
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	104.153.233.8 104.153.233.9
	SecuriteInfo.com.Win64.MalwareX-gen.31381.20021.exe	Get hash	malicious	Unknown	Browse	104.153.233.8 104.153.233.9
	SecuriteInfo.com.Win64.MalwareX-gen.32147.15984.exe	Get hash	malicious	Unknown	Browse	104.153.233.8 104.153.233.9
	file.exe	Get hash	malicious	MicroClip	Browse	104.153.233.8 104.153.233.9
	infected.zip	Get hash	malicious	Unknown	Browse	104.153.233.8 104.153.233.9
	SecuriteInfo.com.W64.Trojan.GKA.gen.Eldorado.9795.9321.exe	Get hash	malicious	Unknown	Browse	104.153.233.8 104.153.233.9
	uNa2pw53jv.hta	Get hash	malicious	Unknown	Browse	104.153.233.8 104.153.233.9
	s9TxGkesMo.exe	Get hash	malicious	Unknown	Browse	104.153.233.8 104.153.233.9
	happy new year.png.lnk	Get hash	malicious	Unknown	Browse	104.153.233.8 104.153.233.9

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\VC_redist.x86.exe	DownloadManager_21_2_1_1_JaltestUS.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Backblaze\bzdata\bzlogs\bzdoinstall\bzdoinstall15.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe
File Type:	ASCII text, with very long lines (367), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	6904
Entropy (8bit):	5.141137725361051
Encrypted:	false
SSDEEP:	192:fvB8xLotmT4p2j0ZoiPAl+r8hK3I2n32n32n32n32n32n3yNzPIP7POPbPiPhPxD:50rqLGhxcYjfz
MD5:	25134E9584A581E6B4CB5C1186725692
SHA1:	77BE2485A62624A4A4BA62535B15E72C0159FD55
SHA-256:	121F6787A44B56B62203F9322EA868773015AB0AB470F371205F1CA53FAFE100
SHA-512:	815C9DC29CA2582860A0C2BB4085F5C59C14CA9C552A3E760B89CD06EED70AFEC98432262062D6528A57AF572F6B919E5CD9A9A9748EE0147AE58AFE67FF769E
Malicious:	false
Reputation:	low
Preview:	2024-03-15 14:57:05 0000005724 - .2024-03-15 14:57:05 0000005724 - starting bzdoinstall.2024-03-15 14:57:05 0000005724 - bzdoinstall version=9.0.1.767 called with args : arg0=-doinstall arg1=C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir .2024-03-15 14:57:05 0000005724 - Entering DoInstallFromDirectory, allowGui=TRUE, dir=C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir.2024-03-15 14:57:05 0000005724 - point1.2024-03-15 14:57:05 0000005724 - point2.2024-03-15 14:57:05 0000005724 - point3.2024-03-15 14:57:05 0000005724 - point4.2024-03-15 14:57:05 0000005724 - pointA.2024-03-15 14:57:05 0000005724 - pointB.2.2024-03-15 14:57:05 0000005724 - pointC.2024-03-15 14:57:05 0000005724 - pointD.2024-03-15 14:57:05 0000005724 - pointE.2024-03-15 14:57:05 0000005724 - pointF.2024-03-15 14:57:05 0000005724 - pointF.1.2024-03-15 14:57:05 0000005724 - pointG.2024-03-15 14:57:05 0000005724 - pointH.2024-03-15 14:57:05 0000005724 - pointI.2024-03-15 14:57:05 00000057

C:\ProgramData\Backblaze\bzdata\bzlogs\bztransmit\bztransmit15.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe
File Type:	ASCII text, with very long lines (352)
Category:	modified
Size (bytes):	4087
Entropy (8bit):	5.34991186109066
Encrypted:	false
SSDEEP:	96:fygR8+NXRVD3lk9kYAwK4o9EfnERjBIiD/TQ1:fygR8+NXRVD38kLwKlEfERjBIw/TG
MD5:	45D79A3AFCC3CD4BF83B5DCE294D8AE7
SHA1:	0920E89B38AB8C07D3B8592F37A2DB3DE8C77F1B
SHA-256:	91514D814B9A1C3A118C91CF19547F72D811A010E484860B80647884975EE27C
SHA-512:	8CA048B655BB35F9D15693F547196BADC327B37DD86CB4B3DFBDDA92117381B6FBD44D37D5DB2FE27AE8570C118E3256A6E8961F7AE337C080DDBF86A82A6CC0
Malicious:	false
Reputation:	low
Preview:	2024-03-15 14:57:07 0000005888 - .2024-03-15 14:57:07 0000005888 - bztransmit.cpp:1195 [main()]:.starting bztransmit.2024-03-15 14:57:07 0000005888 - bztransmit_processid=5888, my_bztransmit_version=9.0.1.767, numMBytesStartMemSize=4, called with args: arg1=-fetchurltofile arg2=https://ca000.backblaze.com/api/clientversion.xml arg3=C:\Users\user\AppData\Local\Temp\bzt0315155706_0000001_1930_0005724.txt .2024-03-15 14:57:07 0000005888 - bztransmit.cpp:1528 [main()] ERROR:.BzClientVersionManager::ReadFile - C:\ProgramData\Backblaze\bzdata\bzupdates\clientversion.xml not found.2024-03-15 14:57:07 0000002088 - .2024-03-15 14:57:07 0000002088 - bztransmit.cpp:1195 [main()]:.starting bztransmit.2024-03-15 14:57:07 0000002088 - bztransmit_processid=2088, my_bztransmit_version=9.0.1.767, numMBytesStartMemSize=4, called with args: arg1=-fetchurltofile arg2=https://ca001.backblaze.com/api/clientversion.xml arg3=C:\Users\user\AppData\Local\Temp\bzt0315155706_0000002_6385_0005724.txt .2024-0

C:\ProgramData\Backblaze\bzdata\bzreports\install_history.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	19
Entropy (8bit):	3.3660913291191936
Encrypted:	false
SSDEEP:	3:fbQk:fbQk
MD5:	7FB95037165CBA2CAAE74F7707BB8548
SHA1:	9AE49519F7D50C69E2CC2273CAA95FA897903AE5
SHA-256:	9ADF02654262D39E8E2731445B94D6AA7B6D177DA93F9D0D8841C2DA1C1D440A
SHA-512:	5614A9DB277C17633D37B27D65A0133C74AD11467E48F5DD80655492DCFB8BA66827DE66B6A7EE0F47EA6302207EA1B82D7CD6673198E4868220517C72565AFE
Malicious:	false
Reputation:	low
Preview:	gui_20240315155705.

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\InstallerConfig.xml

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (361), with CRLF line terminators
Category:	dropped
Size (bytes):	114452
Entropy (8bit):	6.020530429080198
Encrypted:	false
SSDEEP:	1536:UucIu8HOSOXtL6RDCXiFioHGPB5/VKPenpqS+pyQZZ102hYwBKtVApVAr6x9UoMl:U4yLkTQp5/V+e8T02hLBKApHnUoMyCfT
MD5:	E98982BC81B82B074D12DE0E1FC99E53
SHA1:	619D8C777A6C224B313933EBB4E0D0B5C6543612
SHA-256:	618969F88E5D5A0DD29805A1437B923737394DA0E244B2A4C9606B23FFF426D2
SHA-512:	0F0DAC703AEFFEAE70E25302F335CA5A344ADC13A839F3F7B29918B457EACF9F5D0BC98B33FFBF1D42B9B17BDC26842ECBE51FAE915547274D060F836F10F77E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<bzinst>..<installertext lang="en_US" .. not_admin_err="This installer must be run as Administrator. Installation Failed." .. operating_system_not_supported="Backblaze has detected that this is a server operating system. This is not supported. However, we would love to have you as a customer for your desktop and notebook computers running Windows Vista, Windows XP, Windows 7, or Mac OS X.".. no_username_with_gui_cmdline_err="You are not allowed to use the -createaccount or -signinaccount command line options with a GUI install, try '-nogui'. Installation Failed." .. could_not_contact_backblaze_datacenter_err="The installer could not communicate with https://www.backblaze.com so installation failed. Fix your internet connection.".. contacted_backblaze_datacenter_other_err="The installer communicated with https://www.backblaze.com but some error occurred so installation failed. Your PREVIOUSLY installed Public/Private keys probably do no

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\InstallerSkin.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 800 x 544
Category:	dropped
Size (bytes):	46329
Entropy (8bit):	7.929793566924125
Encrypted:	false
SSDEEP:	768:6LRwVFkMlIEuvrd9QxKdrcBm40bNLDbXpU8Ud6npxlsPQyh4JRkMPqud5Y++LY:AwVxduvr6kQBr4d3a8UdipxWPQ9+MPqw
MD5:	A3CE91F588DEAF660D57EC1DA5B92A63
SHA1:	A7EF2877B08F427FC60B108C841B4DB702E122A4
SHA-256:	04A2B4893D58766CA0283C01BB80EE0592317743C984DCF46899D5D75543E728
SHA-512:	B2D8195DF3D59B72A6D7BAD589B2FE489B63F2B0924B69C64FE49007DF44740DA09031B5BD20220005BF6C7F16BA130731F2D3ECF579D307BC0532186B1C560A
Malicious:	false
Reputation:	low
Preview:	GIF89a . .......ef{.....3.......SSi..od.`m........$........:;T......')E......BC[.......6....tt...]..o..IIbjj....[\s...~~.....$&.........-.....).....T..?.................................8......nxx.rsz#%>............q...x................qq...,..._.t.....\|\|........8$.RH``w34O............\|\|........K...efm....9.U.zz.....;B......l$5.....-xF8..!........................2>_.......w1............U$I...XXp................Q.%........TJ..........2>]^eXd.mn.OOe......*-.F...`Fz.........kp.NNh..z.~vvv....el.fv.......Fk......z.............:S................y.....ty....W........WAr7/:......lmt....Y=.[...........y\|.......9.ly}.....y.qs.bX.UUn.........,............`^...3N....MZ....]OdTU[.58...m..xy.rw..!=..i......wx....pI].uq.............q.U{r............!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\VC_redist.x86.exe

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14426128
Entropy (8bit):	7.996370711551346
Encrypted:	true
SSDEEP:	393216:4gylp+dkBSuF2SfUfn6M9MlBkEGTPq2KaMgcXaHsky:Kp+Ty2SfUfnpWofMgcKH5y
MD5:	8DAC0E58FDCD659C9DE1715AED297CF2
SHA1:	370583C380C26064885289037380AF7D8D5F4E81
SHA-256:	2DA11E22A276BE85970EAED255DAF3D92AF84E94142EC04252326A882E57303E
SHA-512:	EF9A9430ADE4D511C1514A1EA688871F4B5C010EC886E45D6DF3F3D6D769752F675EAD243E3F1DFD0BB7E48CCD7D085A18484DE3777CC55CAE02B962E384304B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: DownloadManager_21_2_1_1_JaltestUS.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-.}}~.}}~.}}~...~.}}~...~.}}~...~.}}~...~.}}~.}\|~.\|}~...~.}}~...~.}}~.}.~.}}~...~.}}~Rich.}}~........PE..L....S.T.....................6....................@..........................P.......G....@..................................6..@........9..............x>......03.. .......................H/......./..@............................................text............................... ..`.rdata.............................@..@.data....0...`.......:..............@....wixburn8............J..............@..@.tls.................L..............@....rsrc....9.......:...N..............@..@.reloc...D.......F..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\animated_cloud_win_120p.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 214 x 120
Category:	dropped
Size (bytes):	61402
Entropy (8bit):	7.865859459610835
Encrypted:	false
SSDEEP:	1536:kKaZ/T6QBRG0dsg7Z9xHNtA2sbUi/ywjAXoU/Wg36+enIyk9UE2AA7PCSEEaHFrW:kJTvi4sLAPOmAQzkQx4D/
MD5:	DD3AADA7FF4742B1D82AC926ECF844CB
SHA1:	310FED0EFD7F1A657DB523E14307F2A25734C3B2
SHA-256:	2D0C512C5219FE1F38FFDF78366E2AE52ED892A43D47E3501D80F2EAAF896F21
SHA-512:	CF36FF99E8A715838ED3D33EFF62B339DCE5FFC6BE99AA17D61A72416F6EB58F9332939B4D5F9FA8C0BB82737AE8B41DC342D755F416F01B9F88F29B44F1D4BA
Malicious:	false
Reputation:	low
Preview:	GIF89a..x.......ePlgTrkXulYwnZunZvo]nq[wq^st_vu]xvf{zm.{_y.`r...]s.+;.m..MY.^v._x.d..n..Vf.Yn.t..[q.`r.\r.o..9H....N`....Xm.FX.Nb..%.'@.Sh.Xl.Od.G].Mc.]z.n~..........9R.@V.n..~..2H. >.F]..+....."....<T.AY.8R.4Q.......2L....]q.u........Ij.g..(D.c......;.!@....."..?..........?.0S......'..1..8...@Z.Jk..O.;g....).p...-.]q......i...-... A....."...B\|.......=..........<......................Q..... ..%..&......!.9V.....<..!........'..i.....+..R......<.....<........R...!..0...."B.l......=..Q....[t....Hj.......9X.c......?...............@........{............i....................T.......j.......................V.6.................l.........T.............i.................=...............j....'..Y........................{.2..;..z....................t..~....!..NETSCAPE2.0.....!.'GIF resized on https://ezgif.com/resize.!.......,......x........H......\....#J.H....3j.... C..I...(S.\....b.I...8s.....@.....H.*]...P.J.Ju..X..%X...`.z.GP..V.].U.Wy..q.W.n.s.

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\animated_cloud_win_120p_dm.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 214 x 120
Category:	dropped
Size (bytes):	266505
Entropy (8bit):	7.8921648262475745
Encrypted:	false
SSDEEP:	6144:0+5Oolp5XNH14rmsrL3RD9N8b0fUw6HDvD3BUGOe6hpxM5F8D:lYolp5dH+rmsrrRxWb0fUw6HDvD3BUGo
MD5:	80343201CB8C51EABF5D156F7BDB315F
SHA1:	15D4BB8629687C1F6FC7D2BA3B912EDA8766281C
SHA-256:	299B2F51082BE17228E853456A5B8B3841A436AB6B37AC6E55BC99A9EDB78428
SHA-512:	6941F7B47875B022F0353FE4E0B41C430AB7523AED8B4EAE4E5619CEAEF61B72FAAEFFB1F519E33BFC4C352639F4A961EE98943A2B781DA8535D2C02BB01AB2B
Malicious:	false
Reputation:	low
Preview:	GIF89a..x...........................................................................................-..;..'..(..'.... ."".#$.$,!'6(7E..[.!../E(4]#0Y3;D3@E6MI8OW?Vx3@v?N[LZjQ]hWljWskWujXvlYwo[yu\w{\u._wuawxf\|{m...&..3..#..%..$..'.....4.&;.&>.....+..(../..#..'..$..2..1..=..7..:..<.. .."..$..#....,..0..2..?..:..;. ?.<O.#@.G.,H.3L.6O.3N.>V.9Q.8P.<V.?e..G..S..L..J..@..L..K..X..X..X.,I.,L.7X.1L.7Y..g..i..i..j....'g.?d."~.6g.MZ.L_.DZ.Xe.\n.Pf.Uh.Yn.Yo.\r.\s.Mb.J`.J`.Ne.\\|.Wr.`r.Vs.Yu.Nc.Sv.e.\|n........%..4..7..r..p..v..y..b..q..x..u..\|.....\.._..\..`..p..}..q..t..V..}..s........................................................................................................................................_u.."..+..X....~..x.....w.........,..!.$......................!..NETSCAPE2.0.....!.'GIF resized on https://ezgif.com/resize.!.......,......x........H......*\....#J.H....3j.... C..I...(S.\...0cJ.@...8o.....@.n..S@..F.....C.H...J.j..Iy:..`Q.V..j4j.hc..z...p.V.5.].=.

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui.exe

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1883184
Entropy (8bit):	6.494633993879434
Encrypted:	false
SSDEEP:	49152:nfSN1tN3DzUFMkl9ppJ/CLKWJW7uWnysAA8VWcG7Y9jdlqRB:nfSNt3Dk9HEQuWFZ8VEb
MD5:	ECE1E7B975AE00F0CF2E58B3974666E3
SHA1:	D2E2CDD3C15A4ADA4A14F75C7866DBA704568C71
SHA-256:	D7A8D02750F879B3AFAE247FF43794466A89EF6E51FB5A1E9EB9F7A59EFFB97A
SHA-512:	F0B31D177EA8B05F6E96620DFE3AA386243DCBFE16E741F412E58C298A19D88828122B3D2197962261034FEB3DB029C2DEA22494DDA79AA80CA1EABEAA9C7391
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$..........zR..)R..)R..)..!)D..)..#)...)..")p..)...)S..)...(I..)...(...)...(t..)...)P..)...)P..)...)S..)...)M..)R..).~.)...(~..)...(S..)../)S..)R.G)S..)...(S..)RichR..)................PE..L.....e.................t...p......i.............@.......................... ................z.............................H............>..............0,..........P...T...................H...........@............................................text...vr.......t.................. ..`.rdata...v.......x...x..............@..@.data...8........^..................@..._RDATA.. ............N..............@..@.rsrc....>.......@...P..............@..@........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_animation-4x.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 288 x 5000
Category:	dropped
Size (bytes):	35760
Entropy (8bit):	7.985827273657565
Encrypted:	false
SSDEEP:	768:anGkUCLcoFc0GoU9Q2oDIi2yCjJpBRxPSSzPNjAoDH7PanAcx6oh1L:UGkUOcotVyp1zq+HDa4o3
MD5:	05B498AB846CA5AC26D31D5199ABC45F
SHA1:	A13953A8D54B353DDAC2137BEFF9D011730376A2
SHA-256:	F022A43DB9D7E656EC7CD393110AEE1E688A28A16DE5FB4657E4FE01C1C87A3A
SHA-512:	2CCCD4F057EF0BECC0564FFC0BDC78CB925289CA184B3975E1636336D50585444D65E498CE0BC83FE42005DEA6ECB55AC47AD4971F8BA87F31AB1B005986CC87
Malicious:	false
Preview:	GIF89a ............................dz....$A.Ga.............-I. =............Xq...s......2...C]..:.Kd..................Pi.ay.Le....Um...................,G...:U..........4............Tm..........(E........../.5P.......r.......1M...B\.e}.............;U.............z..ez.....%........-.0L.>Y.............6..*.\u.Qj.i.........v..l..{.......\s....m..6Q.......u..y....................<.+G.......i..~..l....Oi...l..............[r.3O...........j........6Q.=X.-H..........l....<U.F`.z........,....`u.}..........q...+...................p.....~..s..\|..y..v. ..'.......................................h.........'................Oh...<W..................3N..........l.................................u...............y..z.....................!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_animation-4x_dm.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 288 x 5000
Category:	dropped
Size (bytes):	20911
Entropy (8bit):	7.964033743546647
Encrypted:	false
SSDEEP:	384:k9mAfSiQKoa1tEb/qGN3aD47/QgpFuGKRSmOzIgMlk0HZql9mIJe:Qfoi1saD4T5pFuxSbzIR2lQ
MD5:	02227567CF3EDC2767140F759A4AEA3D
SHA1:	5BB59827E38D46A174A8D71AC4AAB11C57DC3B21
SHA-256:	166495B4F9102517361B46540B5A12735DA0A3DD090F3A663A49EFAF9A68DAD5
SHA-512:	7B962051A471DC230840BCBD4A4B9613B5D236CCC2F1B723AB56C261599620756F127D7CDBD105A387D2FB0EF72E9D9C8EEBA255BBE7FCA204DCD211A36E4C41
Malicious:	false
Preview:	GIF89a .......... =88Bw(9JJU.C]\\lBBM....-IjYkvv........#>...E5@..2k+;.#6.F[22:..:...ddu.\u}}....UUc...qq..Le...QQ\...yy...4ll~.3KNNY,,4.e}.C.:U...;R...$$...iizsSf.Tm.%A../``q.ay...^.<....5P...N.&....1M.Xq.)E-..{{...8rr..y...6p=N......nn......%.. ........2. jj\|zz..l...-.>YT1>.GajHYL3? &..G}L`.....uu..3O...;;E..<.i....FFQ.+G.;T....AWwex.l.??I....Xo=6A.$:~~..Od.&C.9S.bx...==F.Shffx.7N{{..Jc`IX.......4H....l.xx.6+3.......=Xt^qc.-C-8...T"..>Rzl.{s.ss...:....Md...6#+.........XXg''...,..6...aaj.#?ggs....p.,%-.D]D.)..A......XSc..4............!...,A.........#..).$>. ................p.....~..s..\|..v............'....Pi.........aar.......6Q...........................bbscct....h.99C.Oi..'...^^o."?d^ooo..'D.Oh......44=....4O.......f~ddooas...OAMggx....z.mmx..[:H..+up..z...788@!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_animation.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 72 x 1250
Category:	dropped
Size (bytes):	8298
Entropy (8bit):	7.9146426002051555
Encrypted:	false
SSDEEP:	192:xErJ+OxyN8KHN9/oUu4YJzH9yP4LeBVyCiv3zmVGIAHE9Rcu:xE1byNDAUurzH9yHBLEzeGIhDcu
MD5:	286F84F41EAD9938DF6AE8C62BF914D2
SHA1:	9248AFA6037758AE5BE8FA5B971C2C67A8EBD932
SHA-256:	322D559A83963891C72CAA38FBF8919F6FFD9880C8C3BC9337497C2740DFE4F3
SHA-512:	02990C2C011CD5DB88FB84E2F932C5FCD807FF5E375D8449D9DFBF18DD2B00C6B3D3C3364AFB700301503EA368DEF0E1825FDCFE50A9FBACA4E4B47C1B825672
Malicious:	false
Preview:	GIF89aH..........HV...k.................,...~~...............x9X....fz.Vj.........dzqq.ee.......w...........C\.........dd....mm....aa}............s.."3..........y..Uo...vv..................444.'GbUrqCa......yy..)C.v..]r........(.Tl.;R.............q.\|\|..............gx..7.3K......jLhhh......:...SSq...8V.,D...\|...l.kk....(G**.......`x...tt........`v.........Xq..7....Kd...............7..........!.F`.......Zq.l......g\|V.........)F.:U^^{.)F.....wZu.o..Zn...OOm.Nb.m.............Pi....j]x ......\\x.......................................\\y==^cc~......[]y.........oo.]]y....\]y``{.......Ne.}.[Xu.\|.ww........Sk......uu.WWW...y.....ss.su....ya{p~........g{........`s..........B\..ga\|.......{.......fOmwOk...y...............QQo...jg........G`uw..0N.........!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_interface.xml

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (640), with CRLF line terminators
Category:	dropped
Size (bytes):	552598
Entropy (8bit):	6.092279065991559
Encrypted:	false
SSDEEP:	12288:xTm4+gJuAzNkE8m0/2tl4IeBhfdzMDcoszt2bv:U4+gJhKE8A
MD5:	602A0723A36338505DE0369B29526936
SHA1:	A071B14CD9305D55AE7E35049777A178FBDFBE18
SHA-256:	22E262DD3AA1A6E109B240177FD450370121A41008097BC167DEF008477D6BF9
SHA-512:	5630C87F7F8C373C69E2556E041150A985ED9E49C55F9BF0F20D78DA67FF864A1158F54BC2DA5EA582F823F839F2F739FE27BBE9E6BC24B91AE3539D913C8CEE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<bzinterface>..<bzbui_text lang="en_US" .. TrayMenuItem_BackblazeControlPanel="Backblaze Control Panel...".. MenuBarItem_BackblazePreferences="Backblaze Preferences..." .. TrayMenuItem_Help="Help..." .. TrayMenuItem_CheckForUpdates="Check For Updates..." .. TrayMenuItem_About="About..." .. TrayMenuItem_Quit="Quit" .. TrayMenuItem_Inherit="Inherit Backup State...".. AboutDialog_Caption="About Backblaze".. AboutDialog_Version="Version: %BZ_VERSION_STR% (%BZ_BUILD_STR%)".. AboutDialog_MainText="Backblaze online backup protects your photos, music, and other documents. For help or more information, visit http://www.backblaze.com".. SignInBadUsernamePassword="The username or password was incorrect, please try again.".. SignInCouldNotReachDatacenter="The Backblaze datacenter was unreachable, please check your Internet connection and try again.".. CreateAccountInvalidEmailAddress="Create Account failed. The email address is not valid."..

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore-4x.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 1128 x 752
Category:	dropped
Size (bytes):	23101
Entropy (8bit):	7.927851774319565
Encrypted:	false
SSDEEP:	384:F12plxNT/ES+yU5qfXe2pMPyTCBrvb61SdCXBx7LYOaB3jiFy9f:F+ZwSdWqfXe2aymBrWKCf7LYOi38yZ
MD5:	5B443284DCEB209344D32E44CFBD313F
SHA1:	1EEFD674AA8C664CCA0BD54998AF7FB1775DE61D
SHA-256:	418663CB43E9E578BDA9F9DEF8910FEA0963D45BF0165E93B17155AACC9C0EF6
SHA-512:	5877928D94F94C1EEE5730663523933658358866E9656CFDCF1334A23A8EC5B8D3B7C2B0F052C850BB9D700C3E49887B55F77AB11547F36866556291C54DA167
Malicious:	false
Preview:	GIF89ah..........................5.................................................Tj..........)D.................................1K............9R.........l~.z..............................*.D[...................................>V......Lc......r..............................................................!=...............`t..........[p....................../.....fy..%.......n.........................................................................................................................................................................................................................................................'...............................&...................................................w...............!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore-4x_dm.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 1128 x 752
Category:	dropped
Size (bytes):	22817
Entropy (8bit):	7.940209148622259
Encrypted:	false
SSDEEP:	384:QhuTpi56r95imZZEwjNTbm+Gp/4SD6AdPGyTLGgw8c1uxDC1b8+oeB:WuTjbxTK14a6++yTLGT/B
MD5:	DBBA97300E6B2E986E1ED1F0019C76E8
SHA1:	0BA139A2DEAFC77B44987B50B928DDB146B364AD
SHA-256:	83BFB09C68A26AE4A956A063165741A0FE96E688FEF17B4DDBEFC6555EEA02EC
SHA-512:	2AAF95E12A2E22A72D76A9F50774663C76EBCB57D0AC532C813143662CB3738567BEA070E83BD2C22538A6E4CD6675C739FB16F898F7FF3928CCC1D71EE39732
Malicious:	false
Preview:	GIF89ah.........V......2K........#...........%.Tj..................XXhxx....##)qq.......::D......SSa``q......uu.22;................++3....~.................2.....................................}}.... ...........................MMZ..........5...@@Ki..hhz\\l.................nn........................z.........i\|...EEP............{{.ii\|................HHUddv......... ................)PP^............BY......ffx.....................................................ll~....$@.............................................................................................................................................................................................bbs......VVe...................'__o...........................................!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 282 x 188
Category:	dropped
Size (bytes):	7711
Entropy (8bit):	7.814562502371301
Encrypted:	false
SSDEEP:	192:CQdZb1CAonLqmwurMBZxyYkiQ4HZRTB+yoBcLqQ:C0BAx2TYeZxyYm4HHTQyoKGQ
MD5:	582B5863D1F645C572A6F0221B3AC4F2
SHA1:	0B3A953E401B04A62F6A2B7F1D729A6687DA04EB
SHA-256:	963AFB7321D2EA8CAF351F8812E03E0FE13A05014A2E78B2815F828DF02ED5F6
SHA-512:	19B8F5E4A7EE8E80041AE699645D76198DCA2598E4DFBFA2F6A48FF81C43A9AB0E301B997782C138BC02673C38F0F57B37AD33EFC9650AB737AD92B5149F6017
Malicious:	false
Preview:	GIF89a.....................yy......8.....%.(A..............\|\|....uu........................................Wi............zz........................................{...&......'B...............................................zz...........................Qg..........I]....................................&. =..........................4L.iw..................~~...................../..........?U....y.........................xx................l....................."......rr.... .....'........+..............ss............~~....~~.}}......................................................................................................{{.}~.....................'....................................................................@X..>......!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore_arrow.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 660 x 564
Category:	dropped
Size (bytes):	40860
Entropy (8bit):	7.974325155960172
Encrypted:	false
SSDEEP:	768:RvV4j+tNgslRWFTARKbyn+MxK0Gd4zMCDp2tnGjiklTVj2ej+Uf:Rd4KfFkYK4+MxKVu88nlB26H
MD5:	FA93A9EA22943D4885D03CB60F401121
SHA1:	02872CF934F34E555DCC608958A0A2A5EE88176A
SHA-256:	91740C87E7364E2F8ACED911026307A59A566BCB0A2E8A727CCBF5816F7FECE3
SHA-512:	44BC5101A11AA117ED94805C0BF16E3F781979F695F76B54A96A7B8F97732B42A1591BA95FBE63C258E8A92D4ECA1A504CA5385FAA178D8213E650E53A76D65B
Malicious:	false
Preview:	GIF89a..4.`..!..Created with GIMP..!.......,......4.......3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.........3..3.33.f3..3..3..3+.3+33+f3+.3+.3+.3U.3U33Uf3U.3U.3U.3..3.33.f3..3..3..3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f+.f+3f+ff+.f+.f+.fU.fU3fUffU.fU.fU.f..f.3f.ff..f..f..f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........+..+3.+f.+..+.+..U..U3.Uf.U..U.U......3..f.............3..f.............3..f............3..f.............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U....3.f.........3.f...........3..f.............3..f..............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f...........................H......\....#J.H....3j.... C..I...(S.\...0c.I...8s.....@...J...H.]...P.J.J...X.j....`..K...h.]...p..K...x..........L.....+^....#K.L....3Hk..

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore_arrow_dm.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 660 x 564
Category:	dropped
Size (bytes):	40990
Entropy (8bit):	7.974698356429523
Encrypted:	false
SSDEEP:	768:RSV4jhGe5hkCtroghVt/XBkkFx0eU5hvi3B0xynBTktBg999Yj:RU4sejkCaoVt/Xh3Is3B0sBTmg9Aj
MD5:	0008C1E4B17C16324BE10B5157BECC52
SHA1:	A5DFA279B593FF17C30168B8219342D15D4977A2
SHA-256:	A0FB5AC9CDCCAE7BD038DCFA592ABA6CFD9D25C8D54A31219664CEB57F975D63
SHA-512:	77F92111FDD7B3D7CEC582099E270A7D2205B749D9D84C928EB08A7BFA2AC50ADC31DE726303DD9CC5FCD780265FBFA4F4FA209AC754B02E2A245213C0BF2F68
Malicious:	false
Preview:	GIF89a..4.`..!..Created with GIMP..!.......,......4.......3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.........3..3.33.f3..3..3..3+.3+33+f3+.3+.3+.3U.3U33Uf3U.3U.3U.3..3.33.f3..3..3..3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f+.f+3f+ff+.f+.f+.fU.fU3fUffU.fU.fU.f..f.3f.ff..f..f..f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........+..+3.+f.+..+.+..U..U3.Uf.U..U.U......3..f.............3..f.............3..f............3..f.............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U....3.f.........3.f...........3..f.............3..f..............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f...........................H......\....#J.H....3j.... C..I...(S.\...0c.I...8s.....@...J...H.]...P.J.J...X.j....`..K...h.]...p..K...x..........L.....+^....#K.L....3Hk..

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore_opt_app.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 108 x 108
Category:	dropped
Size (bytes):	2797
Entropy (8bit):	7.306317557809903
Encrypted:	false
SSDEEP:	48:EWU+udYG74qA/5mRN+fFPoupn4/PBBwrb0QowO0v8ZhB/nn:EWU+uyGiobCPjpuB+b0rw2
MD5:	57E12A8339CA174F2C58403CA098DA25
SHA1:	C02582F4535889AA48CCC038AB6C15BABB566BEC
SHA-256:	041C8267A31BBB881B1A70F201BE9C1EC4CDFB510FED4E1FA3A123BCF9C3D17A
SHA-512:	FC1F5D01A77FF45339110077D77466CB4639E26F842AD5D0D8D1A8374D5C178945449A4CCF6D09EC1429357C5379A3D7B9D024EFBD53007A145402C619A5DFA2
Malicious:	false
Preview:	GIF89al.l.........3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.........3..3.33.f3..3..3..3+.3+33+f3+.3+.3+.3U.3U33Uf3U.3U.3U.3..3.33.f3..3..3..3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f+.f+3f+ff+.f+.f+.fU.fU3fUffU.fU.fU.f..f.3f.ff..f..f..f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........+..+3.+f.+..+.+..U..U3.Uf.U..U.U......3..f.............3..f.............3..f............3..f.............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U....3.f.........3.f...........3..f.............3..f..............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.....................!.......,....l.l........H......*\....#J.H....3j..........I..rw...a.Rec.&.z.P.Zi.g.z....D.Bg.]....iJ.JeX...i<.jEX....[....3.X.N..=...Z.N..};.^.iX.U.).......Lx._M....kv ..#K&.7.A...h......L.8(.v..i.,z...

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore_opt_app_dm.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 108 x 108
Category:	dropped
Size (bytes):	3189
Entropy (8bit):	7.419888792315945
Encrypted:	false
SSDEEP:	96:EWU+uyGGVYFOpn2y+hRBdr8bJHwbsgcVEID:E7yGGbAy+hzdq5eS
MD5:	165C400CD07D0B5C09A25F3E019DB56E
SHA1:	6ABDC6448562AA880C976C80D1D1484505E38FD0
SHA-256:	33085B65A127FE15FC907ECD62B53D521522BF9C00531288700EDFA52CF48750
SHA-512:	D1ACBCDF1731267094632F9B8A885C662C6F0D3BB31B7F1F54DAC3BBF6AAC101F2115E5BB84EAF6CA2F44474D1DE6B5CE6328160A981BCB47B42E8E4AD036BE9
Malicious:	false
Preview:	GIF89al.l.........3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.........3..3.33.f3..3..3..3+.3+33+f3+.3+.3+.3U.3U33Uf3U.3U.3U.3..3.33.f3..3..3..3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f+.f+3f+ff+.f+.f+.fU.fU3fUffU.fU.fU.f..f.3f.ff..f..f..f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........+..+3.+f.+..+.+..U..U3.Uf.U..U.U......3..f.............3..f.............3..f............3..f.............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U....3.f.........3.f...........3..f.............3..f..............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.....................!.......,....l.l........H......\....#J.H....3j.B.. +.I..J.(....j.I.)c...'UKT0e....f?9w..HE..C.Z.2..J.:d.t...R.&.......L...Y..~.5..e..@...H..S.s.....`......L.0`.8b..;.....o..a.....q...fsg.C.......q,~.m.a.

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore_opt_zip.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 108 x 108
Category:	dropped
Size (bytes):	2845
Entropy (8bit):	7.354036868879989
Encrypted:	false
SSDEEP:	48:EWU+udYG74qA/5mGeQhzNwcGfiJnt4WkDLuYj4gTTb8YXJGHhYLw7DwRB2e:EWU+uyGioGeyNRIduYjln8YcHGLwvOBR
MD5:	3DB303C72B533BF42E2E8F7CDAA8CA95
SHA1:	712EAD637BBC6FB6EFB1BD15E9D401658B20489F
SHA-256:	62CCFD5E63D3F6FE0A66222AC391D53E4C173EF4D584995CBFB14017F8501A73
SHA-512:	11ABE6958B862128F03FB68B8E94BA75AE3E30556592D5D4AF3038596CB80471AA5EB31B0D2582A4A515D440BF6B82EF1DECAE5F3E643D0D820377073276CC14
Malicious:	false
Preview:	GIF89al.l.........3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.........3..3.33.f3..3..3..3+.3+33+f3+.3+.3+.3U.3U33Uf3U.3U.3U.3..3.33.f3..3..3..3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f+.f+3f+ff+.f+.f+.fU.fU3fUffU.fU.fU.f..f.3f.ff..f..f..f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........+..+3.+f.+..+.+..U..U3.Uf.U..U.U......3..f.............3..f.............3..f............3..f.............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U....3.f.........3.f...........3..f.............3..f..............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.....................!.......,....l.l........H......\....#J.H....3j.... C..I. .L.R.\..K.(......48s...g.I.d..,..H.]...4.2..j..Q.5k..u+W._.y..T...i.J.fH.I....v..z$.)=;.b.4...5..h.}...kwfQJm....X..4..7...q..f.i...e.n...z.2.F

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore_opt_zip_dm.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 108 x 108
Category:	dropped
Size (bytes):	2959
Entropy (8bit):	7.3602753786516555
Encrypted:	false
SSDEEP:	48:EWU+udYG74qAGm0sS7+ntx5undACqZKSsPsgZoAepcPAOHIfU8nCPeJEfLb:EWU+uyGS0sSmtx5ysrsPsOoAepmqvCPH
MD5:	4536C383FC2C1DC44BF6BC8AEA66122E
SHA1:	C42D72843794CF24AE322E9A4C8F6D674400812C
SHA-256:	4A98235338785B8FD9A6380CB8A0954129D8B75F527B58E410DA02BCD4D1B247
SHA-512:	9382AA7B5B51F0C374D4966F23EBC108250BA65D4914488DA2596144F577F4E3657FBD2AF2697CF21C877110B4603F39D5112C66F924F3475D5C9E36A3AA965C
Malicious:	false
Preview:	GIF89al.l.........3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.........3..3.33.f3..3..3..3+.3+33+f3+.3+.3+.3U.3U33Uf3U.3U.3U.3..3.33.f3..3..3..3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f+.f+3f+ff+.f+.f+.fU.fU3fUffU.fU.fU.f..f.3f.ff..f..f..f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........+..+3.+f.+..+.+..U..U3.Uf.U..U.U......3..f.............3..f.............3..f............3..f.............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U....3.f.........3.f...........3..f.............3..f..............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.....................!.......,....l.l........H......\....#J.H....3j.... C.\....(S.\YR...b..$...8o..3.$1.?..#f.M.3.M....N..8.t#.F.j..+W.8bT.Xtf&eh..K.v-[.o..e.I.S.c+...T..}....L..`ev...#6...}...Ly.2.F.Pu.1..L.+...,.$M.i...PF.I.

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_bg-4x.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 3320 x 2212
Category:	dropped
Size (bytes):	245338
Entropy (8bit):	7.994521419396493
Encrypted:	true
SSDEEP:	6144:f6FARNgWfJuXtlLJdGhsYaMNo3y3yLOYMhnFq+W2IE7bBK:kARertlGhs9Oiy3TY0W25hK
MD5:	4E75C99A0DF6EE8CF4085AAD7CE3AF77
SHA1:	A81686B143B0C06AC58578B13EC86D1DD7491AF8
SHA-256:	B0E476DCB7862970101FC654C781AA28DE2C0B8338D3488D23FB1AD433F05547
SHA-512:	4D8C20AA44D28B5FC04CD717547076A970CC902BEBF043353250A2ED265219538F7278BE4BFC93C21969EF5EE507945240D710F292A122DE16D83DC5BA84FD46
Malicious:	false
Preview:	GIF89a..................%....Nd....q.CBd...........;:\......33TKJl++L.....M.f"#C.....<.............3..........7PY.u..............................................q.............4...HGi.................................................[t...........3............@?a.........FDg.........o...4P...._s...65W............................>=_..9............-.N...................%@.....1..........................................,...z..................................................................................................lw...........#@.........../...... !A......88Y..6...%&F......()I.....................................................>00Q................................................................................................................!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_bg-4x_dm.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 3320 x 2212
Category:	dropped
Size (bytes):	81782
Entropy (8bit):	7.987107001549854
Encrypted:	false
SSDEEP:	1536:d6eTuTFAlUkTaCyQJw9LtfYNb4Zi1MUqWPe8k8G1KvW:d1l2kTzyQotgwi6jQY1Ke
MD5:	B4C4335390ABE739E3D9698675E4FDB5
SHA1:	F23ABED958BC6909CE08AB9FC079E378DB36A524
SHA-256:	34D604A74D3046657776B5C59CC46459CA82D4389E3EDD3584C468084578C77D
SHA-512:	1DB590405E78EF148AD0A8770215781EFF3E04D11EBA9C1C3FAFA105EA22EDDA9FDE868FC779E232BEC859CBCC461CF4C626E1E4ADBA9DB3AE979F78020F7A65
Malicious:	false
Preview:	GIF89a................f.$...XXd(((...226...kkk.......Ti77>...L.X...HHR....}\|....0.K..3.t......iiz..%..+SS^&&&......dds......z..AAK...................4.4P................dw.....&...GgQ.............%......q..)Dqq........2H.....1...............>SE...uu......&@@@yy.......'.;.....$.........AO..........F].......<TMMW.......Uk..)........3nn......+...hFI......FFQ...,,-.......3L@vN...aaq<..............S>@......- &%%+.$=................cddvtx...6\?......ffw.....i~.Zs...DEF. <..!......==E.IR.%7...*-MKn.1<\Zd......KLL..-...........4......m.w...lll......lorggh.................'.....@............C#& #...!%#GJP...""#BCb.....................'''..............................................^^m+'&........................jj}iiiHIfghk...hjl.bx..GHf...o`o......WEN......!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_bg.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 830 x 553
Category:	dropped
Size (bytes):	46691
Entropy (8bit):	7.986446881503933
Encrypted:	false
SSDEEP:	768:Q86e8is3aZsXOcs2riGWvpQuSBu/LRsW5DOORy67OYBunzSdU/moK4DMa9kWPQev:QatcksecPHn/u/5wOA67O8gz2U+4wadD
MD5:	3782AE3B83250B21DB16455022D1B74D
SHA1:	F7CD150E60CD4DB42C12082F227FDA7DBD113ED1
SHA-256:	9A07D871789105F1BCC3BCCB00DC6A4D279A68D8E693D21FC0A48E241E071E23
SHA-512:	CE3D71EE82F27B0B019F9F7832BACEC4D80C1DCA9D5019163E2B5DDC28A9BF1CFF8AC86D7A78C55BEEFF6C6C2B4E863DEFA4E110F7B30F4FFB6FDBBD717C5DCD
Malicious:	false
Preview:	GIF89a>.)....JHk..........................Zo..2yy.76X................Xr.....t......''H.......................%.....................{.....................................9Q...X.r......Lf......................................................................s.............6.........}..........................................................%?.................8...........+......BAc.>Y...........................................................,,M.....................<;].......................................................................................................................................!"B......................"?..<.................................11R......................................................................!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_bg_new-4x.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 3854 x 2800
Category:	dropped
Size (bytes):	98621
Entropy (8bit):	7.993502836197324
Encrypted:	true
SSDEEP:	3072:0EwcXJsFy/CIkHv+H2FGRw968DX47xlu9MHCz:VjJN/CIO2H2FF9HDo7xluKCz
MD5:	93DE0959FBBC980F8489AC639094B8AA
SHA1:	AF1F6D009D198DDB2E9641F73F63E99E6A7004F1
SHA-256:	4276AE2134375F8D12E4B4E3CA917063404AC15950835A0647027AE1CF811C72
SHA-512:	6058AF140DE758CB943E3C8752F4DBF234FBB333D268E3D967F896549716A992E9AD155C75F87977DDF5480620A5681753A2F7097A6F55118105CA8186A2DAFB
Malicious:	false
Preview:	GIF89a........2K............Rg..........................h.r.....t.....^q.cu...O.[...LJm..)..............--N...10R...)J...55V..3(.6%%F..(.........!!BHFi99Z..>.......BX.........9...=<^.....)........A@b...EDf..6...DBe...IHj.q........2.....3........$?.................5.C.........v........@>a................GEh...............KIl...[.f...BAc...4P................BT...........76X22S.............................;:\......>=_..8........4.......EZ.....<..O.....0........................ :....................................G.........................../........3.... @<;]++L......87Y..7#$D...&'G...((I..."#C33T..;...................?//P,,M..........................................................................B.N.............................%......!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.1-c000 79.9ccc4de93, 2022/03/14-14:07:22 "> <rdf:RDF xmlns:rdf="http://www.w3.org/

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_bg_new-4x_dm.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 3854 x 2800
Category:	dropped
Size (bytes):	81325
Entropy (8bit):	7.99012709466915
Encrypted:	true
SSDEEP:	1536:CriRlZLAKrFAetAVb/xIQG/z+MpVckMG4cfpyoSS6BRDzrM2wm6UJ4:GyXLAZei1/xIx6a/MGxkBDvMhm6Ue
MD5:	FA686036C9302DAFDC1E81A1035FCB62
SHA1:	E309989BAB3E590AE524F3958423138D333DAEB3
SHA-256:	D4C34E1FBBFF225C11ABF11B5D5D9423B68A2744260296DDEDAD28F686968637
SHA-512:	4FCB35BFCBACE0E1B1A8497B030530667471022483F8190CDA0C48257B0878DD97C00BF8BD7878754B8AC65200091699F952B09A9B39A4B4FC81C43E4DB44300
Malicious:	false
Preview:	GIF89a............)....t....jj}.lq....gy....-........................(((qq....99C.....3bbs.......Th222......#QQ\.DZ.......s.........)@@K......uu.......[[k......D.{.."<........???xx..5OEEE.....................mm..4L33<.q.... &...................d.TTbJ..\|\|.....V.xxy.........fff,,3................HHU.<S...n....!MMZ...........~~....EEQ##...........3zz..............jUX...................Ma.......K..ai...........O\....Zs..........................Vc.......... ........^p.........................MKnMMM......((/XXe....?.........8eew............547...--....ej...lor.........*G...............007..-....~.SGH//0................................................:89.........__p...333MCD..........................76;__f...........~~~hhz...............$$$..%...!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.1-c000 79.9ccc4de93, 2022/03/14-14:07:22 "> <rdf:RDF xmlns:rdf="http://www.w3.org/

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_computer.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 84 x 78
Category:	dropped
Size (bytes):	3216
Entropy (8bit):	7.6792012065826425
Encrypted:	false
SSDEEP:	48:Fc13n0UBFpwCxbQbDjeLvnLt390J3Qxy3HhL8rmb0CkAXZvtRrHaCSLNlcD6yAXC:Fcbpwm0CfuxtbFbdWCsUD6fCx2y
MD5:	0347BC6F20C62C8A8AE3C2FEF6552502
SHA1:	9E7D3CF738B760DDA6070185187A8BD896EA7E48
SHA-256:	D4A1B733A8A2CE80C7809DFD85EADE57FC9A01B05FEDB2613A4C7FCC2792DF3C
SHA-512:	F674EB7848B532A31731CD834979296E465D6C55735E43393978C2F784B10A2DF025A6FCEB5285B516EEA8734866BFF986F75D0B82372BB9046604F86284C298
Malicious:	false
Preview:	GIF89aT.N..........................~~............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_langmenu-4x.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 1012 x 1012
Category:	dropped
Size (bytes):	96795
Entropy (8bit):	7.9777529499826345
Encrypted:	false
SSDEEP:	1536:Rjmrs2RHhx7jHtMakIlVt3zjpD9wI/xS/EzDtAplxCY5jUGBk/CjE7Kk92GzbsXE:B2s0HD7eakuHw+AplYg9BfEV9KpC
MD5:	FD00BD7AD227C542CF700F13526BEC1B
SHA1:	420454E5AA30251D299F598CFAB0DC2DB26B37B6
SHA-256:	37CF04A8A058F75D7E170073689FDD675FD7284159DF319C3AD18CB260C4FF2B
SHA-512:	65486DDBC77657698E043FE8AE63BB2E1868623D7379E380BB329DB60A0B9FF70A7FD842E6A8B53DA0C6996303F6EB9B532A9B22E047DA38BA03F9D47DA8C0FC
Malicious:	false
Preview:	GIF89a........................yz..........<....tt\|(((..........L........UP.....4..........F4O.....B..........2<]...4....KKK.......(......M..?..7..........7%On......2:.q.77......HLx...&..............1..53...........U........A{...,......."..C'.(..Cj.C...d.-..6o>F.RU..l..F...P.j'.y).S....e...R....<@t....2%.U........(..4....(1.(......-g....my...G....$.i3g.{...!..........O............0..`.2F.--......___..............1..1.........1/.$@....=....>V...2....v8...Hhn.$,........$.......X........;!.%....p.../........._b.....$1.D...(........../......5..../.^........?.!.%.................................&.>.....(...................<^..6.....&.......y<]n.^.......L.....[........us.............................. .g...........:::.......M................!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_langmenu-4x_dm.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 1012 x 1012
Category:	dropped
Size (bytes):	115374
Entropy (8bit):	7.983336257684616
Encrypted:	false
SSDEEP:	3072:djZvuo2c4Um/sMrEiCGx8DR1cz5fCm7bdAJfxrPEp:lIZJ/kmGV1cz5fB75x
MD5:	B435A8E5B93D02A9B26F71D6839EAEBA
SHA1:	D5E48CE56363A52427A1F420A63F6F98C6662B38
SHA-256:	E44F536F21D121F7DE196ED48224938C45B8A367D866212B434FC77757286972
SHA-512:	18DA0DF4229CAF146422B201881E667D46756878F292D5F6045407C6A9E7B4890EAD5B539D3A1B0E69504F40541642A4A1F6977A027AD85D7192D658D2F64BA7
Malicious:	false
Preview:	GIF89a..............\|'..x....xxx..0.-#.'..K888w--2Oo.)..46]d...L.Z-.............e5zi.$$$444....5g.<.......\^....VP...aaa.!]......f..KQx(((-Q.'9f....B.......0<.3..'.03N.L.........?..6........V.:#ZZ[.v..18.o............&..0..63}JS3GFy..Y.............!..D.m.q....'..,..._.!.;D{....Pu........Y...R..2._; .O,fBPfq...'....w\|..3AE^QQM...+g....l!........,!........_ei\|]%2.,,.<F. .MMM.,+."@............\|6".....'.4.0-..2.......!....X....PN...}...,/.......n..O$..Zgzv.........v-................5.f}g...EEE.rPAAA..]...]_t.C........... .<....UUU.8.KU?...($(mmm...,,,>^._i4.O..\.Ag QQQ...III.........iiiUUQ.........EEAYUU...000JID$($......$((......(($MMI...UQQ..........*.4...Ab.........LN^.....h......($$844...,0,a..488QSb$$(........<>R...;JG.noppw.~f.#1A0>VXe....-....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_langmenu.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 253 x 253
Category:	dropped
Size (bytes):	19605
Entropy (8bit):	7.931569658749097
Encrypted:	false
SSDEEP:	384:bxS+UVHJM7tlvI4kbd5RFYhXm81+59mkQ4ZzupiDYXGzvDOedvJ:b03VpMvIdop3AHQ63DOsR
MD5:	111169EA8D294B8989CEFE2347718E01
SHA1:	1F935743CB64A1DDD11D52CBF613CF15B12C27C4
SHA-256:	2F30A922842D18CFDDEC9E3D745A253D5FCB4CB8ECBE4C96594DF6AD2D16FF29
SHA-512:	E7B6DCA44AADF8B867FD3ED8625E77839393DC1416B27D7866CE70FD5465756646783BDC76D6A363ADD8089C8F6D5C39BD8305DECAB3A6765F6D3E36B55E139B
Malicious:	false
Preview:	GIF89a.............QUc....L........F.Od.......>_...........^npqy..........!9+-5-2D...n......................................yyy..................EFQ...tu}...................&G......cem.................y\|.Y[e...wy................QRZ}~......+.....&.b............................cfo.............Yc.*5...........mo{.............x...hix............................A..o............}.............Y......>.C................Z\......e~............U............!6..........k.p<.B...............oll.....\|.\|}.........4mQl.......v.....$........;=Tz..........................32...........;K...i..<x.....{....qM[]g........h.q;QLO..\|\|\|......g..................................gw.......NTb..........................z{....mmvpr~.......................\|........egp..........!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_langmenu_new-4x.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 1012 x 1012
Category:	dropped
Size (bytes):	67487
Entropy (8bit):	7.963852396744452
Encrypted:	false
SSDEEP:	1536:B0YOeepHhRB+IVJUYCQyoE/ACMb3hKb10L73n4nag//87:BvOrHhOLQ0/v23hKyA3/w
MD5:	9795D6C4B7CE1870D945D7C47712928E
SHA1:	128C43322ADE9063877A4F80835E2F6529630D96
SHA-256:	71EBCE0D2118E82041E37CC5ADA7847E1C3310ACE80468D93C81D60D2C0FCAA2
SHA-512:	A933F65FB3D938718150FE6377FD5A8FBE284986A96DB67E4445505774E269E0CE65F1892D0AD95CD59275C6E248826F0716C1C55FA0FC04D19EBD1D1D3A7783
Malicious:	false
Preview:	GIF89a.............tu}..............................................................xy....................}~.............................................................................................................................................................................................}~.\|}....................................................................................................................................................................uv~....................................................wx........................................................................................uv}...........................................................................\|\|...........\|\|...........................!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.1-c000 79.9ccc4de93, 2022/03/14-14:07:22 "> <rdf:RDF xmlns:rdf="http://www.w3.org/

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_langmenu_new-4x_dm.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 1012 x 1012
Category:	dropped
Size (bytes):	69225
Entropy (8bit):	7.965250242087678
Encrypted:	false
SSDEEP:	1536:nuaUHGz0AquSkYDBmydRx1fMrG+Kn/4hzWsNwhe84l2cJ:uhH+IpDB1dV0GzQ5WsNw484cu
MD5:	E1EBAE2B2203A31400FE68466E5CADAE
SHA1:	72735CAE2A778F10DC20150122BA7B53ED3C11CE
SHA-256:	D0A80105EAD46AAFB7350D8B704A1B26F207181F718F37C1DDD22D45624EBDE3
SHA-512:	5C112A0006566A4DC23D6C2E2E0A3C5B90D0F12AC45F44383D743AFEB89A5466C4FFFD1390FBE19B73D8B65B2A90B5BC5C9F54260BCDFF812B9EC33076C9BA20
Malicious:	false
Preview:	GIF89a.......&&&OOO...\|\|z\\[oom......bbbrrq.......zzx...~~~666......)))ffessr==<>>>ppp^^].........AA@ppn...FFF222...\|\|\|000CCC---........,,,ggg998KKKXXW...ZZZ...iih[[Y.............UUT......vvv...bb```^xxvlllnnl;;;ddbjji...ddd.........{{{hhf................llk...:::...~~\|....yyx........HHH...uus......::9uuu.........LLL.......~...xwv+++\|{y...QQQYYY...jjj...RRR...MMM...***vvuBBB...00/WWV......444...555```DDDWWWGGGaaaXWWEEEttt'''PPP......QQPXXX...wwu665kkj...SSS.....TTS@@?......xxx...IIH...~===}}}...TSS...aa`RRQ........\|........}...ttrHHG...uut...PPO...SSR...\|\|y...NNMLLK...FFE...CCB...~AAA.~\|MMLUUUttsIII777...kkk......YYWDDC.........ooo;;:mml...vvs...<<;......111...JJI......EEDvvt...,,+..............GGFzyxyyy......uts...554.......}}{......MLL...YXXVVVWVV...!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.1-c000 79.9ccc4de93, 2022/03/14-14:07:22 "> <rdf:RDF xmlns:rdf="http://www.w3.org/

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_logo-4x.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 640 x 208
Category:	dropped
Size (bytes):	8829
Entropy (8bit):	7.8473153970985825
Encrypted:	false
SSDEEP:	192:s/95TinQI+Pht+WXLboh/yvD4dAgf1DLpO4:sbiQI+vxXLboh/mDaAg9DL1
MD5:	E362D57571A64CBAE70019E11AABB371
SHA1:	29A2D64CAE7587860A4962968A7951212F88D304
SHA-256:	3B98F042A6B71ECF40BEA69002007EF1FDBFC193499FA1E89DD6E1FA512AA83F
SHA-512:	A77A2D5AFE6C44FAF84D51E03FE96D6C45891B45B83FFCED429A42CB924A1D70860418A2672D8F7E692E0C8465F3D7C5EC84376F85912931C3E3E0D963901D86
Malicious:	false
Preview:	GIF89a........CL............:D.................KT...:<U...13M........R[....#%A...(F+-H...YZo}~........IJb........",...np.........efz.\|.......pq.....^f........PRh..........u\|~...ZbDE]..4..mu........)446P......mn....vw......yz..bj....0:../[]rVWmNPf ">AC[`bv?AY....0K....(2........1..2BD\....&1LNe. =^`t....fn..2<.jq.sz9:T...8.5?....U].7@..:..)...8....x...6...wx....hi\|.........;........0................................................. +.......Z[p............jk~............cdx.....89S....GPJKb.........<&'C......................<>W..........78Rbcx......\^s.................TUk.....,6{\|.......OXKMd......tu.......z{.GH`...gh\|STk..............]_tkl.WXn.$/.......................ij}...........dk.pw.X`..........qx...st..ls...=?X......!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_logo-4x_dm.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 640 x 208
Category:	dropped
Size (bytes):	8910
Entropy (8bit):	7.830562670616327
Encrypted:	false
SSDEEP:	192:v/VuDLFQoucy53eHPMviTn00dqUW2BuFB2eykiCR:3VeTy5OHkqrdqQBdkD
MD5:	1212A067E52A9D25A4F118A5B21E8F1B
SHA1:	532BF306F4BBA6C2AAE1D42A64C99EDE3C36E8DD
SHA-256:	7CD72772C87A314F079BCFC15C37F6AD0DC0622895CC3A13C3687AB35A037380
SHA-512:	C945F0E7A2B9C8FCB171B40956CA1488C287FECCD14A54DD780AE4783FAE6ED491C89C205DB1FC30F5BACCD51D12AF3FB6A764717B40765FE5A76CC020540C79
Malicious:	false
Preview:	GIF89a............$xxx...NNNttt...bbb.....#...c.....ddd^^^nnn888.."...VVV.....!".....kkkzzz[[[CCC..2..TTT,,,......HHH}..............>>>..&...r..Q..KKKDDDFFF:::-.......'C.....333LLLggg..'ppp...666...........$Z..444<<<..)H.....lll...&&&...\\\..... ..! ..(((^..n....(**$$$..("""............M....%...z.....<...........v..V..9....%h.................000...PPP......```...@@@........................................vvv............RRRQQQ......ssshhh.............................111........(.......rrr......................).......................................?..\|\|\|.......'...................j.............~~~......SSS..........................aaa...}}}AAA........).................iii......YYY........)...www.....................!...........#..&7.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_logo.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 160 x 52
Category:	dropped
Size (bytes):	3296
Entropy (8bit):	7.755829337564453
Encrypted:	false
SSDEEP:	96:uXwizs2K8O2FUcQJrMJHeysPi+x603Sx2pEf:+Vs2K8eJrgJ+iM6+/c
MD5:	E323D560E40CE53A57371C89329B8D87
SHA1:	7330D0476FBF9FBF6A96E7CD5F290EE519DF774B
SHA-256:	81EB8B972D291FBF75B5F853845FA564FD250594DAA037469EC7AB8645D5B00A
SHA-512:	2F4B196049B9A8F59B48888654508EB6CCD2F9D644933A1AA7981E7C9CE1177838DA262E1A08B7B1203B7705B89A99A0D114CE190D7A1477DB7CF30C6C8C155C
Malicious:	false
Preview:	GIF89a..4.....aiPRh.0K..4.CL......NPf...abw.&1.R[.....1.=F9;U.....(F$&Brs.02L....(2....:<Umo.....ry...LNe.....3^`t. =.tz.9C.2<.nu24N[]r.+6.V_"$@,.I.MU..:..6..8../..)..;JKb........hi\|......YZo.....................+-HCD].....<..........................!,............BD\?AY.......-7...............0......dey..............56P}~....!#?......<>W...wx.....U]..........y.'(D.........45P{\|.............STk.............#.....XYo...........dk.............?H...........89S....................efz...fg{...]_t.........,G.......goWXn...67Q\|}.....8A.T\....=?X...GH`.pwUVl.....JLcKMd................X`.;Eoq.xy....z{.......gh\|......bcxcdx......uv......8jk~.ip...tu....................HIa..... +....ls...\^s...."-.........EF^.IR...ij}................em.........!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_vault.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 62 x 78
Category:	dropped
Size (bytes):	3096
Entropy (8bit):	7.74253870031419
Encrypted:	false
SSDEEP:	48:941CHRyXr7BxQFPG/ueLNn2VwvJ3ML88m/JbiIaD3tdM6fjYYO2j7IYYu3/:KCxcxQFO/Z2n4FiIaD7LfTj7aQ
MD5:	BB16131EE37CB9DE0C7ADA5033006EF1
SHA1:	F50E08602B044A9461330FA667F2BD10912C25FF
SHA-256:	E35A5C675838AEED0982D6E863222E5D97B80AF8E896F707998C95D424EBCB4E
SHA-512:	DB3C41C6CC835BCCBAC2C48145DD2146CD4D75A6CE0DECAB8D509F323670C2283AE18A8A30E1E7471C965F3EB990B11886D9FAADB5A3EEB34175435244B571EB
Malicious:	false
Preview:	GIF89a>.N..........F\....gz.*E.....................Vkyy......"................uu...........................................s............#...................<S............................9............ww.....................)..................yy..............Rg.....0..................\|\|.......................................................}}................................................................}\|..........................................................................~~.......................................\|\|....................Lb.....................3L............}}.............................................................6........................................~............\q..................................!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbuitray.exe

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	530480
Entropy (8bit):	6.3260698986363995
Encrypted:	false
SSDEEP:	12288:HoK2ufq1USdLcJzJYsMIRHhocCtf7x1kJ2:Hb2Aq15L4RHhocCtDx1o2
MD5:	EED2AF7AB068C1B2E609437BF4A34CF4
SHA1:	739A0018FA6296EF07C1A64B79DA44815F0BFAD5
SHA-256:	EDFA0ED820439F280A9BC4E028567A716240987307FE841C2AD46A202FC26627
SHA-512:	294BC3BE1330ECE6D3268B7F65A184A89AC1491C657875297B36E381859F1B1BF6C182718DD7D5F26260DAEB61098A09D2E97B56AE85158E3D11EA1E7069C1C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........R...<X..<X..<X-J.X..<X-J.X..<X-J.X..<X.v.X..<X.?Y..<X.9Y..<X.8Y..<XD).X..<XD).X..<XD).X..<X..=X..<X0.5Y..<X0..X..<X..X..<X0.>Y..<XRich..<X........................PE..L......e.....................T.......y............@..........................@...... .....@..............................................U..............0,......HP..0...T...................(...........@............................................text...w........................... ..`.rdata...g.......h..................@..@.data....B...0...(..................@....rsrc....U.......V...D..............@..@.reloc..HP.......R..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzcustom.dat

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	data
Category:	dropped
Size (bytes):	200
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	FBAF48EC981A5EECDB57B929FDD426E8
SHA1:	C45D01B195DECD87A0BF097784FBA6734005B8EA
SHA-256:	6D9C54DEE5660C46886F32D80E57E9DD0FFA57EE0CD2A762B036D9C8E0C3A33A
SHA-512:	72686058F765941BFDA046F7890A4B70D0C7A40A14BAA73EBB1FDCD47CDDC9072E5452F183B2F419B471C5B0C7D7CE074BF0B8ED004EBF418C7059737E6C093D
Malicious:	false
Preview:	........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1216064
Entropy (8bit):	6.20966177765337
Encrypted:	false
SSDEEP:	12288:+tr71kym+/dkBBgbQd3jz8tCZ0Wvv35VcQJob2EpyDbJPNg734s6Il15HeQ4t0SC:+trBkytdkBBEQdzzu1WH3+pMbJFcKV6B
MD5:	F10C1327338C2E01503EE7D1D6540E7B
SHA1:	580AACB5BD3992919219F89155FB04BD06C12C93
SHA-256:	687877B7DD3B69A9D383B81C1DFB75CC345272B3621B6A133EEC5472F69F5B93
SHA-512:	FF65BBD2E0AE1D3258D2E62902A0C0FFC70950EEBDB7A52AD006E4902204DE5A94741FE985E8ABBC76CCFD1B990D2A894A6671AC9F2047579B68BF78E39AEB25
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......L `..A.E.A.E.A.E...E.A.E...E.A.E...E.A.E...E.A.EZ).D.A.EZ).DqA.EZ).D,A.E.(.D.A.E..E.A.E..E.A.E..E.A.E.A.Ej@.E.(.D.A.E.(.E.A.E.A.E.A.E.(.D.A.ERich.A.E........................PE..L.....e............................m$............@...........................................z..............................7.......................b..@,..............T...............................@............................................text............................... ..`.rdata...`.......b..................@..@.data...DI...`...*...F..............@....rsrc................p..............@..@................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdownloader.exe

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3109424
Entropy (8bit):	6.798204678916012
Encrypted:	false
SSDEEP:	49152:Fwa5tZBUOcBH4t3NtY87HItP53PffWY48cQO3:FXtfRcBH4pNtYWID3s8cQs
MD5:	AF8612D75DC9ECB386CE8681CEC2EF28
SHA1:	3D3F2438376AB515F6D5E4247A425FA9E08359F3
SHA-256:	4E08057A87C5470571926628DDDE48542D72B4609067134AEFADE6E9FFF63ADF
SHA-512:	3BB0854D4C730039339E4EEC695F24040AFFCD5687593F524AD1077D64A57289FB2E1D658EA4C4F744B4AD849BEE42A2D6214348A8C8438DECFCA19C9EA191C1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......o...+.jR+.jR+.jR.b.R?.jR.b.R..jR.b.R5.jR.^.R#.jRy.iS1.jRy.oSR.jRy.nS..jR..nS..jR...R).jR...R.jR..nS..jR...R..jR+.kR..jR..cS7.jR...R.jR+..R.jR..hS.jRRich+.jR........PE..L.....e..........................................@.........................../......S0.......z..............................."...... ..............F/.0,..........p3".T...................h4"......3".@...............$............................text...g........................... ..`.rdata..\...........................@..@.data...,X....".......".............@....rsrc........ .......).............@..@........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdownloader_ui_strings.xml

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (349), with CRLF line terminators
Category:	dropped
Size (bytes):	112521
Entropy (8bit):	6.063187692172258
Encrypted:	false
SSDEEP:	3072:LYBPLVAcaKODxgA4gwVSU687w2MmC83UvoRf5oqP6aO:EZ1ODLHrU687fS8EvoB5oeO
MD5:	450C0393B3292EF91A11F0F5C8DFA755
SHA1:	5342B0C5A46B4A8C05425207EC7BBE50979AD8AD
SHA-256:	835A7893A0A1CF1414F7AAF9EA6FA6DCFB4310B23D8BCBF661ABF4A99A68FC5B
SHA-512:	FD489C72AEE1913512C82E6818F672B4ECBF73BF534ECED5A2E03DB3AC619CB4F9083644B7A7867C521BA3FDACD6916C5DBA2E7412465D5DEA12BEE8A9633E52
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<bzinterface>..<bzbui_text lang="en_US" .. MenuBarItem_BackblazeDownloader="Backblaze Downloader" .. SignInBadUsernamePassword="The username or password was incorrect, please try again.".. SignInCouldNotReachDatacenter="The Backblaze datacenter was unreachable, please check your Internet connection and try again.".. Information="Information".. Unsuccessful="Unsuccessful".. Error="Error".. Question="Question".. Success_Str="Success".. ok_button_text="OK".. cancel_button_text="Cancel".. close_but_text="Close" .. show_file_but_text="Show File" .. folder="Folder".. choose_folder="Choose Folder".. change_location="Change Location...".. unzip_file="Unzip File...".. pick_a_directory_to_download_into="Pick a Directory to Download Into:".. email_address="Account Email:".. password="Password:".. enter_6_digit_verify_code="Enter the two-factor verification code either sent with SMS to your phone or with Authy or Google Authentication."..

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzfclean.exe

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	166016
Entropy (8bit):	4.919821807172511
Encrypted:	false
SSDEEP:	1536:Kynndknkpvo4YGYD3oRq5+YMMmjXjFDhoYpYQ7sWocdG/MVJ7gns:OlljD3oEgYTmJht1XG/MVJgs
MD5:	5DA3374069372609B45EE2920A14BE7B
SHA1:	A04F86F180C281D843FD5061B4F076E6D8D6A95D
SHA-256:	A612EFFFE5214CCBAB3C5B26B0A751FE8C1CC6103FBC3182C641112C838BB5E8
SHA-512:	959F07CF11D0FB034DE2200B42D6541DA07F4C202BBEDEE00373423714377C7B505C35C77FC645081D2EEF4874844E3F3DBEA6CAEB20E8D371ACD73B3FB17055
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........P...>...>...>.A-...>.A-...>.A-..>.X.=..>.X.;..>.X.:..>......>...?...>.@.7...>.@.....>.......>.@.<...>.Rich..>.................PE..L....+w`............................g.............@.................................s5........z.............................$!..(....`..`R...........n..................p...........................0...@............................................text...W........................... ..`.rdata..vW.......X..................@..@.data........0......................@....gfids.......P......................@..@.rsrc...`R...`...T..................@..@................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzfilelist.exe

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1020976
Entropy (8bit):	6.539940583087731
Encrypted:	false
SSDEEP:	24576:g8A9awbeSavfF6gKSFhoetN3IC1Ecu5sX:CfbeSav9Fh7tGC1Ecu5sX
MD5:	CB9D9F1975161D48FAF2A524E8D47691
SHA1:	F24312AE58864635BFBEDFA51AADEE1B010F0CD7
SHA-256:	7D8C67C366A9AF623EDE216491A1DE5507263B80816CBED392CE63B0E9CB3C2D
SHA-512:	7466B9C0A11ED22F9E613CC8F0176923ECC8CBFB4824A35FDF10430E2AAD5C4CDCA70593CFC24FFE00BEDD7DC9C35DF0FA577212466F64B61833BB16477DB9EC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........[.:..:..:..".z.:..".x..:..".y.:....L.:...R..:...R...:...R..:..K.E.:..K.[.:..K.@.:..:..;..?S..:..?St.:..:..:..?S..:..Rich.:..................PE..L......e.....................N......=.............@.................................2.........z..........................................R...........h..0,...........u..T....................v......8v..@...............(............................text...'........................... ..`.rdata..B_.......`..................@..@.data...............................@....rsrc....R.......T..................@..@................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzfilelist64.exe

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1313840
Entropy (8bit):	6.4931066315531325
Encrypted:	false
SSDEEP:	24576:XEowHTLiPRozEr7G1NLRL6OrZILDn+UG+VqbwEsDsK:UowH/iPRKEe1NLR+OUD+l+4bwEsDsK
MD5:	D5F401FE074432CF2C3B84A4A1EF0F23
SHA1:	0B04A432166C96803F1314476BC02F262E4AA75D
SHA-256:	6633898D488F082C894C674C782848A921A60671869BDC6386400117F38A234A
SHA-512:	399B6BBCF5A5B2F78F459085353BC713B16E7F52832176D6F54788ABFC6A65673063DD90E8532388BF0C67126CD37E2A8816EC2BBC7DE5CB5971C1D053696498
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........C.........z~w....z~u.Y..z~t....PBA...........................H......V......M..........g......g.y...........g......Rich...........................PE..d...q..e..........#......z.....................@.............................0........... ...z..........................................................R...`..pk......0,..........0...T.......................(.......................p............................text...Hx.......z.................. ..`.rdata...e.......f...~..............@..@.data...d^.......<..................@....pdata..pk...`...l... ..............@..@.rsrc....R.......T..................@..@................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzinstallername.txt

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	63
Entropy (8bit):	4.5384671788317545
Encrypted:	false
SSDEEP:	3:oNsHVWW+WMXJ0kHFVb98LACn:oNsHvRMXJ00VsN
MD5:	0290F5018F575F39C1843027A6151EDF
SHA1:	BBD0861D36435EF15D9F5776A727223968A443A5
SHA-256:	8C44F78B7A6EB722A59D144CDDF7005E9794D8845DCDAC23644A8B4EE900281A
SHA-512:	4184B97F3AD880EF5E0D2AA47EE618D4EAF1AD367002557ACCAF28EF1AA7D75F859C603FF26C9B8C87F5E626D4D93FBBF140709F172474A88E3D9918E37C6B81
Malicious:	false
Preview:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzlogo.ico

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	MS Windows icon resource - 5 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel
Category:	dropped
Size (bytes):	85182
Entropy (8bit):	2.4696076544161514
Encrypted:	false
SSDEEP:	192:C+vposlTmveK7jdj7XmUtHWdOyK3ZnNReI3DCWpK:FprkeKnRjt27K3ZnN8I3GWpK
MD5:	FA460AF4D8B51BF03E735821940B69D3
SHA1:	874A925BADC43631342DE1649AEDE86121D5CC4B
SHA-256:	B61847597517A636519484B17E6FDD4357B8C68C0817519A76AAD7A3985F6DD9
SHA-512:	394BEF072DEBB31208C00FE912AF1DF5786DCE27682FC403D9416B03711CAB9F03386205553DABEF9F0FCA62535F919A710FBF352A099B12CF6836C34FC46939
Malicious:	false
Preview:	............ .h...V......... ......... .... .....F...00.... ..%............ .(....D..(....... ..... ...................................../ ../ ../ ../ .H/ ../ ./ .s/ .&/ ../ ....................../ ../ ../ .&/ ./ ../ ../ ../ ./ ./ .#/ ....................../ ../ ../ ./ ../ ../ ../ .Q/ .m/ .y/ .3/ ../ ............../ ../ ../ .R/ ../ ../ ../ .W/ ./ ../ ../ ../ .+/ ............../ ../ ../ ./ ../ ./ .k/ ../ ../ ../ ../ ../ .p/ ............../ ../ ../ .N/ .O/ ./ ./ .X/ .\|/ ../ ../ ../ .x/ ............../ ../ ../ ../ ./ ../ ../ ../ .Q/ ../ ../ ../ .J/ ................../ ../ .</ ../ ../ ../ ../ .b/ ../ ../ ./ ../ ................../ ../ .8/ ../ ../ ../ ./ ./ ../ .z/ ../ ....................../ ../ ../ ../ ../ ../ .m/ ./ ./ ../ ........................../ ../ ../ .G/ ../ ../ ./ ./ ./ ../ ............................../ ../ ../ .T/ ../ ../ .@/ .k/ ../ ................................../ ../ ../ ./ ../ ../ ../ ../ ....................................../ ../ .n/ ./ ../ ....

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzrestore.exe

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8951344
Entropy (8bit):	6.640668147654083
Encrypted:	false
SSDEEP:	98304:VlyeOuDHsoBpXQMmt+fqRird+pjHVnu3u9FLOAkGkzdnEVomFHKnPk:LyeOuDHl1vPizj1KMFLOyomFHKnPk
MD5:	CB4DD16436AA0C322B76EF8BC57F99CD
SHA1:	26E72AC6C571F10942D0ADF9600FDD6621791392
SHA-256:	BF5B73E32BA89C80CE17306727C4F8D0C783ABDCD31AC1FE397DE05C0FEBFE6D
SHA-512:	5E4C06AFFF4B0609C64E294BCABE15A87754DC550299C7A4BA5160F14402964F3F456B9C4B6C9E7C51B6A461121042C6A163488569114FB175BCC14F5BBCEF1D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......Fa.....\...\...\...\...\...\...\...\!..\..<\...\..*\...\..5\...\..4\...\..+\...\Ph.]$..\Ph.]...\Ph.]...\.i.]...\..0\3..\...\...\.i.]...\.i.\...\..l\...\.i.]...\Rich...\........................PE..d...q..e..........".......L..><.......C........@.............................`......;r....`...................................................b......Ph.0.....e.tL...j..0,......@E..pDY.T....................EY.(....DY...............M..............................text.....L.......L................. ..`.rdata........M.......L.............@..@.data.........c.. ....b.............@....pdata..tL....e..N....d.............@..@.rsrc...0....Ph......lg.............@..@.reloc..@E.......F...$..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzserv.exe

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	895024
Entropy (8bit):	6.521210985958746
Encrypted:	false
SSDEEP:	24576:lIqa5YrkQu/3ZkDFZd/ATBEhKgM41VkOJHww5e:lIqa5YrkQu/3ZkDFZd/A6Kg91VkCwwk
MD5:	9B9B2F69D85DC531239A07AC9FAFF31D
SHA1:	6E8DDA4945C912A69D1B34E0A76B733B87066740
SHA-256:	4D6717181E9BABD082B10E574D58B7489187799CF82A19A5E2E09DDADC9954BC
SHA-512:	032E019CA1551C5FEE60869669CA237FCDD614236A783E2C1E67B3224A5B668BA8F1E3A5497A52ED84F938466427D571C9979B7A173EF956FD513073A791F27A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......-..5i.fi.fi.f.Plfx.f.Pnf..f.Pofw.f.lZfh.f;..gq.f;..g..f;..gM.f.3Sfk.f.3Mfh.f.3Vf~.fi.fp.f...gs.f..bfh.fi..fh.f...gh.fRichi.f........................PE..L......e................. ..........za.......0....@.................................6:........z.............................0............R...........\|..0,..............T..........................8...@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data...d........,..................@....rsrc....R.......T...(..............@..@........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4460080
Entropy (8bit):	6.717980182225096
Encrypted:	false
SSDEEP:	98304:kDLbIb3XiOKqIaIMLbazsNLrdEIqnk1s8VZ:CbIb3XiOt+MS/nkq8VZ
MD5:	B3442F00487BC454F45D31D3A95E5079
SHA1:	7B906F66B20C76352C78B89FCB5AA3FFF0F520ED
SHA-256:	054D3FBF92234C405F601F3F1D307CE0BA7CD5A4470A790B6F0DC4CCD3DFBDD5
SHA-512:	639CB22DBFBBB7C46D7AEE996AE61FA572F1AAD608E636BE37FDD812AA4237D5B806F9071D67AC550DB900EC348ACE0D9D85BA671A8B17A240577735E7265094
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........&.H...H...H.......H.......H.......H.$1....H...K...H...M..H...L...H...L.2.H.gn....H...L.F.H.gn....H.gn....H...I..H...A...H.......H......H...J...H.Rich..H.........PE..L.....e..................1...0....... .......1...@..........................pb......lD.......z.............................,>B.......a..R............C.0,..........p.@.T...................h.@.......@.@.............1..............................text.....1.......1................. ..`.rdata..2.....1.......1.............@..@.data...\....`B..J...DB.............@....rsrc....R....a..T....B.............@..@........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit64.exe

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5521968
Entropy (8bit):	6.569518863163696
Encrypted:	false
SSDEEP:	49152:BA0jXVZ31DJzp3xTf47SgTGZ8EMcqaEDGS/LvTDFFwpsJalmStRc+fdO+Ioo7bAz:JTneoofd1DPGfKAmZ1GafZYpMPH3o
MD5:	EBF1C6E6E0003EE17F55E0FDB3620714
SHA1:	81A711D6F5377B22846CB654E5402A6503F8B261
SHA-256:	E3BB84F5B6ACBB09F9B2CB0F24CECE874DEAEC2224D1BA26D2B5306EEA57F8CD
SHA-512:	F52020F55A437B7855E2CCED0394337D3F03378E8EC6B78286AF0BB90C24E57A8FC0923D22132F30343758FA6406A93BFE60CA12AB464EF2B1E101EB8B54402F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$..........j.y9.y9.y9o-.9.y9o-.9h.y9o-.9.y9E..9.y9..z8.y9..\|8[.y9..}8..y9r.}8S.y9.N.9.y9s.}8'.y9.N.9.y9.N.9..y9.x9..y9r.p8..y9r.9.y9..9.y9r.{8.y9Rich.y9........................PE..d......e..........#......>;..FP......g(........@....................................r.T... ...z..............................................}P......P...R......\.....T.0,..........P.L.T.....................L.(.....L..............P;.(............................text...`=;......>;................. ..`.rdata..&N...P;..P...B;.............@..@.data.....7...P..l....P.............@....pdata..\.............P.............@..@.rsrc....R...P...T....R.............@..@................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzwinrt.dll

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	42032
Entropy (8bit):	6.554664388528599
Encrypted:	false
SSDEEP:	768:BLRnTz4m9bIbB8P+KPHslJ4MKgKChqABrABgUFs/zd0r2lq9gV1VaXLkjIY:BLRAAbIbB8clhKChqABrABgUFw0rgq9g
MD5:	74B7995F2D0667F88983D93D05F0E146
SHA1:	C5427B17AEFDAC927D50F9DADA0BFD81B2D7DB65
SHA-256:	243BE9BED5D23F0070B72CEE5451B21621BB18FDCB44858B2514FA2A1B34000A
SHA-512:	B839F20CF6CA7913B624EDBC730CDE88A113CA78CEDE1295645B789A3FAC5FBAB480502766628FEF00E9FA2321B570EF36D7CA8EE85D5622881B1A6EFC18B0EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........tv`...3...3...3.}.2...3.}.2...3.}.2...3.}.2...3.q.2...3.m.3...3...3...3.\|.2...3.\|.2...3.\|.3...3...3...3.\|.2...3Rich...3........................PE..L......e...........!.....:...>.......=.......P......................................u.....@.........................Pe..x....e..........p............x..0,..........`U..T...................XV.......U..@............P..`............................text....8.......:.................. ..`.rdata..x!...P..."...>..............@..@.data................`..............@....rsrc...p............j..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\files.zip

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	29674571
Entropy (8bit):	7.998906704301309
Encrypted:	true
SSDEEP:	786432:2A4fEIAQR5jw7zEaJT+AlCXb800mo9kvLGCCZyMacvRt:2A9vQRBwTJHlIb800mo9yLrncvT
MD5:	36704772516A6DB610061A951B1D764D
SHA1:	A4AE149C689A38091AB25823F709BC6062D076C2
SHA-256:	C21CEBE52A88730BF08B87001ECED5B806A9953E6885E1569E52B96F8BBA2DA4
SHA-512:	8751E23BC61A304F55853C1207A977A95FAC99EB0C46E5FC9999AE128CD3B819085ED865E6013B83531AE4616BBE0507F484DE0714D748E4AC63ECB09D5437B1
Malicious:	false
Preview:	PK.........cIX.}`Y.a..0.......bzserv.exe.{\.U.8...AP.C.fyCC.4#.........,3..Y.q.@18.....6V2a:.3...&.J.y#c..)...4T.b...k......?.}...~.^{..Z{..:3..V.........T(._.r......s..Jy.#...G..[.z"b....\q.#.....eE,~ b......H.sN.#.-y`d..."9.[..a.C.K...?M[.t%>.]z...-}.>./.{..>.6.......P\|...L.,....a\|.D..yKW!..K..)YZ...>q.....C.....<.....o....5.(....Na..".Q1...z...../..~s..d(MD.3.B:@Q..2..#....._......?..DW...J.$.U.f....=....kcaw%....jw..}..g....i..jE.....,.<9 ...m5..D(..+..u..\<id8..32....8..)K..Q\|.g@...pU#W<..~h....YI..a!^..S.....L%....S.r\|.A..HS..k.5.B..aR.............4e..c.%..M....C....?.....I..V.g9.O.._........=....=_.B.#..p...L?.g..v.W.~9....\|$......>..\|0.6.lZ..9.p.X..R..:...k..K&..y.....-y-.....1.;,.]..N..ZK.{.)iNKY..<.....e.Yk.S......>...-.8....u#.Q....e.8]....h:............E.h;L...G.....T..J5)..y..#.l.}.j.~k..kk.4..q&.Z........)...)?.h._i>.....\|[........UY.......S..4.}.o.e.W.`}.P.>:.m\...q..S.............qx.?.%......\|)._..>.........o........

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\license.txt

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7430
Entropy (8bit):	5.205400410702866
Encrypted:	false
SSDEEP:	192:GQHHUhCreitmxrs1rsy/QZ93OWZ7u2dOrsMrsSC13C3dinCY:GlhCrei2rs1rsyilHcPrsMrspdsdWCY
MD5:	4BC3298873D59531F93AC415E885732D
SHA1:	727AA225F3948A20DEA088E966CCB10D797D5E2E
SHA-256:	B19F1BF1E95EB365D82353E045760707912A1C29FD6C7C342C2564704714E315
SHA-512:	C813AA6EE270926B6F6A7986EE121ECCE0821DE9EAA9041CD014A9A6CF8A681FCC0C794B81A9123704CE4DB30AF80E5716408ED90ED25B43D9BBBA9840C11D01
Malicious:	false
Preview:	********** libcurl **********....COPYRIGHT AND PERMISSION NOTICE....Copyright (c) 1996 - 2023, Daniel Stenberg, <daniel@haxx.se>, and many..contributors, see the THANKS file.....All rights reserved.....Permission to use, copy, modify, and distribute this software for any purpose..with or without fee is hereby granted, provided that the above copyright..notice and this permission notice appear in all copies.....THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR..IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,..FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN..NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,..DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR..OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE..OR OTHER DEALINGS IN THE SOFTWARE.....Except as contained in this notice, the name of a copyright holder shall not..be used in a

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\msvcr100.dll

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	768848
Entropy (8bit):	6.911829055229904
Encrypted:	false
SSDEEP:	12288:dmCy3GUj/QGrB4F+FVW1rWNivf9JNxpEtwIy2i3Hlr0n1:dmCy3LQA4F8U1rWNivf9hpEam1
MD5:	2B92A88E329F4845D31941967A3BAA90
SHA1:	BBF341E7ED9947DE0B5D84D93CA0BC4C8BEB5500
SHA-256:	649A7AB8E3B5C0940812E40EAFC8F004979BB48BFC8F4BC7DB9F2CBCDD715344
SHA-512:	B94862E3F516402317A5467C6E0FF3DD23A967D90DAE87DEC1687157E43978C2D73C24FEE71B4FEBEADA54BB433EA4FCD16568D02FDE1C4F9F50F6D7BA02408A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..\|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L...v5.M.........."!................D........ .....x.....................................@..........................I..........(....p..................P........L......8...........................h!..@............................................text...i........................... ..`.data...\|Z.......N..................@....rsrc........p.......R..............@..@.reloc...L.......N...V..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\msvcr100_x64.dll

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	829264
Entropy (8bit):	6.55381739669424
Encrypted:	false
SSDEEP:	12288:3gzGPEett9Mw9HfBCddjMb2NQVmTW752fmyyKWeHQGokozS:QzJetPMw9HfBCrMb2Kc6ymyyKWewGzUS
MD5:	DF3CA8D16BDED6A54977B30E66864D33
SHA1:	B7B9349B33230C5B80886F5C1F0A42848661C883
SHA-256:	1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36
SHA-512:	951B2F67C2F2EF1CFCD4B43BD3EE0E486CDBA7D04B4EA7259DF0E4B3112E360AEFB8DCD058BECCCACD99ACA7F56D4F9BD211075BD16B28C2661D562E50B423F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........pm...>...>...>..>...>...>F..>...>...>...>..>...>..>...>D..>...>...>...>...>...>...>Rich...>........................PE..d...J._M.........." ..........................sy............................. ............@.........................................pt.......`..(...............pb......P............................................................................................text...F........................... ..`.rdata..............................@..@.data...L}... ...R..................@....pdata..pb.......d...Z..............@..@_CONST..............................@...text.....2... ...4..................@.. data.........`......................@..@.rsrc................v..............@..@.reloc...............z..............@..B................................................................................................................................

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\still_cloud_win_120p.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 213 x 120
Category:	dropped
Size (bytes):	7070
Entropy (8bit):	7.850519815742094
Encrypted:	false
SSDEEP:	96:/6gPGRgzaz2e5fkf7i+LnDu9ROhQlxK9ZXFPIFDfrMRYtn+P2cfC5lwSj5cDetE2:/DggDDi+k2KxK9ZtI9iYtM2IfDeCvgA0
MD5:	BD3371D7807024EE2FA3E7B2EDE629DD
SHA1:	8F154D0B134AC3356AF8866DE8F2F172BB90C978
SHA-256:	0AF0126B100344D4C5FF333C763A9D4729E2B43FBFE8A863083135ED67FCAFC2
SHA-512:	73B7593A584595B655628123C03EA0375E5AC42EB440CB189A6D0BA1956B3D08D5FB6474ED3416E6E6C0A57A58296423F0F6322129EBE1EBFAB6F24A3114A3FD
Malicious:	false
Preview:	GIF89a..x..............Ta.................bs..(yc~.j.sa}.......Ui...s...r`\|....dv....aq......d\|.........................Rf..........EY.F[.........................*D.....[n.........&6...............p.....Sf........%.i..1I.t.......s......BW...r............w..La...........cy.....3.bv...w...........6F..FU....?L....>S....8O...Uh.........8L........7..................y..bo................#<............................. ........u.....+C....}..............................r}................................+....$>.......g\|wf..................^r....}.........%....J`~m..........1@..au.....(..1..$..$../................................................p_{............................-=.....#..&...................l{............!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.1-c000 79.9ccc4de93, 2022/03/14-14:07:22 "> <rdf:RDF xmlns:rdf="http://www.w3.org/

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\still_cloud_win_120p_dm.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 213 x 120
Category:	dropped
Size (bytes):	6199
Entropy (8bit):	7.863699151544176
Encrypted:	false
SSDEEP:	96:vI0dz2KBfl4UHgjrWnryXbDWWW1IANlPJ+gOsGAeQ:w0dJAjrWebD5yBvpz
MD5:	A7B5F907ECDFA4A3211FB75F25354A42
SHA1:	D3DC08188C0EF839E565C6C11B02415A993989DD
SHA-256:	5310941538A5E73BF199E7E825EADBCA96CF3DC353DF2E87341AD37D3C9687ED
SHA-512:	A79F2472155808943236F8E859BEAD20010BB93AF93156E9EA91697BC2F161921FC96FFE89196935A05424F4F86361A99AEAA95CF6B31BC1A5E39F94361222CD
Malicious:	false
Preview:	GIF89a..x................bu.r..bv.Tg..(.t..EZr`\|.r........at...?...........dyH>N...}k........VbaK[.&6....<Gyc~..2.....q..k....sXg.3J.EY...[.#....Tg.j~........%..sa~...%...I`..6....B..6F.Sf......w....o...........h....%.'......6F.+E..ER.^q.?L....Tg.w..[n..+......"=z.%.`ra3.(5.........;R...KY..........L`..6.4L.fs......5(/.n..HY....BY.i..zi..$=..;RcQc...=S.............. .........Xg$.&p^y.."xf..........l9C........r}..............as....".$..........R3;..k.I,3..-...jZqF<I......I9C.,=...._k~l..m..........W=F..../.K_cAJ.P^....[nC8E....j}...A3?...TES..%:/:......m.....t.&......]q..... .1@.m.M>I.....(. %..%.....$?6A"....................................,<....L@O........HW...e\|..............................'<...........................!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.1-c000 79.9ccc4de93, 2022/03/14-14:07:22 "> <rdf:RDF xmlns:rdf="http://www.w3.org/

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\windows-cloud-4x.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 248 x 312
Category:	dropped
Size (bytes):	7697
Entropy (8bit):	7.920239230581173
Encrypted:	false
SSDEEP:	96:1SwL/w2Yrr/U4hR8aMqquC3luc2e3Acs6k75kDPhGAN8Vn7Xu+CMicGEjol/g:H/TM08c2e30tyDPVCF7Xu30Xol/g
MD5:	A170A009A9DB214721F150EE4D976F6B
SHA1:	CC210758132D8C1328A46122D4E889F8B6815087
SHA-256:	9316CA14C33BBB1E533C441FF67F46F545A9A6D5F1AD34D1A4407D3869D3D36B
SHA-512:	C81E7069615F3B70677738C45303963A002E3D91F63816412BA0EBE6F91833771900B89F7B07770426817D253E3DD4F34FA222AB20DF9191B9AB45AF7BF14C23
Malicious:	false
Preview:	GIF89a..8..............D[.\|...................................*.............................Tj....................;S..........................)D....4M....Kb.Xm.........................k}..1.............................................4................................................!=.......9........&A............cv....\p....u...H.......Pf....n...%..........................................................................................................................................................................................'......................&.................................................................gz............................w........................-.............................................!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\windows-cloud-4x_dm.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 248 x 312
Category:	dropped
Size (bytes):	8170
Entropy (8bit):	7.918948871435702
Encrypted:	false
SSDEEP:	192:yOpndy9pd4AXfjzaqW0Y2ftgo47LTdHNbo2PzDt:zpnd+nvaFUkL1PzDt
MD5:	575AE077E36C8EA938DB64204D842ADA
SHA1:	A5F880CC67CE0C05A4A1416AA7056FD7EBD3D752
SHA-256:	CBC2D622030F2D8EC0D7E2C60FA83A66385DB842D44BB90192CAC57B7A5CAE76
SHA-512:	6B5C424AB712045CF67DB8C4B8174287518C6FE176167AE3874B7571143E88BD4AB807FB9AB79BA28F93FA09D78CBE355A57C0FB429C02640DFECDC1AE0B75F7
Malicious:	false
Preview:	GIF89a..8....666.CZtt.~~.001SSb999...::C....s.[[k...... ...qq.&&&....""".............333,,,........;S.....)...**..........$$$...xx................\|\|..................................4M................................2aarnn..k}...33<.{..I`...,,3....KKXjj}.......+E........................@@K...............ddv.........zz..Yn......IIUEEQ...............%@.....5.......Ti................................$$PP^......................Pfggx..".^r....">....................!!&....fy......./I.cv..;....ll...-..%.........((/......FFF@@@;;;CCCDDD)))///555(((...<<<EEE???BBBGGG:::...>>>444AAA===HHH..............................hhz..............................&......^^o...XXg...'.......................................................................!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\windows-computer-4x.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 336 x 312
Category:	dropped
Size (bytes):	9110
Entropy (8bit):	7.941385053653354
Encrypted:	false
SSDEEP:	192:ZPeyZzEsGtL5eSF/ksiwhmz4vrft1z+hl:0yZzEsGX1F89whkYZIv
MD5:	C96CB4426C0432488C85A5F9B26B4E17
SHA1:	B9B25A3BAC4E99539BDC3813790C59A5AF79FF81
SHA-256:	08FD3D6DAE2021C4EF2309E1C72B615CDF1511BCA03BF7E0B9CDA8E355FE7B42
SHA-512:	441E3C1AAAAD9E919AA6FF17B12DB58F06CA6BDD21FDE77B0C8632A5340E19FC36FFAD23A99C21319E3840851938CE680569FC8DF36D8BF77B0EBB764A6023DA
Malicious:	false
Preview:	GIF89aP.8...............%....................................................................................F].................................................................................................................5..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\windows-computer-4x_dm.gif

Download File

Process:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
File Type:	GIF image data, version 89a, 336 x 312
Category:	dropped
Size (bytes):	9265
Entropy (8bit):	7.935774775485394
Encrypted:	false
SSDEEP:	192:wutX/fl/5GGVunZg7vjsKxAntrzfdjjeoB/LP7BVKFQ:xtX/flRGGgobsKxKrle6BYFQ
MD5:	F7C2708A343D47FE1C3AB685FFD6886C
SHA1:	B6D9FDB9420860C6F1518A2020D8761E220A569F
SHA-256:	CF49468A19DE3EB585670EEF13E97F284E6FE9AC305806AADF30A5EDBEE9ED64
SHA-512:	13D2503445FBC20818B5B6FC3E28F854FA93669E1C2D73DFA4548D83864D26F86D1EA820FF7053F4689729570DD6AE4FC458AB0A3FC5A48FA77FE648229C556E
Malicious:	false
Preview:	GIF89aP.8.......eew............tt............III...AAA...DDD.F]......999)))555...YYc............>>>......%%%...!!!DDK..............%......111......\|\|.......RR^...............<<C................HHQ........qq.....yy.............22:..........kk}.........................,,3..................................AAH............223...iix88>%%+........#!!&................................................................................................................................................................................................................................................((/...................................................................__o.......#?............ffx...............oo.....................!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c003 79.164527, 2020/10/15-17:48:32 "> <rdf:RDF xmlns:rdf="http://www.w3.org/199

C:\Users\user\AppData\Local\Temp\bzt0315155706_0000001_1930_0005724.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.484183719779189
Encrypted:	false
SSDEEP:	3:Atln:Il
MD5:	8419EB7017E34158D9A622045D6BEB33
SHA1:	3548B68ED1C9B6E19E3431A289CDC90B6E6B30D2
SHA-256:	677CB04E2242E8B0B645322555089C6B91A9FF1405BAC26C5025F07BFD328717
SHA-512:	9F87E1D6206656667C3B54936DD90F867F02FB986C3587A50E139C0DEA6EFDBC902BC63857D02E6796D86E2B4388103663DAC3EA0AB5D2457E9AAFC5C0FB5E13
Malicious:	false
Preview:	FAILURE_TO_FETCH_URL

C:\Users\user\AppData\Local\Temp\bzt0315155706_0000001_1930_0005724.txt_5888_6646.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.484183719779189
Encrypted:	false
SSDEEP:	3:Atln:Il
MD5:	8419EB7017E34158D9A622045D6BEB33
SHA1:	3548B68ED1C9B6E19E3431A289CDC90B6E6B30D2
SHA-256:	677CB04E2242E8B0B645322555089C6B91A9FF1405BAC26C5025F07BFD328717
SHA-512:	9F87E1D6206656667C3B54936DD90F867F02FB986C3587A50E139C0DEA6EFDBC902BC63857D02E6796D86E2B4388103663DAC3EA0AB5D2457E9AAFC5C0FB5E13
Malicious:	false
Preview:	FAILURE_TO_FETCH_URL

C:\Users\user\AppData\Local\Temp\bzt0315155706_0000002_6385_0005724.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.484183719779189
Encrypted:	false
SSDEEP:	3:Atln:Il
MD5:	8419EB7017E34158D9A622045D6BEB33
SHA1:	3548B68ED1C9B6E19E3431A289CDC90B6E6B30D2
SHA-256:	677CB04E2242E8B0B645322555089C6B91A9FF1405BAC26C5025F07BFD328717
SHA-512:	9F87E1D6206656667C3B54936DD90F867F02FB986C3587A50E139C0DEA6EFDBC902BC63857D02E6796D86E2B4388103663DAC3EA0AB5D2457E9AAFC5C0FB5E13
Malicious:	false
Preview:	FAILURE_TO_FETCH_URL

C:\Users\user\AppData\Local\Temp\bzt0315155706_0000002_6385_0005724.txt_2088_2166.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.484183719779189
Encrypted:	false
SSDEEP:	3:Atln:Il
MD5:	8419EB7017E34158D9A622045D6BEB33
SHA1:	3548B68ED1C9B6E19E3431A289CDC90B6E6B30D2
SHA-256:	677CB04E2242E8B0B645322555089C6B91A9FF1405BAC26C5025F07BFD328717
SHA-512:	9F87E1D6206656667C3B54936DD90F867F02FB986C3587A50E139C0DEA6EFDBC902BC63857D02E6796D86E2B4388103663DAC3EA0AB5D2457E9AAFC5C0FB5E13
Malicious:	false
Preview:	FAILURE_TO_FETCH_URL

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	83
Entropy (8bit):	4.792721179692367
Encrypted:	false
SSDEEP:	3:zHagGIqZFDE5DROBV7GUZ3E9e9e:z6gGIoFW032A9e
MD5:	3C939EC8F1B5A3FBB99C0D1FAEF9F989
SHA1:	BA67520FE2C390D4FDD2D7A2B4D4C25D924544B4
SHA-256:	C86706C646FFAD8F7AE4F0899454CEDF696F574F000A0B2050AF9ABF4D026F84
SHA-512:	A8FA78DEEA9C4BAB068DC32D94AFA5089CC8DEB91CE5A9887F31E69C133ED2621941B5191D51494A7F3EAC0EFB425B1B0D0F9ACE0B5658712330027F7F6FCBA2
Malicious:	false
Preview:	..ERROR: fetch of url failed: https://ca001.backblaze.com/api/clientversion.xml....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9969826218653015
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	install_backblaze_bbec75b7f971c02a0.exe
File size:	30'129'600 bytes
MD5:	01ec621bc8779d04ffdd06ee380f6669
SHA1:	8c2546b47dcccef81d2fcd90ca3286e6d3d9d278
SHA256:	5ba6d375cd6a7ee8c72a5c37a6da4b203455d999be507e06b0190ea0dde54c74
SHA512:	e0af23c225ee06fe5f62f879bf3b69dedbb7e8590d02a85477a9f1dd04ba2da90190ee5177b8b76e19e1d2f9dc8e9bd6399a7400bfc1552e753839ccd8b6a02e
SSDEEP:	786432:TA4fEIAQR5jw7zEaJT+AlCXb800mo9kvLGCCZyMacvR1:TA9vQRBwTJHlIb800mo9yLrncvX
TLSH:	866733032588C13DDD565F30FA8B8BFCC92B1FA7F61241A7AE5CBE6936321E21934645
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........,...B...B...B..F....B..F..$.B..F....B.&z....B...A...B...G...B...F...B...F...B.e%....B.e%....B.e%....B...C.V.B...K...B.......B

File Icon


Icon Hash:	0606930d215a310f

Static PE Info

General

Entrypoint:	0x41405d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65C68AC5 [Fri Feb 9 20:27:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d9678942cdccb5a8cbcca65f2f3ac5af

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	23/03/2022 19:16:19 28/05/2025 22:05:57
Subject Chain	CN="BACKBLAZE, INC.", O="BACKBLAZE, INC.", STREET=500 Ben Franklin Ct, L=San Mateo, S=California, C=US, OID.1.3.6.1.4.1.311.60.2.1.2=DELAWARE, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=4337553, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	D6560A9944CD2E4CAA32776C351D2C07
Thumbprint SHA-1:	CE85ED26548E22438BC9DFD40F2D8B9AA887FE20
Thumbprint SHA-256:	0D03690B6AA4BD7BFFE3BEB3232E77E2CA41E139CD0F2E39C1D35F4B1A7FBE78
Serial:	020DB652DFC730ED3E34E3E3

Entrypoint Preview

Instruction
call 00007FD8247E808Ah
jmp 00007FD8247E773Fh
push ebp
mov ebp, esp
jmp 00007FD8247E78CFh
push dword ptr [ebp+08h]
call 00007FD824805E37h
pop ecx
test eax, eax
je 00007FD8247E78D1h
push dword ptr [ebp+08h]
call 00007FD824802937h
pop ecx
test eax, eax
je 00007FD8247E78A8h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007FD8247E840Fh
jmp 00007FD8247E83ECh
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 00447FE4h
je 00007FD8247E78CCh
push 0000000Ch
push esi
call 00007FD8247E7619h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
mov eax, dword ptr [00456014h]
and eax, 1Fh
push 00000020h
pop ecx
sub ecx, eax
mov eax, dword ptr [ebp+08h]
ror eax, cl
xor eax, dword ptr [00456014h]
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007FD8247E78DBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007FD8247E78CCh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007FD8247E78CEh
add edx, 28h
cmp edx, esi
jne 00007FD8247E78ACh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007FD8247E78BBh
push esi
call 00007FD8247E8533h
test eax, eax
je 00007FD8247E78E2h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x54f24	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x15290	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1cb9180	0x2c40
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x50c10	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x50d08	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x50c68	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x44000	0x26c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x42a15	0x42c00	c1d7dfaaf1977d28028e826a4c5ac1a8	False	0.572283912687266	MS Windows COFF Motorola 68000 object file	6.649123025016168	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x44000	0x11d5a	0x11e00	f547f524ec1b53caf65dac99c9a9e26a	False	0.4722601617132867	data	5.519656329184807	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x56000	0x315c	0x2200	a556b5297147fc30f377ea756ae9cff6	False	0.18026194852941177	DOS executable (block device driver @\273)	4.0387591637400115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5a000	0x15290	0x15400	b465bae50ae5b1ff0dd3290a5e2365b3	False	0.07209329044117647	data	2.548046598022004	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5a200	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.2872340425531915
RT_ICON	0x5a668	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.22008196721311477
RT_ICON	0x5aff0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.1723733583489681
RT_ICON	0x5c098	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.12645228215767634
RT_ICON	0x5e640	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.040163255648882054
RT_GROUP_ICON	0x6ee68	0x4c	data	English	United States	0.7763157894736842
RT_VERSION	0x6eeb8	0x250	data	English	United States	0.49324324324324326
RT_MANIFEST	0x6f108	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
WS2_32.dll	WSAStartup, WSACleanup
KERNEL32.dll	GetCurrentDirectoryW, SetCurrentDirectoryW, CreateProcessW, CloseHandle, DeleteFileW, GetFileAttributesExW, GetLastError, MultiByteToWideChar, GetVersionExW, GetCurrentProcess, TerminateProcess, Sleep, GetTimeZoneInformation, GetProcAddress, LocalFree, GetCurrentProcessId, GetModuleHandleW, GetSystemTimeAsFileTime, FindNextFileW, GetFinalPathNameByHandleW, FindClose, SetFileAttributesW, GetCurrentThread, SetFilePointerEx, FreeLibrary, LoadLibraryExW, FileTimeToSystemTime, SystemTimeToFileTime, SetFilePointer, EnterCriticalSection, LeaveCriticalSection, CreateFileW, DeleteCriticalSection, GetCurrentThreadId, WideCharToMultiByte, QueryPerformanceCounter, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, SetEvent, WaitForSingleObjectEx, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, SignalObjectAndWait, CreateThread, SetThreadPriority, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, EncodePointer, GetThreadTimes, FreeLibraryAndExitThread, GetModuleHandleA, VirtualAlloc, VirtualProtect, VirtualFree, DuplicateHandle, ReleaseSemaphore, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, CreateTimerQueue, LoadLibraryW, RtlUnwind, RaiseException, ExitProcess, GetModuleHandleExW, GetACP, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, HeapReAlloc, HeapFree, HeapAlloc, GetFileType, GetStringTypeW, GetConsoleMode, ReadConsoleW, GetConsoleCP, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetStdHandle, GetProcessHeap, FlushFileBuffers, WriteConsoleW, HeapSize, DecodePointer, SetEndOfFile, GetTempPathW, CreatePipe, GetModuleFileNameW, RemoveDirectoryW, WriteFile, GetStdHandle, ReadFile, CreateDirectoryW, GetSystemTime, TryEnterCriticalSection, GetTickCount
USER32.dll	LoadCursorW, CreateWindowExW, GetMessageW, DefWindowProcW, DestroyWindow, MessageBoxW, RegisterClassExW
ADVAPI32.dll	SetEntriesInAclW, SetSecurityInfo, SetSecurityDescriptorDacl, RegCloseKey, RegOpenKeyExW, RegQueryValueExW, FreeSid, AllocateAndInitializeSid, AddAccessAllowedAce, GetLengthSid, InitializeAcl, InitializeSecurityDescriptor, SetFileSecurityW, SetNamedSecurityInfoW
SHELL32.dll	SHGetFolderPathW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 23
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 15, 2024 16:57:07.782836914 CET	49706	443	192.168.2.17	104.153.233.8
Mar 15, 2024 16:57:07.782942057 CET	443	49706	104.153.233.8	192.168.2.17
Mar 15, 2024 16:57:07.783054113 CET	49706	443	192.168.2.17	104.153.233.8
Mar 15, 2024 16:57:07.795619965 CET	49706	443	192.168.2.17	104.153.233.8
Mar 15, 2024 16:57:07.795665979 CET	443	49706	104.153.233.8	192.168.2.17
Mar 15, 2024 16:57:07.883358002 CET	49707	443	192.168.2.17	104.153.233.9
Mar 15, 2024 16:57:07.883389950 CET	443	49707	104.153.233.9	192.168.2.17
Mar 15, 2024 16:57:07.883462906 CET	49707	443	192.168.2.17	104.153.233.9
Mar 15, 2024 16:57:07.887840986 CET	49707	443	192.168.2.17	104.153.233.9
Mar 15, 2024 16:57:07.887856007 CET	443	49707	104.153.233.9	192.168.2.17
Mar 15, 2024 16:57:08.153101921 CET	443	49706	104.153.233.8	192.168.2.17
Mar 15, 2024 16:57:08.153239012 CET	49706	443	192.168.2.17	104.153.233.8
Mar 15, 2024 16:57:08.168102980 CET	49706	443	192.168.2.17	104.153.233.8
Mar 15, 2024 16:57:08.168131113 CET	443	49706	104.153.233.8	192.168.2.17
Mar 15, 2024 16:57:08.168282986 CET	49706	443	192.168.2.17	104.153.233.8
Mar 15, 2024 16:57:08.168329954 CET	443	49706	104.153.233.8	192.168.2.17
Mar 15, 2024 16:57:08.168415070 CET	49706	443	192.168.2.17	104.153.233.8
Mar 15, 2024 16:57:08.238394976 CET	443	49707	104.153.233.9	192.168.2.17
Mar 15, 2024 16:57:08.238481045 CET	49707	443	192.168.2.17	104.153.233.9
Mar 15, 2024 16:57:08.240556955 CET	49707	443	192.168.2.17	104.153.233.9
Mar 15, 2024 16:57:08.240569115 CET	443	49707	104.153.233.9	192.168.2.17
Mar 15, 2024 16:57:08.240768909 CET	49707	443	192.168.2.17	104.153.233.9
Mar 15, 2024 16:57:08.240803957 CET	443	49707	104.153.233.9	192.168.2.17
Mar 15, 2024 16:57:08.240863085 CET	49707	443	192.168.2.17	104.153.233.9
Mar 15, 2024 16:57:08.534317970 CET	49710	443	192.168.2.17	104.153.233.8
Mar 15, 2024 16:57:08.534404039 CET	443	49710	104.153.233.8	192.168.2.17
Mar 15, 2024 16:57:08.534514904 CET	49710	443	192.168.2.17	104.153.233.8
Mar 15, 2024 16:57:08.538836002 CET	49710	443	192.168.2.17	104.153.233.8
Mar 15, 2024 16:57:08.538867950 CET	443	49710	104.153.233.8	192.168.2.17
Mar 15, 2024 16:57:08.888745070 CET	443	49710	104.153.233.8	192.168.2.17
Mar 15, 2024 16:57:08.888864994 CET	49710	443	192.168.2.17	104.153.233.8
Mar 15, 2024 16:57:08.891030073 CET	49710	443	192.168.2.17	104.153.233.8
Mar 15, 2024 16:57:08.891077042 CET	443	49710	104.153.233.8	192.168.2.17
Mar 15, 2024 16:57:08.891135931 CET	49710	443	192.168.2.17	104.153.233.8
Mar 15, 2024 16:57:08.891239882 CET	443	49710	104.153.233.8	192.168.2.17
Mar 15, 2024 16:57:08.891304970 CET	49710	443	192.168.2.17	104.153.233.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 15, 2024 16:57:07.688150883 CET	61743	53	192.168.2.17	1.1.1.1
Mar 15, 2024 16:57:07.778220892 CET	53	61743	1.1.1.1	192.168.2.17
Mar 15, 2024 16:57:07.789371014 CET	63149	53	192.168.2.17	1.1.1.1
Mar 15, 2024 16:57:07.878652096 CET	53	63149	1.1.1.1	192.168.2.17

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 15, 2024 16:57:07.688150883 CET	192.168.2.17	1.1.1.1	0x295b	Standard query (0)	ca000.backblaze.com	A (IP address)	IN (0x0001)	false
Mar 15, 2024 16:57:07.789371014 CET	192.168.2.17	1.1.1.1	0x4d07	Standard query (0)	ca001.backblaze.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 15, 2024 16:57:07.778220892 CET	1.1.1.1	192.168.2.17	0x295b	No error (0)	ca000.backblaze.com	ca-000-0000.backblaze.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 15, 2024 16:57:07.778220892 CET	1.1.1.1	192.168.2.17	0x295b	No error (0)	ca-000-0000.backblaze.com		104.153.233.8	A (IP address)	IN (0x0001)	false
Mar 15, 2024 16:57:07.878652096 CET	1.1.1.1	192.168.2.17	0x4d07	No error (0)	ca001.backblaze.com	ca-001-0000.backblaze.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 15, 2024 16:57:07.878652096 CET	1.1.1.1	192.168.2.17	0x4d07	No error (0)	ca-001-0000.backblaze.com		104.153.233.9	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• install_backblaze_bbec75b7f971c02a0.exe
• bzdoinstall.exe
• bztransmit.exe
• conhost.exe
• bztransmit.exe
• conhost.exe
• bztransmit.exe
• conhost.exe

Click to jump to process

Memory Usage

• install_backblaze_bbec75b7f971c02a0.exe
• bzdoinstall.exe
• bztransmit.exe
• conhost.exe
• bztransmit.exe
• conhost.exe
• bztransmit.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• install_backblaze_bbec75b7f971c02a0.exe
• bzdoinstall.exe
• bztransmit.exe
• conhost.exe
• bztransmit.exe
• conhost.exe
• bztransmit.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	16:56:59
Start date:	15/03/2024
Path:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\install_backblaze_bbec75b7f971c02a0.exe
Imagebase:	0x400000
File size:	30'129'600 bytes
MD5 hash:	01EC621BC8779D04FFDD06EE380F6669
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:57:05
Start date:	15/03/2024
Path:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzdoinstall.exe" -doinstall "C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir
Imagebase:	0x400000
File size:	1'216'064 bytes
MD5 hash:	F10C1327338C2E01503EE7D1D6540E7B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:57:06
Start date:	15/03/2024
Path:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -fetchurltofile https://ca000.backblaze.com/api/clientversion.xml "C:\Users\user\AppData\Local\Temp\bzt0315155706_0000001_1930_0005724.txt
Imagebase:	0x400000
File size:	4'460'080 bytes
MD5 hash:	B3442F00487BC454F45D31D3A95E5079
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:57:06
Start date:	15/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff772470000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:57:07
Start date:	15/03/2024
Path:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -fetchurltofile https://ca001.backblaze.com/api/clientversion.xml "C:\Users\user\AppData\Local\Temp\bzt0315155706_0000002_6385_0005724.txt
Imagebase:	0x400000
File size:	4'460'080 bytes
MD5 hash:	B3442F00487BC454F45D31D3A95E5079
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:57:07
Start date:	15/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff772470000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:57:07
Start date:	15/03/2024
Path:	C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bztransmit.exe" -at_install_time_checkuser https://ca000.backblaze.com 626265633735623766393731
Imagebase:	0x400000
File size:	4'460'080 bytes
MD5 hash:	B3442F00487BC454F45D31D3A95E5079
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:57:07
Start date:	15/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff772470000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report install_backblaze_bbec75b7f971c02a0.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Backblaze\bzdata\bzlogs\bzdoinstall\bzdoinstall15.log

C:\ProgramData\Backblaze\bzdata\bzlogs\bztransmit\bztransmit15.log

C:\ProgramData\Backblaze\bzdata\bzreports\install_history.txt

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\InstallerConfig.xml

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\InstallerSkin.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\VC_redist.x86.exe

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\animated_cloud_win_120p.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\animated_cloud_win_120p_dm.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui.exe

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_animation-4x.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_animation-4x_dm.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_animation.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_interface.xml

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore-4x.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore-4x_dm.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore_arrow.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore_arrow_dm.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore_opt_app.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore_opt_app_dm.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore_opt_zip.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_restore_opt_zip_dm.gif

C:\Users\user\AppData\Local\Temp\bzi0315155659_0000001_7969dir\bzbui_skin_bg-4x.gif

Windows Analysis Report
install_backblaze_bbec75b7f971c02a0.exe