Edit tour

Windows Analysis Report
IEW113_2311a.exe

Overview

General Information

Sample name:	IEW113_2311a.exe
Analysis ID:	1540035
MD5:	1bb2447f9ae84781bcfa73eda1606d72
SHA1:	6c875dd5404a67ceb1d3aee207be4286cbd8dd93
SHA256:	45f839521bdf4ebfeb32d8dd17ea33133e3c7ae67c6859380bea02cf56cf30f6
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	49
Range:	0 - 100

Signatures

Creates files in the system32 config directory

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the driver directory

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Driver Install by pnputil.exe

Sigma detected: Suspicious Execution From GUID Like Folder Names

Stores files to the Windows start menu directory

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

IEW113_2311a.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\IEW113_2311a.exe" MD5: 1BB2447F9AE84781BCFA73EDA1606D72)

IEW113_2311a.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\IEW113_2311a.exe" -run {192AB307-8DDD-45B1-BC93-D10838BCC13F} 0|Yes|No|C:\Windows\System32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi MD5: 1BB2447F9AE84781BCFA73EDA1606D72)

msiexec.exe (PID: 7440 cmdline: "C:\Windows\System32\msiexec.exe" /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7536 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7580 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 87308A77B4DC65560968A93A1904E71A C MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7824 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 026172C647FCA3CC45C109DD1CF65201 MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7860 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 1F622DA67DE9472AD76099B184CCC342 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7944 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 41D4778385EEC697935AEB0EB737BBE8 E Global\MSI0000 MD5: E5DA170027542E25EDE42FC54C929077)

cmd.exe (PID: 7980 cmdline: cmd /c pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

pnputil.exe (PID: 8044 cmdline: pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install MD5: DE03AC6962C0655E6F769F881295DE3F)

drvinst.exe (PID: 8120 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam_Driver.inf" "9" "40c79f59f" "000000000000015C" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Sony\Imaging Edge Webcam\Driver" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

rundll32.exe (PID: 8152 cmdline: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{94bae122-cba7-1d4a-abe9-55200fb5c9ba} Global\{f15111e6-e2a2-7143-bb08-c644d6dcff21} C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam_Driver.inf C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.cat MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Sigma Signatures

Sigma detected: Suspicious Driver Install by pnputil.exe

Source: Process started

Author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger: Data: Command: pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install, CommandLine: pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install, CommandLine|base64offset|contains: zn), Image: C:\Windows\System32\pnputil.exe, NewProcessName: C:\Windows\System32\pnputil.exe, OriginalFileName: C:\Windows\System32\pnputil.exe, ParentCommandLine: cmd /c pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7980, ParentProcessName: cmd.exe, ProcessCommandLine: pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install, ProcessId: 8044, ProcessName: pnputil.exe

Sigma detected: Suspicious Execution From GUID Like Folder Names

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\IEW113_2311a.exe" -run {192AB307-8DDD-45B1-BC93-D10838BCC13F} 0|Yes|No|C:\Windows\System32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi, CommandLine: "C:\Users\user\Desktop\IEW113_2311a.exe" -run {192AB307-8DDD-45B1-BC93-D10838BCC13F} 0|Yes|No|C:\Windows\System32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\IEW113_2311a.exe, NewProcessName: C:\Users\user\Desktop\IEW113_2311a.exe, OriginalFileName: C:\Users\user\Desktop\IEW113_2311a.exe, ParentCommandLine: "C:\Users\user\Desktop\IEW113_2311a.exe", ParentImage: C:\Users\user\Desktop\IEW113_2311a.exe, ParentProcessId: 7324, ParentProcessName: IEW113_2311a.exe, ProcessCommandLine: "C:\Users\user\Desktop\IEW113_2311a.exe" -run {192AB307-8DDD-45B1-BC93-D10838BCC13F} 0|Yes|No|C:\Windows\System32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi, ProcessId: 7408, ProcessName: IEW113_2311a.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Uses 32bit PE files

Source: IEW113_2311a.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates a directory in C:\Program Files

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\default.jpg	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\EULA.rtf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\Webcam.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\webcam_help.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\Driver	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\Driver\imagingedgewebcam.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam_Driver.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam_Driver.inf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\ImagingEdgeWebcamLauncher.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\License.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_USB.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\libusb-1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_WIA.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\LjCore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\mfc140u.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\mfcm140u.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\USBReset.exe	Jump to behavior

Creates license or readme file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\EULA.rtf			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\License.txt			Jump to behavior

PE / OLE file has a valid certificate

Source: IEW113_2311a.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: IEW113_2311a.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\uica.pdb source: SetupIEW.msi.0.dr, 3b1c81.msi.3.dr
Source:	Binary string: MFCM140U.amd64.pdb source: mfcm140u.dll.3.dr
Source:	Binary string: msvcp140.amd64.pdb source: msvcp140.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Installer\Installer\bin\x64\Release\IDCCustomProc\IDCCustomProc.pdb source: SetupIEW.msi.0.dr, MSI239A.tmp.3.dr, MSI1F71.tmp.3.dr, MSIF12C.tmp.2.dr, MSI1E56.tmp.3.dr, MSIF18A.tmp.2.dr, 3b1c81.msi.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\LjAdapter\Lja_PTP_WIA.pdb source: Lja_PTP_WIA.dll.3.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr
Source:	Binary string: msvcp140.amd64.pdbGCTL source: msvcp140.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\LjAdapter\Lja_PTP_WIA.pdb>*$GCTL source: Lja_PTP_WIA.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\obj\x64\Release\x64\Release\ImagingEdgeWebcamLauncher.pdb source: ImagingEdgeWebcamLauncher.exe.3.dr
Source:	Binary string: mfc140u.amd64.pdb source: mfc140u.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Installer\Installer\bin\x64\Release\IDCCustomProc\IDCCustomProc.pdbG5#GCTL source: SetupIEW.msi.0.dr, MSI239A.tmp.3.dr, MSI1F71.tmp.3.dr, MSIF12C.tmp.2.dr, MSI1E56.tmp.3.dr, MSIF18A.tmp.2.dr, 3b1c81.msi.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\Driver\ImagingEdgeWebcam.pdb source: pnputil.exe, 0000000B.00000002.4180572792.0000023325EA7000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1880800954.000001DD9B391000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1876395031.000001DD9AE6D000.00000004.00000020.00020000.00000000.sdmp, ImagingEdgeWebcam.dll.3.dr, SET27EC.tmp.13.dr, SET2618.tmp.11.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\LjAdapter\Lja_PTP_USB.pdb source: Lja_PTP_USB.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\Driver\ImagingEdgeWebcam_Driver.pdb source: pnputil.exe, 0000000B.00000002.4180572792.0000023325E2D000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000002.4180561913.000001DD9AEF0000.00000004.00000020.00020000.00000000.sdmp, ImagingEdgeWebcam_Driver.dll.3.dr, SET27FD.tmp.13.dr, SET2638.tmp.11.dr
Source:	Binary string: mfc140u.amd64.pdbGCTL source: mfc140u.dll.3.dr
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: vcruntime140.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\LjAdapter\Lja_PTP_USB.pdb?+#GCTL source: Lja_PTP_USB.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\LjCore.pdb source: LjCore.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\USBReset.pdb source: USBReset.exe.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\Webcam.pdb3.*GCTL source: Webcam.exe.3.dr
Source:	Binary string: PackmanExtractor.pdb source: IEW113_2311a.exe
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\Driver\ImagingEdgeWebcam.pdbee source: pnputil.exe, 0000000B.00000002.4180572792.0000023325EA7000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1880800954.000001DD9B391000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1876395031.000001DD9AE6D000.00000004.00000020.00020000.00000000.sdmp, ImagingEdgeWebcam.dll.3.dr, SET27EC.tmp.13.dr, SET2618.tmp.11.dr
Source:	Binary string: C:\Users\SDNA\Desktop\libusb\libusb\lib\Release\libusb-1.0.pdb source: libusb-1.0.dll.3.dr
Source:	Binary string: vcruntime140.amd64.pdb source: vcruntime140.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\Webcam.pdb source: Webcam.exe.3.dr

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D1B2C0 FindFirstFileW,FindClose,	0_2_00D1B2C0
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D1E890 GetSystemTime,SystemTimeToFileTime,FindFirstFileW,FindNextFileW,FindClose,GetLastError,	0_2_00D1E890
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D15BD0 FindFirstFileW,CompareStringW,FindNextFileW,GetLastError,FindClose,CompareStringW,	0_2_00D15BD0
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D1B350 _wcsrchr,FindFirstFileW,DeleteFileW,GetLastError,GetFileAttributesW,SetFileAttributesW,DeleteFileW,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,	0_2_00D1B350
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D24350 _wcsrchr,FindFirstFileW,FindNextFileW,GetLastError,	0_2_00D24350

Networking

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown	DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 56.163.245.4.in-addr.arpa replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 56.163.245.4.in-addr.arpa

Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rundll32.exe, 0000000E.00000002.4181972577.00000221F9679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0DO
Source: IEW113_2311a.exe, libusb-1.0.dll.3.dr, SetupIEW.msi.0.dr, SET25F7.tmp.11.dr, ImagingEdgeWebcam_Driver.dll.3.dr, ImagingEdgeWebcam.dll.3.dr, imagingedgewebcam.cat.3.dr, SET27EC.tmp.13.dr, ImagingEdgeWebcamLauncher.exe.3.dr, Webcam.exe.3.dr, Lja_PTP_USB.dll.3.dr, SET27DC.tmp.13.dr, SET2618.tmp.11.dr, Lja_PTP_WIA.dll.3.dr, 3b1c81.msi.3.dr, USBReset.exe.3.dr, SET27FD.tmp.13.dr, SET2638.tmp.11.dr, LjCore.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: drvinst.exe, 0000000D.00000003.1881142044.000001DD9AEA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: IEW113_2311a.exe, libusb-1.0.dll.3.dr, SetupIEW.msi.0.dr, SET25F7.tmp.11.dr, ImagingEdgeWebcam_Driver.dll.3.dr, ImagingEdgeWebcam.dll.3.dr, imagingedgewebcam.cat.3.dr, SET27EC.tmp.13.dr, ImagingEdgeWebcamLauncher.exe.3.dr, Webcam.exe.3.dr, Lja_PTP_USB.dll.3.dr, SET27DC.tmp.13.dr, SET2618.tmp.11.dr, Lja_PTP_WIA.dll.3.dr, 3b1c81.msi.3.dr, USBReset.exe.3.dr, SET27FD.tmp.13.dr, SET2638.tmp.11.dr, LjCore.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: IEW113_2311a.exe, libusb-1.0.dll.3.dr, SetupIEW.msi.0.dr, SET25F7.tmp.11.dr, ImagingEdgeWebcam_Driver.dll.3.dr, ImagingEdgeWebcam.dll.3.dr, imagingedgewebcam.cat.3.dr, SET27EC.tmp.13.dr, ImagingEdgeWebcamLauncher.exe.3.dr, Webcam.exe.3.dr, Lja_PTP_USB.dll.3.dr, SET27DC.tmp.13.dr, SET2618.tmp.11.dr, Lja_PTP_WIA.dll.3.dr, 3b1c81.msi.3.dr, USBReset.exe.3.dr, SET27FD.tmp.13.dr, SET2638.tmp.11.dr, LjCore.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: IEW113_2311a.exe, libusb-1.0.dll.3.dr, SetupIEW.msi.0.dr, SET25F7.tmp.11.dr, ImagingEdgeWebcam_Driver.dll.3.dr, ImagingEdgeWebcam.dll.3.dr, imagingedgewebcam.cat.3.dr, SET27EC.tmp.13.dr, ImagingEdgeWebcamLauncher.exe.3.dr, Webcam.exe.3.dr, Lja_PTP_USB.dll.3.dr, SET27DC.tmp.13.dr, SET2618.tmp.11.dr, Lja_PTP_WIA.dll.3.dr, 3b1c81.msi.3.dr, USBReset.exe.3.dr, SET27FD.tmp.13.dr, SET2638.tmp.11.dr, LjCore.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: drvinst.exe, 0000000D.00000003.1877018608.000001DD9AE6A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1876427804.000001DD9AE6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCer
Source: IEW113_2311a.exe, libusb-1.0.dll.3.dr, SetupIEW.msi.0.dr, SET25F7.tmp.11.dr, ImagingEdgeWebcam_Driver.dll.3.dr, ImagingEdgeWebcam.dll.3.dr, imagingedgewebcam.cat.3.dr, SET27EC.tmp.13.dr, ImagingEdgeWebcamLauncher.exe.3.dr, Webcam.exe.3.dr, Lja_PTP_USB.dll.3.dr, SET27DC.tmp.13.dr, SET2618.tmp.11.dr, Lja_PTP_WIA.dll.3.dr, 3b1c81.msi.3.dr, USBReset.exe.3.dr, SET27FD.tmp.13.dr, SET2638.tmp.11.dr, LjCore.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: IEW113_2311a.exe, libusb-1.0.dll.3.dr, SetupIEW.msi.0.dr, SET25F7.tmp.11.dr, ImagingEdgeWebcam_Driver.dll.3.dr, ImagingEdgeWebcam.dll.3.dr, imagingedgewebcam.cat.3.dr, SET27EC.tmp.13.dr, ImagingEdgeWebcamLauncher.exe.3.dr, Webcam.exe.3.dr, Lja_PTP_USB.dll.3.dr, SET27DC.tmp.13.dr, SET2618.tmp.11.dr, Lja_PTP_WIA.dll.3.dr, 3b1c81.msi.3.dr, USBReset.exe.3.dr, SET27FD.tmp.13.dr, SET2638.tmp.11.dr, LjCore.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: drvinst.exe, 0000000D.00000003.1881142044.000001DD9AEA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlhttp://crl4.digicert.co
Source: drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.4180898661.00000221F9467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1876395031.000001DD9AE6D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1882608934.00000221F943D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.4180898661.00000221F9425000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.4180898661.00000221F9467000.00000004.00000020.00020000.00000000.sdmp, IEW113_2311a.exe, libusb-1.0.dll.3.dr, SetupIEW.msi.0.dr, SET25F7.tmp.11.dr, ImagingEdgeWebcam_Driver.dll.3.dr, ImagingEdgeWebcam.dll.3.dr, imagingedgewebcam.cat.3.dr, SET27EC.tmp.13.dr, ImagingEdgeWebcamLauncher.exe.3.dr, Webcam.exe.3.dr, Lja_PTP_USB.dll.3.dr, SET27DC.tmp.13.dr, SET2618.tmp.11.dr, Lja_PTP_WIA.dll.3.dr, 3b1c81.msi.3.dr, USBReset.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl:
Source: drvinst.exe, 0000000D.00000002.4180561913.000001DD9AE93000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1881142044.000001DD9AEA6000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crlB
Source: rundll32.exe, 0000000E.00000002.4180898661.00000221F93F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crlE4
Source: drvinst.exe, 0000000D.00000002.4180561913.000001DD9AE93000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1881142044.000001DD9AEA6000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crlH
Source: drvinst.exe, 0000000D.00000003.1881142044.000001DD9AEA6000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crlV
Source: drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crln
Source: drvinst.exe, 0000000D.00000003.1881142044.000001DD9AEA6000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crlt
Source: drvinst.exe, 0000000D.00000002.4180561913.000001DD9AE93000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1881142044.000001DD9AEA6000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: LjCore.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: drvinst.exe, 0000000D.00000002.4180561913.000001DD9AE93000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1881142044.000001DD9AEA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl9
Source: drvinst.exe, 0000000D.00000002.4180561913.000001DD9AE93000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1881142044.000001DD9AEA6000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlH
Source: drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlq
Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: drvinst.exe, 0000000D.00000002.4180561913.000001DD9AE93000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1881142044.000001DD9AEA6000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: IEW113_2311a.exe, libusb-1.0.dll.3.dr, SetupIEW.msi.0.dr, SET25F7.tmp.11.dr, ImagingEdgeWebcam_Driver.dll.3.dr, ImagingEdgeWebcam.dll.3.dr, imagingedgewebcam.cat.3.dr, SET27EC.tmp.13.dr, ImagingEdgeWebcamLauncher.exe.3.dr, Webcam.exe.3.dr, Lja_PTP_USB.dll.3.dr, SET27DC.tmp.13.dr, SET2618.tmp.11.dr, Lja_PTP_WIA.dll.3.dr, 3b1c81.msi.3.dr, USBReset.exe.3.dr, SET27FD.tmp.13.dr, SET2638.tmp.11.dr, LjCore.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: libusb-1.0.dll.3.dr	String found in binary or memory: http://libusb.info
Source: libusb-1.0.dll.3.dr	String found in binary or memory: http://libusb.infoneed
Source: drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: drvinst.exe, 0000000D.00000003.1881142044.000001DD9AEA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
Source: drvinst.exe, 0000000D.00000003.1881142044.000001DD9AEA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: IEW113_2311a.exe, libusb-1.0.dll.3.dr, SetupIEW.msi.0.dr, SET25F7.tmp.11.dr, ImagingEdgeWebcam_Driver.dll.3.dr, ImagingEdgeWebcam.dll.3.dr, imagingedgewebcam.cat.3.dr, SET27EC.tmp.13.dr, ImagingEdgeWebcamLauncher.exe.3.dr, Webcam.exe.3.dr, Lja_PTP_USB.dll.3.dr, SET27DC.tmp.13.dr, SET2618.tmp.11.dr, Lja_PTP_WIA.dll.3.dr, 3b1c81.msi.3.dr, USBReset.exe.3.dr, SET27FD.tmp.13.dr, SET2638.tmp.11.dr, LjCore.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: IEW113_2311a.exe, libusb-1.0.dll.3.dr, SetupIEW.msi.0.dr, SET25F7.tmp.11.dr, ImagingEdgeWebcam_Driver.dll.3.dr, ImagingEdgeWebcam.dll.3.dr, imagingedgewebcam.cat.3.dr, SET27EC.tmp.13.dr, ImagingEdgeWebcamLauncher.exe.3.dr, Webcam.exe.3.dr, Lja_PTP_USB.dll.3.dr, SET27DC.tmp.13.dr, SET2618.tmp.11.dr, Lja_PTP_WIA.dll.3.dr, 3b1c81.msi.3.dr, USBReset.exe.3.dr, SET27FD.tmp.13.dr, SET2638.tmp.11.dr, LjCore.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: IEW113_2311a.exe, libusb-1.0.dll.3.dr, MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, SET25F7.tmp.11.dr, ImagingEdgeWebcam_Driver.dll.3.dr, ImagingEdgeWebcam.dll.3.dr, imagingedgewebcam.cat.3.dr, SET27EC.tmp.13.dr, ImagingEdgeWebcamLauncher.exe.3.dr, Webcam.exe.3.dr, Lja_PTP_USB.dll.3.dr, MSI1F71.tmp.3.dr, SET27DC.tmp.13.dr, SET2618.tmp.11.dr, Lja_PTP_WIA.dll.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr, USBReset.exe.3.dr, SET27FD.tmp.13.dr, SET2638.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: IEW113_2311a.exe, libusb-1.0.dll.3.dr, SetupIEW.msi.0.dr, SET25F7.tmp.11.dr, ImagingEdgeWebcam_Driver.dll.3.dr, ImagingEdgeWebcam.dll.3.dr, imagingedgewebcam.cat.3.dr, SET27EC.tmp.13.dr, ImagingEdgeWebcamLauncher.exe.3.dr, Webcam.exe.3.dr, Lja_PTP_USB.dll.3.dr, SET27DC.tmp.13.dr, SET2618.tmp.11.dr, Lja_PTP_WIA.dll.3.dr, 3b1c81.msi.3.dr, USBReset.exe.3.dr, SET27FD.tmp.13.dr, SET2638.tmp.11.dr, LjCore.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: drvinst.exe, 0000000D.00000002.4180561913.000001DD9AE93000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1881142044.000001DD9AEA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
Source: drvinst.exe, 0000000D.00000003.1879279442.000001DD9AEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comB
Source: drvinst.exe, 0000000D.00000003.1881142044.000001DD9AEA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digice
Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: http://wixtoolset.org
Source: IEW113_2311a.exe, libusb-1.0.dll.3.dr, SetupIEW.msi.0.dr, SET25F7.tmp.11.dr, ImagingEdgeWebcam_Driver.dll.3.dr, ImagingEdgeWebcam.dll.3.dr, imagingedgewebcam.cat.3.dr, SET27EC.tmp.13.dr, ImagingEdgeWebcamLauncher.exe.3.dr, Webcam.exe.3.dr, Lja_PTP_USB.dll.3.dr, SET27DC.tmp.13.dr, SET2618.tmp.11.dr, Lja_PTP_WIA.dll.3.dr, 3b1c81.msi.3.dr, USBReset.exe.3.dr, SET27FD.tmp.13.dr, SET2638.tmp.11.dr, LjCore.dll.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: libusb-1.0.dll.3.dr	String found in binary or memory: http://www.gnu.org/licenses/lgpl-2.1.htmlF
Source: License.txt.3.dr	String found in binary or memory: https://github.com/microsoft/Windows-driver-samples)
Source: SetupIEW.msi.0.dr, 3b1c81.msi.3.dr	String found in binary or memory: https://oss.sony.net/Products/Linux/
Source: MSI1F71.tmp.3.dr	String found in binary or memory: https://support.d-imaging.sony.co.jp/app/webcam/l/instruction/index.php
Source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	String found in binary or memory: https://www.digicert.com/CPS0

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\System32\pnputil.exe	File created: C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET25F7.tmp	Jump to dropped file
Source: C:\Windows\System32\pnputil.exe	File created: C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam.cat (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27DC.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.cat (copy)	Jump to dropped file

System Summary

Creates files inside the driver directory

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}

Jump to behavior

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3b1c81.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1E56.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1EC5.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{77F8518A-144A-4DB2-80EB-C544B68375EE}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1F71.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1F92.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI239A.tmp	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\INF\c_camera.PNF	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI1E56.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D2A360	0_2_00D2A360
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D15480	0_2_00D15480
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D20AC0	0_2_00D20AC0
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D35070	0_2_00D35070
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D3A172	0_2_00D3A172
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D3E27B	0_2_00D3E27B
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D2BED0	0_2_00D2BED0
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D32EAF	0_2_00D32EAF

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: String function: 00D42480 appears 39 times

Sample file is different than original file name gathered from version info

Source: IEW113_2311a.exe, 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePackmanExtractor.exe. vs IEW113_2311a.exe
Source: IEW113_2311a.exe, 00000001.00000002.4180804615.0000000000D57000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePackmanExtractor.exe. vs IEW113_2311a.exe
Source: IEW113_2311a.exe	Binary or memory string: OriginalFilenamePackmanExtractor.exe. vs IEW113_2311a.exe

Uses 32bit PE files

Source: IEW113_2311a.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus24.evad.winEXE@22/71@2/0

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D1A830 GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceExW,GetModuleFileNameW,

0_2_00D1A830

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D2BED0 ResetEvent,WaitForMultipleObjects,ResetEvent,CreateToolhelp32Snapshot,GetLastError,WaitForMultipleObjects,ResetEvent,WaitForSingleObject,Process32FirstW,Process32NextW,CloseHandle,__dtol3,__dtol3,EnterCriticalSection,CloseHandle,LeaveCriticalSection,WaitForMultipleObjects,EnterCriticalSection,LeaveCriticalSection,WaitForMultipleObjects,WaitForMultipleObjects,WaitForMultipleObjects,ResetEvent,EnterCriticalSection,LeaveCriticalSection,SetEvent,ResetEvent,ResetEvent,CloseHandle,

0_2_00D2BED0

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D21BF0 GetWindowLongW,SetWindowLongW,SetWindowLongW,SetWindowLongW,SetWindowPos,GetSystemMenu,EnableMenuItem,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,LoadImageW,LoadImageW,LoadImageW,SendMessageW,SendMessageW,SendMessageW,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetDlgItem,GetDlgItem,IsWindow,SendMessageW,SendMessageW,CoCreateInstance,KiUserCallbackDispatcher,SetTimer,ShowWindow,SetForegroundWindow,ResetEvent,

0_2_00D21BF0

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D235D0 CreateCompatibleDC,EnumFontFamiliesExW,DeleteDC,FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GlobalFree,GlobalUnlock,GlobalUnlock,

0_2_00D235D0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\Sony

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03

Source: C:\Users\user\Desktop\IEW113_2311a.exe

File created: C:\Users\user\AppData\Local\Temp\SPackTool

Jump to behavior

Source: IEW113_2311a.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\IEW113_2311a.exe

File read: C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Support\Settings.ini

Jump to behavior

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{94bae122-cba7-1d4a-abe9-55200fb5c9ba} Global\{f15111e6-e2a2-7143-bb08-c644d6dcff21} C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam_Driver.inf C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.cat

Source: C:\Users\user\Desktop\IEW113_2311a.exe

File read: C:\Users\user\Desktop\IEW113_2311a.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IEW113_2311a.exe "C:\Users\user\Desktop\IEW113_2311a.exe"
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Process created: C:\Users\user\Desktop\IEW113_2311a.exe "C:\Users\user\Desktop\IEW113_2311a.exe" -run {192AB307-8DDD-45B1-BC93-D10838BCC13F} 0\|Yes\|No\|C:\Windows\System32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 87308A77B4DC65560968A93A1904E71A C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 026172C647FCA3CC45C109DD1CF65201
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1F622DA67DE9472AD76099B184CCC342
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 41D4778385EEC697935AEB0EB737BBE8 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\cmd.exe cmd /c pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\pnputil.exe pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam_Driver.inf" "9" "40c79f59f" "000000000000015C" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Sony\Imaging Edge Webcam\Driver"
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{94bae122-cba7-1d4a-abe9-55200fb5c9ba} Global\{f15111e6-e2a2-7143-bb08-c644d6dcff21} C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam_Driver.inf C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.cat
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Process created: C:\Users\user\Desktop\IEW113_2311a.exe "C:\Users\user\Desktop\IEW113_2311a.exe" -run {192AB307-8DDD-45B1-BC93-D10838BCC13F} 0\|Yes\|No\|C:\Windows\System32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 87308A77B4DC65560968A93A1904E71A C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 026172C647FCA3CC45C109DD1CF65201	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1F622DA67DE9472AD76099B184CCC342	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 41D4778385EEC697935AEB0EB737BBE8 E Global\MSI0000	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\cmd.exe cmd /c pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\pnputil.exe pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{94bae122-cba7-1d4a-abe9-55200fb5c9ba} Global\{f15111e6-e2a2-7143-bb08-c644d6dcff21} C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam_Driver.inf C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.cat	Jump to behavior

Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\pnputil.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\pnputil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\pnputil.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Windows\System32\pnputil.exe	Section loaded: drvsetup.dll	Jump to behavior
Source: C:\Windows\System32\pnputil.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\pnputil.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: pnpui.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\IEW113_2311a.exe

File written: C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Support\Settings.ini

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Windows\System32\msiexec.exe	Automated click: Next
Source: C:\Windows\System32\msiexec.exe	Automated click: Agree
Source: C:\Windows\System32\msiexec.exe	Automated click: Next
Source: C:\Windows\System32\msiexec.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Windows\System32\rundll32.exe	Automated click: Install

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Creates a directory in C:\Program Files

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\default.jpg	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\EULA.rtf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\Webcam.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\webcam_help.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\Driver	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\Driver\imagingedgewebcam.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam_Driver.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam_Driver.inf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\ImagingEdgeWebcamLauncher.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\License.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_USB.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\libusb-1.0.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_WIA.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\LjCore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\mfc140u.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\mfcm140u.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Sony\Imaging Edge Webcam\USBReset.exe	Jump to behavior

PE / OLE file has a valid certificate

Source: IEW113_2311a.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: IEW113_2311a.exe

Static file information: File size 5302512 > 1048576

PE file contains a mix of data directories often seen in goodware

Source: IEW113_2311a.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: IEW113_2311a.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: IEW113_2311a.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: IEW113_2311a.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: IEW113_2311a.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: IEW113_2311a.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: IEW113_2311a.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: IEW113_2311a.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\uica.pdb source: SetupIEW.msi.0.dr, 3b1c81.msi.3.dr
Source:	Binary string: MFCM140U.amd64.pdb source: mfcm140u.dll.3.dr
Source:	Binary string: msvcp140.amd64.pdb source: msvcp140.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Installer\Installer\bin\x64\Release\IDCCustomProc\IDCCustomProc.pdb source: SetupIEW.msi.0.dr, MSI239A.tmp.3.dr, MSI1F71.tmp.3.dr, MSIF12C.tmp.2.dr, MSI1E56.tmp.3.dr, MSIF18A.tmp.2.dr, 3b1c81.msi.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\LjAdapter\Lja_PTP_WIA.pdb source: Lja_PTP_WIA.dll.3.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr
Source:	Binary string: msvcp140.amd64.pdbGCTL source: msvcp140.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\LjAdapter\Lja_PTP_WIA.pdb>*$GCTL source: Lja_PTP_WIA.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\obj\x64\Release\x64\Release\ImagingEdgeWebcamLauncher.pdb source: ImagingEdgeWebcamLauncher.exe.3.dr
Source:	Binary string: mfc140u.amd64.pdb source: mfc140u.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Installer\Installer\bin\x64\Release\IDCCustomProc\IDCCustomProc.pdbG5#GCTL source: SetupIEW.msi.0.dr, MSI239A.tmp.3.dr, MSI1F71.tmp.3.dr, MSIF12C.tmp.2.dr, MSI1E56.tmp.3.dr, MSIF18A.tmp.2.dr, 3b1c81.msi.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\Driver\ImagingEdgeWebcam.pdb source: pnputil.exe, 0000000B.00000002.4180572792.0000023325EA7000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1880800954.000001DD9B391000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1876395031.000001DD9AE6D000.00000004.00000020.00020000.00000000.sdmp, ImagingEdgeWebcam.dll.3.dr, SET27EC.tmp.13.dr, SET2618.tmp.11.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\LjAdapter\Lja_PTP_USB.pdb source: Lja_PTP_USB.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\Driver\ImagingEdgeWebcam_Driver.pdb source: pnputil.exe, 0000000B.00000002.4180572792.0000023325E2D000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000002.4180561913.000001DD9AEF0000.00000004.00000020.00020000.00000000.sdmp, ImagingEdgeWebcam_Driver.dll.3.dr, SET27FD.tmp.13.dr, SET2638.tmp.11.dr
Source:	Binary string: mfc140u.amd64.pdbGCTL source: mfc140u.dll.3.dr
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: vcruntime140.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\LjAdapter\Lja_PTP_USB.pdb?+#GCTL source: Lja_PTP_USB.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\LjCore.pdb source: LjCore.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\USBReset.pdb source: USBReset.exe.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\Webcam.pdb3.*GCTL source: Webcam.exe.3.dr
Source:	Binary string: PackmanExtractor.pdb source: IEW113_2311a.exe
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\Driver\ImagingEdgeWebcam.pdbee source: pnputil.exe, 0000000B.00000002.4180572792.0000023325EA7000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1880800954.000001DD9B391000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000D.00000003.1876395031.000001DD9AE6D000.00000004.00000020.00020000.00000000.sdmp, ImagingEdgeWebcam.dll.3.dr, SET27EC.tmp.13.dr, SET2618.tmp.11.dr
Source:	Binary string: C:\Users\SDNA\Desktop\libusb\libusb\lib\Release\libusb-1.0.pdb source: libusb-1.0.dll.3.dr
Source:	Binary string: vcruntime140.amd64.pdb source: vcruntime140.dll.3.dr
Source:	Binary string: D:\ohshima\sony\iew\IEW_win\Application\bin\x64\Release\App\Webcam.pdb source: Webcam.exe.3.dr

PE file contains a valid data directory to section mapping

Source: IEW113_2311a.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: IEW113_2311a.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: IEW113_2311a.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: IEW113_2311a.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: IEW113_2311a.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Binary contains a suspicious time stamp

Source: ImagingEdgeWebcamLauncher.exe.3.dr

Static PE information: 0xE7A7E0D0 [Fri Feb 27 02:09:20 2093 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D11120 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,

0_2_00D11120

PE file contains sections with non-standard names

Source: ImagingEdgeWebcam.dll.3.dr	Static PE information: section name: _RDATA
Source: ImagingEdgeWebcam_Driver.dll.3.dr	Static PE information: section name: _RDATA
Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: mfc140u.dll.3.dr	Static PE information: section name: .didat
Source: mfcm140u.dll.3.dr	Static PE information: section name: .nep
Source: SET2618.tmp.11.dr	Static PE information: section name: _RDATA
Source: SET2638.tmp.11.dr	Static PE information: section name: _RDATA
Source: SET27EC.tmp.13.dr	Static PE information: section name: _RDATA
Source: SET27FD.tmp.13.dr	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D424C6 push ecx; ret

0_2_00D424D9

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	Jump to behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_USB.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\LjCore.dll	Jump to dropped file
Source: C:\Windows\System32\pnputil.exe	File created: C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET2638.tmp	Jump to dropped file
Source: C:\Windows\System32\pnputil.exe	File created: C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam_Driver.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\pnputil.exe	File created: C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\pnputil.exe	File created: C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET2618.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF12C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\USBReset.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF18A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\libusb-1.0.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27FD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_WIA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI239A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam_Driver.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\ImagingEdgeWebcamLauncher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam_Driver.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1E56.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1F92.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\mfcm140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\Webcam.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1EC5.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27EC.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI239A.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam_Driver.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1E56.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1F92.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1EC5.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27EC.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27FD.tmp	Jump to dropped file

Creates license or readme file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\EULA.rtf			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Sony\Imaging Edge Webcam\License.txt			Jump to behavior

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Imaging Edge Webcam

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D20AC0 KiUserCallbackDispatcher,ShowWindow,IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetModuleHandleW,GetProcAddress,GetCommandLineW,SetEvent,SetWindowTextW,SetDlgItemTextW,SetDlgItemTextW,SendMessageW,KillTimer,IsWindow,KiUserCallbackDispatcher,GetSystemMenu,EnableMenuItem,SetDlgItemTextW,ShowWindow,ShowWindow,IsWindow,EnableWindow,GetSystemMenu,EnableMenuItem,SetDlgItemTextW,IsWindow,EnableWindow,GetSystemMenu,EnableMenuItem,SetDlgItemTextW,ShowWindow,SetEvent,

0_2_00D20AC0

Source: C:\Users\user\Desktop\IEW113_2311a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\pnputil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\pnputil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: IEW113_2311a.exe	Binary or memory string: UA0UALPK.DLLUSP10.DLLVERSION.DLLUSER32.DLLOLE32.DLLOLEAUT32.DLLMSVCRT.DLLSHLWAPI.DLLGDI32.DLLURLMON.DLLWININET.DLLIMAGEHLP.DLLWLDAP32.DLLCRYPT32.DLLIMM32.DLLCOMRES.DLLXPSP2RES.DLLWS2HELP.DLLCABINET.DLLSAMLIB.DLLUXTHEME.DLLMSCTF.DLLMSASN1.DLLCLBCATQ.DLLNETAPI32.DLLRSAENH.DLLAPPHELP.DLLMSXML3.DLLSETUPAPI.DLLMSCTFIME.IMEIMJP81.IMEIMJP81K.DLLIMJP9K.DLLIMJP10K.DLLIMJP12K.DLLIMJP14K.DLL..\IME\IMJP8_1\DICTS\IMJPCD.DICWINTRUST.DLLRICHED20.DLLCRYPTUI.DLLSHDOCVW.DLLMLANG.DLLWS2_32.DLLUSERENV.DLLPSAPI.DLLSENSAPI.DLLWINHTTP.DLLCRYPTNET.DLLWBEM\WBEMCOMN.DLLWBEM\WBEMPROX.DLLWBEM\WBEMSVC.DLLMSVCP60.DLLDNSAPI.DLLNTDSAPI.DLLHNETCFG.DLLWINMM.DLLRTUTILS.DLLTAPI32.DLLRASMAN.DLLRASAPI32.DLLWBEM\FASTPROX.DLLNTMARTA.DLLRASADHLP.DLLMPR.DLLCOMDLG32.DLLSHDOCLC.DLLCSCDLL.DLLBROWSEUI.DLLATL.DLLNTSHRUI.DLLLINKINFO.DLLDRPROV.DLLMYDOCS.DLLCSCUI.DLLNETRAP.DLLNETUI0.DLLNETUI1.DLLNTLANMAN.DLLDAVCLNT.DLLSHGINA.DLLODBCINT.DLLODBC32.DLLMSGINA.DLLWINSTA.DLLMSTASK.DLLWSOCK32.DLLWEBCHECK.DLLOCCACHE.DLLADSLDPC.DLLACTIVEDS.DLLTWEXT.DLLWIASHEXT.DLLBCRYPT.DLLNSI.DLLIME\SHARED\IMETIP.DLLIME\SHARED\IMECFM.DLLIME\IMEJP10\IMJPAPI.DLLIME\SHARED\IMJKAPI.DLLIME\SHARED\IMEAPIS.DLLIERTUTIL.DLLPROPSYS.DLLOLEACC.DLLIME\IMEJP10\IMJPTIP.DLLSLC.DLLGPAPI.DLLNCRYPT.DLLWINNSI.DLLDHCPCSVC6.DLLDHCPCSVC.DLLIPHLPAPI.DLLNORMALIZ.DLLWINDOWSCODECS.DLLDUSER.DLLXMLLITE.DLLCSCAPI.DLLPORTABLEDEVICEAPI.DLLWMASF.DLLNETWORKITEMFACTORY.DLLNPMPROXY.DLLACTXPRXY.DLLMSSPRXY.DLLNETWORKEXPLORER.DLLWPDSHEXT.DLLWMVCORE.DLLAUDIODEV.DLLFIREWALLAPI.DLLDTSH.DLLSXS.DLLEXPLORERFRAME.DLLIEFRAME.DLLDWMAPI.DLLCRYPTBASE.DLLCRYPTSP.DLLRPCRTREMOTE.DLLWBEMCOMN.DLLPROFAPI.DLLSSPICLI.DLLDUI70.DLLEXPLORERFRAME.DLLDEVOBJ.DLLCFGMGR32.DLLAUTHZ.DLLPEERDIST.DLLWEBIO.DLLSECUR32.DLLEHSTORSHELL.DLLNETUTILS.DLLMSXML6.DLLWKSCLI.DLLEHSTORAPI.DLLSRVCLI.DLLSAMCLI.DLLSEARCHFOLDER.DLLSTRUCTUREDQUERY.DLLMAPI32.DLLTQUERY.DLLDAVHLPR.DLLMSSVP.DLLAPI-MS-WIN-CORE-SYNCH-L1-2-0.DLLAPI-MS-WIN-CORE-FIBERS-L1-1-1.DLLAPI-MS-WIN-CORE-LOCALIZATION-L1-2-1.DLLAPI-MS-WIN-APPMODEL-RUNTIME-L1-1-1.DLLEXT-MS-WIN-KERNEL32-PACKAGE-CURRENT-L1-1-0.DLLIMAGERES.DLLMSFTE.DLLMSTRACER.DLLSETDEFAULTDLLDIRECTORIES
Source: IEW113_2311a.exe, 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmp, IEW113_2311a.exe, 00000000.00000000.1705523045.0000000000D47000.00000002.00000001.01000000.00000003.sdmp, IEW113_2311a.exe, 00000001.00000000.1729480468.0000000000D47000.00000002.00000001.01000000.00000003.sdmp, IEW113_2311a.exe, 00000001.00000002.4180630000.0000000000D47000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: LPK.DLLUSP10.DLLVERSION.DLLUSER32.DLLOLE32.DLLOLEAUT32.DLLMSVCRT.DLLSHLWAPI.DLLGDI32.DLLURLMON.DLLWININET.DLLIMAGEHLP.DLLWLDAP32.DLLCRYPT32.DLLIMM32.DLLCOMRES.DLLXPSP2RES.DLLWS2HELP.DLLCABINET.DLLSAMLIB.DLLUXTHEME.DLLMSCTF.DLLMSASN1.DLLCLBCATQ.DLLNETAPI32.DLLRSAENH.DLLAPPHELP.DLLMSXML3.DLLSETUPAPI.DLLMSCTFIME.IMEIMJP81.IMEIMJP81K.DLLIMJP9K.DLLIMJP10K.DLLIMJP12K.DLLIMJP14K.DLL..\IME\IMJP8_1\DICTS\IMJPCD.DICWINTRUST.DLLRICHED20.DLLCRYPTUI.DLLSHDOCVW.DLLMLANG.DLLWS2_32.DLLUSERENV.DLLPSAPI.DLLSENSAPI.DLLWINHTTP.DLLCRYPTNET.DLLWBEM\WBEMCOMN.DLLWBEM\WBEMPROX.DLLWBEM\WBEMSVC.DLLMSVCP60.DLLDNSAPI.DLLNTDSAPI.DLLHNETCFG.DLLWINMM.DLLRTUTILS.DLLTAPI32.DLLRASMAN.DLLRASAPI32.DLLWBEM\FASTPROX.DLLNTMARTA.DLLRASADHLP.DLLMPR.DLLCOMDLG32.DLLSHDOCLC.DLLCSCDLL.DLLBROWSEUI.DLLATL.DLLNTSHRUI.DLLLINKINFO.DLLDRPROV.DLLMYDOCS.DLLCSCUI.DLLNETRAP.DLLNETUI0.DLLNETUI1.DLLNTLANMAN.DLLDAVCLNT.DLLSHGINA.DLLODBCINT.DLLODBC32.DLLMSGINA.DLLWINSTA.DLLMSTASK.DLLWSOCK32.DLLWEBCHECK.DLLOCCACHE.DLLADSLDPC.DLLACTIVEDS.DLLTWEXT.DLLWIASHEXT.DLLBCRYPT.DLLNSI.DLLIME\SHARED\IMETIP.DLLIME\SHARED\IMECFM.DLLIME\IMEJP10\IMJPAPI.DLLIME\SHARED\IMJKAPI.DLLIME\SHARED\IMEAPIS.DLLIERTUTIL.DLLPROPSYS.DLLOLEACC.DLLIME\IMEJP10\IMJPTIP.DLLSLC.DLLGPAPI.DLLNCRYPT.DLLWINNSI.DLLDHCPCSVC6.DLLDHCPCSVC.DLLIPHLPAPI.DLLNORMALIZ.DLLWINDOWSCODECS.DLLDUSER.DLLXMLLITE.DLLCSCAPI.DLLPORTABLEDEVICEAPI.DLLWMASF.DLLNETWORKITEMFACTORY.DLLNPMPROXY.DLLACTXPRXY.DLLMSSPRXY.DLLNETWORKEXPLORER.DLLWPDSHEXT.DLLWMVCORE.DLLAUDIODEV.DLLFIREWALLAPI.DLLDTSH.DLLSXS.DLLEXPLORERFRAME.DLLIEFRAME.DLLDWMAPI.DLLCRYPTBASE.DLLCRYPTSP.DLLRPCRTREMOTE.DLLWBEMCOMN.DLLPROFAPI.DLLSSPICLI.DLLDUI70.DLLEXPLORERFRAME.DLLDEVOBJ.DLLCFGMGR32.DLLAUTHZ.DLLPEERDIST.DLLWEBIO.DLLSECUR32.DLLEHSTORSHELL.DLLNETUTILS.DLLMSXML6.DLLWKSCLI.DLLEHSTORAPI.DLLSRVCLI.DLLSAMCLI.DLLSEARCHFOLDER.DLLSTRUCTUREDQUERY.DLLMAPI32.DLLTQUERY.DLLDAVHLPR.DLLMSSVP.DLLAPI-MS-WIN-CORE-SYNCH-L1-2-0.DLLAPI-MS-WIN-CORE-FIBERS-L1-1-1.DLLAPI-MS-WIN-CORE-LOCALIZATION-L1-2-1.DLLAPI-MS-WIN-APPMODEL-RUNTIME-L1-1-1.DLLEXT-MS-WIN-KERNEL32-PACKAGE-CURRENT-L1-1-0.DLLIMAGERES.DLLMSFTE.DLLMSTRACER.DLLSETDEFAULTDLLDIRECTORIES

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_USB.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Sony\Imaging Edge Webcam\LjCore.dll	Jump to dropped file
Source: C:\Windows\System32\pnputil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET2638.tmp	Jump to dropped file
Source: C:\Windows\System32\pnputil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam_Driver.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\pnputil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\pnputil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET2618.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF12C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Sony\Imaging Edge Webcam\USBReset.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF18A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Sony\Imaging Edge Webcam\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\libusb-1.0.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27FD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_WIA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI239A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam_Driver.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Sony\Imaging Edge Webcam\ImagingEdgeWebcamLauncher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam_Driver.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1E56.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1F92.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Sony\Imaging Edge Webcam\mfcm140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Sony\Imaging Edge Webcam\Webcam.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC5.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27EC.tmp	Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-23399

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D1B2C0 FindFirstFileW,FindClose,	0_2_00D1B2C0
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D1E890 GetSystemTime,SystemTimeToFileTime,FindFirstFileW,FindNextFileW,FindClose,GetLastError,	0_2_00D1E890
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D15BD0 FindFirstFileW,CompareStringW,FindNextFileW,GetLastError,FindClose,CompareStringW,	0_2_00D15BD0
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D1B350 _wcsrchr,FindFirstFileW,DeleteFileW,GetLastError,GetFileAttributesW,SetFileAttributesW,DeleteFileW,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,	0_2_00D1B350
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D24350 _wcsrchr,FindFirstFileW,FindNextFileW,GetLastError,	0_2_00D24350

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D42E23 VirtualQuery,GetSystemInfo,

0_2_00D42E23

Source: setupapi.dev.log.11.dr	Binary or memory string: sig: Key = vmci.inf
Source: setupapi.dev.log.11.dr	Binary or memory string: dvs: {Driver Setup Import Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.178
Source: setupapi.dev.log.11.dr	Binary or memory string: idb: Activating driver package 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.11.dr	Binary or memory string: cpy: Published 'vmci.inf_amd64_68ed49469341f563\vmci.inf' to 'oem2.inf'.
Source: setupapi.dev.log.11.dr	Binary or memory string: inf: {Add Service: vmci}
Source: setupapi.dev.log.11.dr	Binary or memory string: inf: Created new service 'vmci'.
Source: setupapi.dev.log.11.dr	Binary or memory string: inf: Display Name = VMware VMCI Bus Driver
Source: setupapi.dev.log.11.dr	Binary or memory string: inf: Service Name = vmci
Source: setupapi.dev.log.11.dr	Binary or memory string: idb: {Publish Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.11.dr	Binary or memory string: idb: Indexed 4 device IDs for 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.11.dr	Binary or memory string: utl: Driver INF - oem2.inf (C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf)
Source: setupapi.dev.log.11.dr	Binary or memory string: sto: {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf}
Source: setupapi.dev.log.11.dr	Binary or memory string: sto: {Stage Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.634
Source: setupapi.dev.log.11.dr	Binary or memory string: sig: Installed catalog 'vmci.cat' as 'oem2.cat'.
Source: setupapi.dev.log.11.dr	Binary or memory string: cpy: Target Path = C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563
Source: setupapi.dev.log.11.dr	Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.inf' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf'.
Source: IEW113_2311a.exe, 00000000.00000002.4180646421.00000000007CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\iasQ
Source: setupapi.dev.log.11.dr	Binary or memory string: sig: FilePath = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf
Source: setupapi.dev.log.11.dr	Binary or memory string: inf: {Configure Driver Configuration: vmci.install.x64.NT}
Source: setupapi.dev.log.11.dr	Binary or memory string: idb: Created driver package object 'vmci.inf_amd64_68ed49469341f563' in SYSTEM database node.
Source: setupapi.dev.log.11.dr	Binary or memory string: inf: Image Path = System32\drivers\vmci.sys
Source: setupapi.dev.log.11.dr	Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.cat' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat'.
Source: setupapi.dev.log.11.dr	Binary or memory string: sig: Catalog = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat
Source: setupapi.dev.log.11.dr	Binary or memory string: inf: Section Name = vmci.install.x64.NT
Source: setupapi.dev.log.11.dr	Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.sys' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.sys'.
Source: setupapi.dev.log.11.dr	Binary or memory string: idb: Registered driver package 'vmci.inf_amd64_68ed49469341f563' with 'oem2.inf'.
Source: setupapi.dev.log.11.dr	Binary or memory string: inf: Driver package 'vmci.inf' is configurable.
Source: setupapi.dev.log.11.dr	Binary or memory string: inf: {Configure Driver: VMware VMCI Bus Device}
Source: setupapi.dev.log.11.dr	Binary or memory string: inf: {Query Configurability: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.636
Source: setupapi.dev.log.11.dr	Binary or memory string: sto: {Core Driver Package Import: vmci.inf_amd64_68ed49469341f563} 11:48:39.704
Source: setupapi.dev.log.11.dr	Binary or memory string: idb: {Register Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.11.dr	Binary or memory string: flq: Copying 'C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.sys' to 'C:\Windows\System32\drivers\vmci.sys'.

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D42292 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00D42292

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D11120 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,

0_2_00D11120

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D38357 mov eax, dword ptr fs:[00000030h]		0_2_00D38357
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D2E688 mov esi, dword ptr fs:[00000030h]		0_2_00D2E688

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D2E57D GetProcessHeap,HeapAlloc,InterlockedPopEntrySList,VirtualAlloc,RaiseException,InterlockedPopEntrySList,VirtualFree,InterlockedPushEntrySList,

0_2_00D2E57D

Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D42292 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D42292
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D42428 SetUnhandledExceptionFilter,	0_2_00D42428
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D41CAC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00D41CAC
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Code function: 0_2_00D2ED34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D2ED34

HIPS / PFW / Operating System Protection Evasion

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D1B740 CreateEventW,PathFindExtensionW,CompareStringW,CompareStringW,CompareStringW,GetModuleFileNameW,PostMessageW,ShellExecuteExW,GetProcessId,AllowSetForegroundWindow,WaitForInputIdle,AllowSetForegroundWindow,PostMessageW,WaitForMultipleObjects,SetEvent,GetLastError,GetExitCodeProcess,CloseHandle,GetLastError,PostMessageW,CloseHandle,

0_2_00D1B740

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\IEW113_2311a.exe	Process created: C:\Users\user\Desktop\IEW113_2311a.exe "C:\Users\user\Desktop\IEW113_2311a.exe" -run {192AB307-8DDD-45B1-BC93-D10838BCC13F} 0\|Yes\|No\|C:\Windows\System32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi	Jump to behavior
Source: C:\Users\user\Desktop\IEW113_2311a.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\pnputil.exe pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\imagingedgewebcam_driver.inf" "9" "40c79f59f" "000000000000015c" "winsta0\default" "0000000000000168" "208" "c:\program files\sony\imaging edge webcam\driver"
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe c:\windows\system32\pnpui.dll,installsecuritypromptrundllw 20 global\{94bae122-cba7-1d4a-abe9-55200fb5c9ba} global\{f15111e6-e2a2-7143-bb08-c644d6dcff21} c:\windows\system32\driverstore\temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\imagingedgewebcam_driver.inf c:\windows\system32\driverstore\temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\imagingedgewebcam.cat
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe c:\windows\system32\pnpui.dll,installsecuritypromptrundllw 20 global\{94bae122-cba7-1d4a-abe9-55200fb5c9ba} global\{f15111e6-e2a2-7143-bb08-c644d6dcff21} c:\windows\system32\driverstore\temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\imagingedgewebcam_driver.inf c:\windows\system32\driverstore\temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\imagingedgewebcam.cat	Jump to behavior

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D2A360 OpenEventW,GetCurrentProcessId,InitializeCriticalSectionAndSpinCount,GetLastError,CreateEventW,CreateEventW,CreateEventW,CreateEventW,GetModuleFileNameW,ResetEvent,GetLastError,GetLastError,GetLastError,ShellExecuteExW,GetLastError,GetProcAddress,FreeLibrary,GetProcessId,AllowSetForegroundWindow,WaitForInputIdle,AllowSetForegroundWindow,GetTickCount,WaitForMultipleObjects,GetExitCodeProcess,CloseHandle,WaitForSingleObject,WaitForSingleObject,SetEvent,WaitForSingleObject,GetTickCount,WaitForSingleObject,WaitForSingleObject,GetTickCount,SetEvent,SetEvent,SetEvent,SetEvent,SetEvent,SetEvent,WaitForSingleObject,TerminateThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteCriticalSection,GetModuleFileNameW,GetTimeFormatW,GetDateFormatW,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,GlobalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,LookupAccountSidW,GetLastError,FreeSid,GlobalFree,GetCurrentProcess,CloseHandle,CoInitializeEx,GetActiveWindow,SetLastError,GetCurrentProcess,FlushInstructionCache,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,GlobalLock,DialogBoxIndirectParamW,GlobalUnlock,GlobalFree,GlobalFree,

0_2_00D2A360

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D420FB cpuid

0_2_00D420FB

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: GetLocaleInfoW,GetLocaleInfoW,

0_2_00D27420

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D1E890 GetSystemTime,SystemTimeToFileTime,FindFirstFileW,FindNextFileW,FindClose,GetLastError,

0_2_00D1E890

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D15730 GetSecurityDescriptorDacl,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,GetUserNameW,LookupAccountNameW,GetAce,EqualSid,LocalFree,

0_2_00D15730

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D26160 GetVersionExW,GetModuleFileNameW,PathFileExistsW,

0_2_00D26160

Source: C:\Windows\System32\drvinst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\IEW113_2311a.exe

Code function: 0_2_00D12BA0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,

0_2_00D12BA0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	2 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	1 Timestomp	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	37 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	132 Masquerading	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IEW113_2311a.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam.dll	0%	ReversingLabs
C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam_Driver.dll	0%	ReversingLabs
C:\Program Files\Sony\Imaging Edge Webcam\ImagingEdgeWebcamLauncher.exe	0%	ReversingLabs
C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_USB.dll	0%	ReversingLabs
C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_WIA.dll	0%	ReversingLabs
C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\libusb-1.0.dll	0%	ReversingLabs
C:\Program Files\Sony\Imaging Edge Webcam\LjCore.dll	0%	ReversingLabs
C:\Program Files\Sony\Imaging Edge Webcam\USBReset.exe	0%	ReversingLabs
C:\Program Files\Sony\Imaging Edge Webcam\Webcam.exe	0%	ReversingLabs
C:\Program Files\Sony\Imaging Edge Webcam\mfc140u.dll	0%	ReversingLabs
C:\Program Files\Sony\Imaging Edge Webcam\mfcm140u.dll	0%	ReversingLabs
C:\Program Files\Sony\Imaging Edge Webcam\msvcp140.dll	0%	ReversingLabs
C:\Program Files\Sony\Imaging Edge Webcam\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF12C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF18A.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam_Driver.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET2618.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET2638.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1E56.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1EC5.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1F92.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI239A.tmp	0%	ReversingLabs
C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.dll (copy)	0%	ReversingLabs
C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam_Driver.dll (copy)	0%	ReversingLabs
C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27EC.tmp	0%	ReversingLabs
C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27FD.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
56.163.245.4.in-addr.arpa	unknown	unknown	false		unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://libusb.infoneed	libusb-1.0.dll.3.dr	false	unknown
http://wixtoolset.org	MSI1F92.tmp.3.dr, SetupIEW.msi.0.dr, MSI1F71.tmp.3.dr, MSI1EC5.tmp.3.dr, 3b1c81.msi.3.dr	false	unknown
https://github.com/microsoft/Windows-driver-samples)	License.txt.3.dr	false	unknown
http://www.gnu.org/licenses/lgpl-2.1.htmlF	libusb-1.0.dll.3.dr	false	unknown
https://oss.sony.net/Products/Linux/	SetupIEW.msi.0.dr, 3b1c81.msi.3.dr	false	unknown
http://libusb.info	libusb-1.0.dll.3.dr	false	unknown
https://support.d-imaging.sony.co.jp/app/webcam/l/instruction/index.php	MSI1F71.tmp.3.dr	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540035
Start date and time:	2024-10-23 11:19:38 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IEW113_2311a.exe
Detection:	SUS
Classification:	sus24.evad.winEXE@22/71@2/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 64 Number of non-executed functions: 67
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: IEW113_2311a.exe

Simulations

Behavior and APIs

Time	Type	Description
05:20:33	API Interceptor	1x Sleep call for process: IEW113_2311a.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Config.Msi\3b1c82.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	9567
Entropy (8bit):	5.204644986861534
Encrypted:	false
SSDEEP:	192:8dpx/ed1sgyi3yc5BFW29i9kk/YxGEdl9gt2/gnpMFpWF6yeEB3hTlc0Ai0mm2bq:8Tx/eDsti3yc5BFW29i9kk/YxGEdl9gK
MD5:	B4641DC0A8F04443529CE1C4F22C7139
SHA1:	3DE35BA8620926F7B3AD603A75735C3042CB89D0
SHA-256:	1464D2B0435A67CB4DCF09B161AEFF674CA25928867EF06524BF73A461C37AFC
SHA-512:	4DE26AE0B573FE35152A468DDF82E9C9DE050C29F89D25D1BDF84F1F7AE0EE99CD5CFE7A68D03937C6F9906B71C799BD875EB4EBC5CDE2BB0349C4C4EE6A279E
Malicious:	false
Preview:	...@IXOS.@.....@.*WY.@.....@.....@.....@.....@.....@......&.{77F8518A-144A-4DB2-80EB-C544B68375EE}..Imaging Edge Webcam..SetupIEW.msi.@.....@.....@.....@......IEAppIcon..&.{C2734D1F-96B7-436D-B504-71D79D323D6F}.....@.....@.....@.....@.......@.....@.....@.......@......Imaging Edge Webcam......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{4C93B565-41C9-48B2-B862-116FEF58ECC1}&.{77F8518A-144A-4DB2-80EB-C544B68375EE}.@......&.{54C6D863-4FC1-4FE5-A9B7-46A720CCF24A}&.{77F8518A-144A-4DB2-80EB-C544B68375EE}.@......&.{D53B1643-8E2E-447D-B669-61B1D8B43CD8}&.{77F8518A-144A-4DB2-80EB-C544B68375EE}.@......&.{4BD875C8-7141-4C72-A4DD-A0672A296295}&.{77F8518A-144A-4DB2-80EB-C544B68375EE}.@......&.{05F329B1-BCBC-4B95-8ABA-74790F785F23}&.{77F8518A-144A-4DB2-80EB-C544B68375EE}.@......&.{EE2D374F-C492-4D73-8F30-588B5766D92F}&.{77F8518A-144A-4DB2-80EB-C544B68375EE}.@......&.{5E02ED23-7EC9-41BE-BA69-1BB8068DB5

C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	269832
Entropy (8bit):	6.601133670257957
Encrypted:	false
SSDEEP:	3072:N/HJDlyWARYazWLkQc3UUMGag32TwVVzJ2F2aFPjVCTxnIko7sU2Cp135qTCm:N/JlyKkQcThCwVVzfaFPY7Kn2CpCum
MD5:	D54CE0AC27BFB7E5854BF0F3F2141987
SHA1:	76F987FA9DA987D330C0F50327D2C7E88B2073A7
SHA-256:	5ACAF60D46D5E456AD8B414467D9C66DE3C41CDAE4E136902F3F1B61DCBBEB5B
SHA-512:	B1D31B706F44CB5E5795DA442BEB5D53F2475390827AA32B322D0A160B82858EBEA0AA69970EF7DA59FD00ABE14AABA77AEB83AA11EDE00CDD0A3D3CDA9DB344
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................y....u.......u.......uk......u......Rich............PE..d...o..e.........." ...%............ ........................................`............`A...........................................t...T........@...................(...P...... H..p............................F..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....0......."..................@....pdata..............................@..@_RDATA.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................

C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam_Driver.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36368
Entropy (8bit):	6.435140914980148
Encrypted:	false
SSDEEP:	768:mgfeLgDor29cA10SlHRxtqEpYinAMxUrd4/W:mgY29cAqsL7HxUrd4+
MD5:	0624BDCA7C1E1BF264234BE33FD12FF4
SHA1:	F458D3E7300724EE88D21475B1E6A02E85FE2E82
SHA-256:	B73D7118E561CB099551FB2E902295381075E4BDF07732D13C3A3580D30210C7
SHA-512:	5DBD15EAC5628445AC9C79ECB108B71D22BBB68D54A0D9D874BBEF8581963ADA3C58E09D78DEF61B293B9EB23033F45712797B2D762A6144F90584C0556F5912
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\i..\i..\i..I...Ci..I...Ui..I...Yi..U...Li......_i..\i...i......^i......^i......^i..d.._i..d..]i..d..]i..Rich\i..................PE..d...w..e.........." ...%.2...8......."...............................................5....`A.........................................m..`....n.......................f...(......0....f..8............................d..@............P...............................text....0.......2.................. ..`.rdata..d$...P...&...6..............@..@.data................\..............@....pdata...............^..............@..@_RDATA...............b..............@..@.reloc..0............d..............@..B........................................................................................................................................................................................................................................

C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam_Driver.inf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	4253
Entropy (8bit):	5.639653386929951
Encrypted:	false
SSDEEP:	96:5vAUyYLUOMnTXI4vj4vi4vN5mbQ5iXhug5JcoQy654gzuf/9ADGAIKDUDddECahl:xAUJzMnTXI4vj4vi4vN5mbQ5iXhug5Jc
MD5:	CF4188B255F5EF62D58B8EDA3E7BE0B8
SHA1:	7628031BD425A5DD1AA21DC5689961FBD5456690
SHA-256:	4CB21C2E5D885673F5993DE513A32D04AC01E6E26C38EB394BC237D3DD39AB64
SHA-512:	518C567A5E7073AED0981775FF53A6AA383F22204ACAF734C1765DAC4CFF28310412A9152F15790F4198281A71A765004B699723DB13782D0546DED983A0497E
Malicious:	false
Preview:	;..; SimpleMediaSourceDriver.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=Camera..ClassGuid={ca3e7ab9-b4c3-4ae6-8251-579ef933890f} ;.E.J.E..E..E..E..E.f.E.o.E.C.E.X.E..L.E..E.GUID //.E..X.E..E..E.....PnpLockdown=1..Provider=%ProviderString%..DriverVer = 10/06/2023,13.13.41.473..CatalogFile=ImagingEdgeWebcam.cat....[DestinationDirs]..UMDriverCopy=12,UMDF ; copy to driversMdf..CustomCaptureSourceCopy=11....[SourceDisksNames]..1 = %DiskId1%,,,""....[SourceDisksFiles]..ImagingEdgeWebcam_Driver.dll = 1,,..ImagingEdgeWebcam.dll = 1,,....;***************************************..; SimpleMFSource Install Section..;***************************************....[Manufacturer]..%StdMfg%=Standard,NTamd64....[Standard.NTamd64]..%ImagingEdgeWebcam.DeviceDesc%=ImagingEdgeWebcam, root\ImagingEdgeWebcam....;---------------- copy files..[ImagingEdgeWebcam.NT]..CopyFiles=UMDriverCopy, CustomCaptureSourceCopy..AddReg = CustomCaptureSource.ComRegistration....;-------------------------------

C:\Program Files\Sony\Imaging Edge Webcam\Driver\imagingedgewebcam.cat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	11824
Entropy (8bit):	7.486155218369192
Encrypted:	false
SSDEEP:	192:1/hzypINyby2sE9jBF6IYiYF8pA5K+oBf1hZFqrrvxwiRE:VNyb8E9VF6IYinAM+oZinvDE
MD5:	9BC95EAB4A2B29AEC769D9A217F5A736
SHA1:	E3D42ECDCEFC29FCCC56A366749A5149C2BF14F9
SHA-256:	344DB9816BA7794DBF3AEBF4C4F5E6C9A2CF9CE0CD0ACBF24D14167E85D5711D
SHA-512:	99795FBB4282F3E56F2B2824A6822C1A1A643B0879A96250B2DBA23A7916387EDC2EFAE70918A02E0155BE8B4E0A37635854908AA9F275A093A6ADE0D96463C1
Malicious:	false
Preview:	0..,..*.H..........0......1.0...`.H.e......0.....+.....7......0..~0...+.....7.....no.<CxsH.,.)(.\|0..231006041348Z0...+.....7.....0...0....+.........q.,+...]1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m...d.l.l...0..+. 5...E.%..B.....)..;\;.@..R...1...0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0\..+.....7...1N0L...F.i.l.e.......:i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m._.d.r.i.v.e.r...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 5...E.%..B.....)..;\;.@..R...0.... 67.k.],@A.q...1E....S(..~z..G.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 67.k.],@A.q...1E....S(..~z..G.0..". L...].Vs..=...-.....l8.9K.7..9.d1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r.....

C:\Program Files\Sony\Imaging Edge Webcam\EULA.rtf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	61847
Entropy (8bit):	5.164925920562807
Encrypted:	false
SSDEEP:	768:e7SZpWsROwOrP4niiIIH37FkitkFa/VnA7hYmZW9n6l7xvLKc4Q2/UPcfNBosJ33:e7IZOBrP6FkEpT6/Dt0/UPcfNBj33
MD5:	53D2666A14F94F5B07B6C63159C01C13
SHA1:	EE5D2654A331E802C21B3AADB29C2F4F7A2385B6
SHA-256:	9599E086450A32816BC355ABF95473681064A117096210CA802631CDFC19A473
SHA-512:	4743AA1489A02B2ADECF7870F3218AC141BFEF8AEF496C5F2CABF435B132388A75CFC279A61C4BF692A957EAED9FD8341E7602937C3B4DBCC711BEBCBC5E6778
Malicious:	false
Preview:	{\rtf1\ansi\deff0{\fonttbl{\f0\fcharset0 Times New Roman;}{\f128\fcharset128 \'82\'6c\'82\'72 \'96\'be\'92\'a9{\*\falt MS Mincho};}{\f129\fcharset129 Gulim;}{\f134\fcharset134 SimSun;}{\f136\fcharset136 MingLiU;}{\f161\fcharset161 Times New Roman Greek;}{\f162\fcharset162 Times New Roman Tur;}{\f177\fcharset177 Times New Roman (Hebrew);}{\f178\fcharset178 Times New Roman (Arabic);}{\f186\fcharset186 Times New Roman Baltic;}{\f204\fcharset204 Times New Roman Cyr;}{\f222\fcharset0 Tahoma;}{\f238\fcharset238 Times New Roman CE;}}..{\lang1033 \fs21\loch\af0\hich\f0 CONTRAT DE LICENCE D\'92UTILISATEUR FINAL..\par Date de derni\'e8re mise \'e0 jour : 2021-08..\par ..\par IMPORTANT : ..\par VEUILLEZ LIRE ATTENTIVEMENT LE PR\'c9SENT CONTRAT DE LICENCE D\'92UTILISATEUR FINAL (\'ab CLUF \'bb) AVANT D\'92UTILISER LE LOGICIEL. EN UTILISANT LE LOGICIEL, VOUS ACCEPTEZ LES CONDITIONS DU PR\'c9SENT CLUF. VOUS NE POUVEZ PAS UTILISER LE LOGICIEL SI VOUS N\'92ACCEPTEZ PAS LES CONDITIONS DU PR\'c9SENT CLU

C:\Program Files\Sony\Imaging Edge Webcam\ImagingEdgeWebcamLauncher.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	25096
Entropy (8bit):	6.5207327334887175
Encrypted:	false
SSDEEP:	384:94MSei5pIojlO+J4EpcdtZoFf/wyvl9ptor30/flH0CNyb8E9VF6IYinAM+oZinS:9P0pIoXNaK/wq9RH0CEpYinAMxUZvc
MD5:	0B243B143BA934AF6444CDFC63D8B96C
SHA1:	7602A6CA10FEA0536CC328E58999167CB86E9457
SHA-256:	5EFB448988178A1091F2A7221C41FB59F072ACBADEF56A6885ADF7C413FB1862
SHA-512:	CA76E4E5F35B64CB01CB500744B930569B3FE22F03EDE1C0D70DA68E1481337128DA3744629B4576B80C92C828A41E74BE35CDDADF3C5B5DFE1D43FD3C1CF4F3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0..............M... ...`....@.. ....................................`.................................rM..O....`...............:...(...........L..8............................................ ............... ..H............text....-... ...................... ..`.rsrc........`.......0..............@..@.reloc...............8..............@..B.................M......H........)...!..........PK..p...........................................6.(.....(.....z.,..{....,..{....o......(......0...........s....}.....s....}.....{.....o.....{.....o.....{.....o.....{...........s....o.....{....r...po.....{....r...po ....{.....o!....(".........%..{.....%..{.....o#.......0..S........($....(.....s%...} ...r...p(&...-.r...pr5..p('....{ ...r...po(....{ ...r5..po).....0..K.......s....%.}#....{ ...rM..p.o....s+...}....%.{....o,...}$.........s-...(....&*.

C:\Program Files\Sony\Imaging Edge Webcam\License.txt

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (760), with CRLF line terminators
Category:	dropped
Size (bytes):	31402
Entropy (8bit):	4.720323716440828
Encrypted:	false
SSDEEP:	384:GrswrsdZv1xjUBIk+x/vIqk0TkX6sT6AATeINgKP+nHQ41fgcmmItyOQeM9YfWEA:GJYv1xoBJsFkOTeDnLqFXTfleHBfuoag
MD5:	A63BE57A8626EB0EA448B52D63AE4933
SHA1:	D6E888DA5101232F65968A4C0667C9502D0FD666
SHA-256:	1667F731E21727F698AC28AF4B0595A24DA1DC46A56C822919D01020D62C8680
SHA-512:	71733EEDF5276AB46950AD5A4F2FF8C2321D7750801894E429C6F69028FA72D41479C75C64CD6D301A0081319A1CFC663E843EDCD5A18C06D703198059F90915
Malicious:	false
Preview:	.- This software is based in part on the work of the Independent JPEG Group.....- libjpeg-turbo.. Copyright (C)2009-2015, 2017 D. R. Commander. All Rights Reserved.....Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:....- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer...- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution...- Neither the name of the libjpeg-turbo Project nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS", AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_USB.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	81408
Entropy (8bit):	6.1323415463419115
Encrypted:	false
SSDEEP:	1536:Auuhtteo9R99rLsBdRCyjZe8Fn6pC+Oca1837HxU4p:ANeYpMWyjZn6pCRc93q4p
MD5:	C246784644EC7FACF68E32F0380D6AC3
SHA1:	69E4CD74596B1685251EC04D8B8A748D6D1A4047
SHA-256:	8943E5666D099B5DD8ED762674B0EF3E6505E697B016AE3263CA6FCB11E90750
SHA-512:	D90E7D7C0968F7FF66B2BC362428E69F2704B6721BE604E8A1582E3006EB91B17BE029ABD3E188E8052A5B7E0CCBD1533ECC84B4E766D83260E7F398F4E28666
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h)...G^..G^..G^.q.^..G^.\|C_..G^.\|D_..G^.\|B_..G^.\|F_..G^.qA_..G^.qF_..G^..F^,.G^X\|N_..G^X\|G_..G^X\|.^..G^...^..G^X\|E_..G^Rich..G^................PE..d...v..e.........." .........v......X........................................`............`.........................................P.......4........@.......0..x........(...P..........p.......................(...@...8...............P............................text...4........................... ..`.rdata..FS.......T..................@..@.data...0.... ......................@....pdata..x....0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................

C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_WIA.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55808
Entropy (8bit):	6.287059165860081
Encrypted:	false
SSDEEP:	768:emnv5s45PgQZzBT+7ImOANzzwvmyJHu/2Jq+6EpYinAMxUyo+QT:rvhNANHAm92Jp77HxUy4
MD5:	9E401A1E45F175F4E43EA2BCC79B05D0
SHA1:	CACE6C2C81A34718D0B3B500A1C0123DF82FE4ED
SHA-256:	36DD3AB5222E12FC3F24EA1A684CC62884F5DBCBD7D7381DB8F9B3D4351E6306
SHA-512:	A372319504D5D4AEE02F50A3C0DC038851282AC9896B92D092E5EBCD9E497FCBC9051378877E76650D3B33171332B553037D309F638F8AEF4E90E3F3D76EA426
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......E.....g...g...g......g.S.c...g.S.d...g.S.b...g.S.f...g.J.a...g.J.f...g...f..g.J.c...g...n...g...g...g.....g.......g...e...g.Rich..g.........................PE..d...v..e.........." .....j...N.......f...............................................A....`......................................... ....................................(..........(...p.......................(.......8............................................text....i.......j.................. ..`.rdata...........0...n..............@..@.data...0...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\libusb-1.0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	174592
Entropy (8bit):	6.443608180442681
Encrypted:	false
SSDEEP:	3072:oAy//eHV0Hxc/H96nJpIsnM5B0SGgvDO73kW4qp7:O21vP+JpIsnMc739R
MD5:	5EDC69FFFF0C79370081BF200AC5944A
SHA1:	04BCBE57B6CE1B5FFD52A776F4C5369CEB4F2426
SHA-256:	36FC52743475E3376E76D725E8552944075536CE0426EB5F7F85706FA2711ABB
SHA-512:	B1C9CC309A557DA675BA1B2419D7C55DD81CF377FD1F0DABFADB82C85FE54A17712E9F46EBC170AB8FD5F5584F90BDA047A717431702456A8C327FC21417B091
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n(.[I..I..I..#1!.$I..x!..(I..x!..(I..x!..!I..x!.."I..E-../I..I..uI..L!..!I..L!..+I..L!M.+I..I%.+I..L!..+I..RichI..........PE..d......^.........." ................................................................LA....`.........................................PD.......^..........H.......\........(..........@...p...............................................H............................text.............................. ..`.rdata..............................@..@.data........p.......\..............@....pdata..\............^..............@..@.rsrc...H............x..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Program Files\Sony\Imaging Edge Webcam\LjCore.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	774112
Entropy (8bit):	6.236040711109025
Encrypted:	false
SSDEEP:	12288:jWLg0rgshUjh32e9F+tMV2kwbGhQ67VySpfgK3EDhd+W5L:jWkogsyh3JF+mVmbGiEVxpfghDOe
MD5:	1671E39C1567AF68CCB49746D528317C
SHA1:	9092C69DBD4CADB467ACEB45305E5772FE1EFFC8
SHA-256:	62F4A8FE6AFAB3CC8175608F6B5EEC6E3F7CFF4E6E899C40398F569278B54263
SHA-512:	93C67FEF28917B45CF082E5388992D3A9E5A1C502ADF7A9534255D9589C7B19F7F813F0EE74435BB03A98C48CC8721FF5FF3110988AA2B86BD68E107DD12DC24
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......8..#\|..p\|..p\|..pu.1pj..p.._p}..p...qt..p...qx..p...qz..p...qR..p\|..pl..p7..q~..p7..q}..p7..qm..p\|..p...p...q\..p...q,..p...q}..p..]p}..p\|.5p}..p...q}..pRich\|..p........................PE..d...\|..e.........." .................`....................................................`......................................... ...................x....p...L.......'......\|....A..p....................D..(...PB..8............................................text.............................. ..`.rdata..............................@..@.data....(...@.......&..............@....pdata...L...p...N...D..............@..@.rsrc...x...........................@..@.reloc..\|...........................@..B........................................................................................................................................................................................

C:\Program Files\Sony\Imaging Edge Webcam\USBReset.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45544
Entropy (8bit):	5.901420118362686
Encrypted:	false
SSDEEP:	768:G12yZ/HoT3AaciE7wiLQ1Iiq/jHlm6asWEpYinAMxURbv:S5cE7wH/OjHlm617HxURb
MD5:	8647F611F88FB538F7E0E76427DF856F
SHA1:	FBE6A6ACD8B610AE15B769432AEBD78D8FE7440F
SHA-256:	FA063474F425E13C5910EA51AC4B519788877A0330F6D8352AA0412B593AE2AD
SHA-512:	165B4AF25736FF1C90BC7A5315D0F7C09466071D660F4B7479DBB58E112DDC60648D53AB09BB1FC05FFF1847686A6A9D9901A4F94CB3880793FEFD5B081A811E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4...4...4...=.g.>...f...6...f...&...f...>...f...7.......1...4...........6.......5...4.c.5.......5...Rich4...........PE..d...g..e.........."..........\|.................@..........................................`..................................................(.......P...^...@...........'......,...."..T............................"..8............ ...............................text...l........................... ..`.rdata....... ......................@..@.data...H....0.......$..............@....pdata.......@.......&..............@..@.rsrc....^...P...`...(..............@..@.reloc..,...........................@..B........................................................................................................................................................................................................................................................

C:\Program Files\Sony\Imaging Edge Webcam\Webcam.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	81888
Entropy (8bit):	6.582104250803885
Encrypted:	false
SSDEEP:	1536:M4aZAjx4hH2jr5Pto5ZxQQmG8gbz6ofEzM7HxUWW4:3aZI4hWdtorObhgym0MqWF
MD5:	506E55E0C984D20687F0FB146DD7A8CA
SHA1:	D8806807F9F65DAEFF36CB862D02BBD1B138649F
SHA-256:	00CF501BA36A343915731648AA4AA244C0E05A6EBEE3C1B68401AC22965AB66D
SHA-512:	B8647C0719E50C2F327BA248935DD2ECFE1F1CFB0ED7F21E4D3B95C6B4FBF0FA33899CF8DD6C289E8CC931C085A1233A2D64B6F154520B6B58EEACD54C213525
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;r.]Z..]Z..]Z..T"..MZ..."..SZ.../..WZ.../..YZ.../..}Z.../..UZ../..^Z..]Z..Z../..TZ../..\Z../..\Z..]Z..\Z../..\Z..Rich]Z..........................PE..d......e.........."......F...........E.........@.............................`......ul....`.........................................p.......x...@........................'...P..L...0w..p....................y..(....w..8............`.. ............................text...pE.......F.................. ..`.rdata...<...`...>...J..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..L....P......................@..B........................................................................................................................................................................................................................

C:\Program Files\Sony\Imaging Edge Webcam\default.jpg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 1024x576, components 3
Category:	dropped
Size (bytes):	47599
Entropy (8bit):	7.10350692525856
Encrypted:	false
SSDEEP:	768:4YyAkC3ghVmcVVwn4IdthShDbkwra83kSMU1KGPM8Ctaok:4M/whVmwVw4ITxwrapS3PM8Nok
MD5:	0CEC08F356D38D018F321CCF271809D3
SHA1:	6258801F192C05A6985355517C4416FCD88185CC
SHA-256:	DF14BBF48921A3A6661D8E2E10293CECB679F7CC2505E0C6FFD31398527F07D6
SHA-512:	E81C1682D9448927392854416C3570B36B9410B17DA6E30575E240210A56936F2203D06DDF2C24AB447ADCEDCE73ED6334A6E0DBF184AEA812CD8D8CD8F6B75F
Malicious:	false
Preview:	......JFIF.....H.H....."Exif..MM.*.........................XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewi

C:\Program Files\Sony\Imaging Edge Webcam\mfc140u.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6060704
Entropy (8bit):	6.647398713360677
Encrypted:	false
SSDEEP:	49152:ShuDOWOTjuL2QM9xVj078/VHcNG5yd9yKjCHFJnHu83026uSwIbFLOAkGy3zdnEN:OL3uAnUduREXFLOAkGkzdnEVomFHKnPE
MD5:	8C8C985ABA75CEE21C586157FCA8BA87
SHA1:	8F143C210DCFD89CD27D9BFED66C1A8985E6EC2E
SHA-256:	B06C3DFAA40F637769AA43CDD6A8B02F96A5F2EBCA7FA82E6FDE8C41DD063CFC
SHA-512:	56AA91FC744141CD5A0143C0C1411BF5E9DB1EFBE2132417763543D9DC7735CD94586BC7A45194BB8EFF145CFEE907D7B99D549B6C7FF8C5E85C7F66EF6031FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......t1.u0P.&0P.&0P.&..M&1P.&..K&1P.&..J&'P.&9(-&$P.&.0.'2P.&.0.'<P.&.0.'&P.&..Q&#P.&0P.&.S.&.0.'6P.&.0.'.Q.&.0.'1P.&.0A&1P.&.0.'1P.&Rich0P.&........................PE..d...5E.X.........." .....B0...,.............................................. ].......\...`A..........................................@.....X.A.......F.......C..N...<\..>....[..o...c5.8....................c5.(....e1..............`0.H.....@......................text....A0......B0................. ..`.rdata.......`0......F0.............@..@.data...xi...0B.......B.............@....pdata...N....C..P....B.............@..@.didat..H.....E......,E.............@....tls..........F......2E.............@....rsrc.........F......4E.............@..@.reloc...o....[..p....Z.............@..B................................................................................................................................

C:\Program Files\Sony\Imaging Edge Webcam\mfcm140u.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	105640
Entropy (8bit):	6.304388791460154
Encrypted:	false
SSDEEP:	3072:UIfi5TJmjzGxUthGyV1dQC8mh6HYfT6Yb:UD1SzGxUpV16Eh6HO6Yb
MD5:	8828D20386AADFC266AE2228ACF53FB9
SHA1:	EA315A972BD7E827D4AF5909022207DFAFE3B6D0
SHA-256:	CEED247C74F1BC03E2FAB406F8C419FA3D679CFE7831AD37FDEB6609EE76369B
SHA-512:	33A0CAE3CA69BD510186F1AB9A7CE5FD5507DD5FEBF255E04A63152BE3EC8E6CCF65AF1752BBFB54C0938DE7CA4B76132B95B018377EDB28AE896D623852C564
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r.....O...O...OS.1O...O.AVO...Ots.N...Ots.N...Ots.N...O.kVO...OS.*O...O...OT..Ots.N...Ots.N...Ots:O...Ots.N...ORich...O........PE..d....D.X.........." .....L...........U..............................................{.....`..........................................[.......\.......................^...>...........z..8...................`M..(... z...............p...............v..H............text....F.......H.................. ..`.nep.........`.......L.............. ..`.rdata..~....p.......P..............@..@.data........p.......H..............@....pdata...............P..............@..@.tls.................T..............@....rsrc................V..............@..@.reloc...............\..............@..B................................................................................................................................................................

C:\Program Files\Sony\Imaging Edge Webcam\msvcp140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	627368
Entropy (8bit):	6.346631066226722
Encrypted:	false
SSDEEP:	12288:fkfR9wkQfEAB8RKE1ujKQEKZm+jWodEEV1EB3C:CAB8RdQEKZm+jWodEEbEY
MD5:	D1BD63F4BB6D9565AF5F82137ACDB434
SHA1:	AEEFDA48D04AE9402EF2424BA8181C38DE14D60A
SHA-256:	7A222F091FDD8A8E6026C24E652396519103E982571370C8740F10778BC9AC43
SHA-512:	4342AB267B18B9FE9C69CDF373DE7DB5569B5CD4207F87C8C1276CFE2BC8FE5303838E090E78A65B5608568801E090F198476DD8D080B881D97D92D61FD8DC35
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........o...<...<...</x.<...<..n<...<...=...<...<\..<...=...<...=...<...=...<...=...<...=...<...<...<...=...<Rich...<........PE..d......X.........." ................`.....................................................`A............................................h...x...,............@...A...T...>..............8...........................0 ......................D...@....................text............................... ..`.rdata..L...........................@..@.data...\9..........................@....pdata...A...@...B..................@..@.didat..h............B..............@....rsrc................D..............@..@.reloc...............H..............@..B................................................................................................................................................................................................................

C:\Program Files\Sony\Imaging Edge Webcam\vcruntime140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87224
Entropy (8bit):	6.538885960605395
Encrypted:	false
SSDEEP:	1536:fFABA4oLT6MkFVpO0VW4iA6AHpg7otfG0TwecbhTWV1vqbGva:f2FITY7v6Cpg7wG0TwecbhKnvqiS
MD5:	9CEF848DD7026D2626B35032A7B21E6D
SHA1:	321AD662F45F5C601AE4D55F726D075A97D80734
SHA-256:	56DE253172B2FF70BA89CC0544E09C6DD34D6793231C09AA6DFAAC755535F45F
SHA-512:	38034FE11DC69EFE81022EEB0599F3FF3AF315CCA186D4A2C8F41E06C442039F665E420EEEFCB7FCEA7B0FE2F5CAE55C29E10533517286EE9CD09FF9DC1F2835
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......kR.a/3.2/3.2/3.2..)2-3.2&KU2$3.2/3.2.3.2.S.3,3.2.S.3%3.2.S.3$3.2.S.313.2.S.3.3.2.S92.3.2.S.3.3.2Rich/3.2........................PE..d......X.........." .........R...............................................`............`A............................................4............@.......0...........>...P..d.......8............................................................................text............................... ..`.rdata...5.......6..................@..@.data...x.... ......................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc..d....P......................@..B................................................................................................................................................................................................................................................

C:\Program Files\Sony\Imaging Edge Webcam\webcam_help.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 5 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 64x64, 32 bits/pixel
Category:	dropped
Size (bytes):	95850
Entropy (8bit):	7.378187029601007
Encrypted:	false
SSDEEP:	1536:BK6n3E1/NX82E3A4OkjqE3wN/K5LrLVyfuQ3GB3bzF29pbWf3A:Lw/d82kfOkjqHRK5PA5GBl2CfQ
MD5:	A77225BFD33E7BA20268B85D9D04367E
SHA1:	BDDD5D68501431A1C9EBB94699A47123B1E6E478
SHA-256:	64A6FC8F05B610E68CF3B5D110129F9FF278772AF1963C0050D78768A9C9BD63
SHA-512:	89BFCE50EC0717F4C5964F44213233C84747B2419DF591B9E678F257960B3018B188BC40C4F50D801EBEA5FCEB6B971325696B0B38517E68E67BD62B87D86FF6
Malicious:	false
Preview:	............ .4...V...@@.... .(B......00.... ..%...;.. .... .....Za........ .h....r...PNG........IHDR.............\r.f....IDATx..]...E.>{......N.%.).M@J.."E.J..)bD@.....RH.!......K^..[..93..%..4./w..-.3s..23...nG.......pt;.....(.\|..g.L...._...&.d..L..........'....q./@.\|.m../L..._..........7....~....F....:..W....7}.upt;r.Q...nT.Y......0....._?.}RSS...Grss.i...))).I....?>.....e.H....E...a.I.S.'...\|>.......\|."$.&$....#.HwwWWWGgGgk[[gScCwmmm.......\|.....~....H$R.c...[..~..Wf;.._....P.1...p.C...A....8pP.W.^)ii.iIII).@ ..~.....~.`..?......G..\..e.O.~.MM.:0P...h$.T.._8.>.....P(L..........o$..DB...Z.[.Zjkj...JC...0P(............;.;.._..(.\|....1.c....y..#...241.O..4....S....8...L.. ..O&.....n..... .1...!.L....T.CT..\..............;>......... .&{..g.uuvA.}v'.d.........p$...jkinn...j,,h/=PRH......j>.......( \|I....9lT....T.&..q...9b....y}....2......T.._.-..SAcB./..Nhk..-....,6........~S..m..O.-_jZ$%&Brr"$&&@BB..)*..A...........F...............e..\|

C:\Users\user\AppData\Local\Temp\MSIF12C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123904
Entropy (8bit):	6.019348446512073
Encrypted:	false
SSDEEP:	3072:qC2+1/jC6wmMJjS42JOhbdgf2373x8Yyrpb:qCnl6mM9x26bOmx8YK
MD5:	DE475943D21409F1372093D37FC0A0C8
SHA1:	3B634C2A2470718A23EEFA3386C8AF724EA2D1AE
SHA-256:	EB6100F6194060C59C979B470795336F1ECD59757F131A7B7EBA9A6B3B829677
SHA-512:	6F42A1CC2B097A8C6498C03AA5E5E538CF6B4D1420734A7CCD7A21C45EE0B5867E06F8DB8E58987C9BA792864104B11C911C6775295781133CFAFB0DF897C08D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........s.s.s..~..s....s....s....s....s....s.2..s....s.s..r.l..s.l..s.l....s.l..s.Rich.s.................PE..d...j..e.........." .....>...........4.......................................0............`.........................................`.......\...h...............0............ ..0.......p.......................(.......8............P..P............................text....<.......>.................. ..`.rdata..T}...P...~...B..............@..@.data...`...........................@....pdata..0...........................@..@.rsrc...............................@..@.reloc..0.... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF18A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123904
Entropy (8bit):	6.019348446512073
Encrypted:	false
SSDEEP:	3072:qC2+1/jC6wmMJjS42JOhbdgf2373x8Yyrpb:qCnl6mM9x26bOmx8YK
MD5:	DE475943D21409F1372093D37FC0A0C8
SHA1:	3B634C2A2470718A23EEFA3386C8AF724EA2D1AE
SHA-256:	EB6100F6194060C59C979B470795336F1ECD59757F131A7B7EBA9A6B3B829677
SHA-512:	6F42A1CC2B097A8C6498C03AA5E5E538CF6B4D1420734A7CCD7A21C45EE0B5867E06F8DB8E58987C9BA792864104B11C911C6775295781133CFAFB0DF897C08D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........s.s.s..~..s....s....s....s....s....s.2..s....s.s..r.l..s.l..s.l....s.l..s.Rich.s.................PE..d...j..e.........." .....>...........4.......................................0............`.........................................`.......\...h...............0............ ..0.......p.......................(.......8............P..P............................text....<.......>.................. ..`.rdata..T}...P...~...B..............@..@.data...`...........................@....pdata..0...........................@..@.rsrc...............................@..@.reloc..0.... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi

Download File

Process:	C:\Users\user\Desktop\IEW113_2311a.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Imaging Edge Webcam, Author: Sony Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Imaging Edge Webcam., Create Time/Date: Fri Oct 6 08:39:02 2023, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2, Template: x64;0, Last Saved By: x64;0, Revision Number: {77F8518A-144A-4DB2-80EB-C544B68375EE}1.1.03.10061;{95690A63-A7AD-4F7B-8CD3-F94BF8573A8E}1.1.03.10061;{28FB0552-E7A4-4193-ACA1-2CA8F06EC841}, Number of Pages: 300, Number of Characters: 0
Category:	dropped
Size (bytes):	7835648
Entropy (8bit):	7.491189626154171
Encrypted:	false
SSDEEP:	196608:+eziaII6eYf7Rl7NyygJ7xzNc4qeQm/e:+e2Ei7P7NydJ1Nc4Um
MD5:	DF408B38D2630AAA6CC578F1020C9B05
SHA1:	D017A4DB82EC7F459DD5669FF73ED55DFC442E47
SHA-256:	EFF867158BDE9EE33DA8E313E93F1E49E3EFA329AC0EE9397744D2DA2C7E650A
SHA-512:	6E8E1E9F6933BDD9623760DF64AE102EBF56A053162310A7EA3649670053084BFEA58769ABE7145227BAB003DC2C767FF4A8F8FFE82BF0E9BC6BF71FB4F17C45
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Support\E8FF0748-2339-49f9-9A79-824D7561736C.cab

Download File

Process:	C:\Users\user\Desktop\IEW113_2311a.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4828811 bytes, 1 file, at 0x2c +AUtf? "SetupIEW.msi", number 1, 240 datablocks, 0x1503 compression
Category:	dropped
Size (bytes):	4828811
Entropy (8bit):	7.9990462765095804
Encrypted:	true
SSDEEP:	98304:OCF8Jwd+2/HK+4k6JcOGtAg6YcCIwq5YxtNoObY9s4p:PqJwocA1Jc8g6Ylrq5CEObYTp
MD5:	4B274D01B22995836D1CE9A441B3E7B7
SHA1:	0438943ACAE87522A5DCEF942D1EAD165EDEABC4
SHA-256:	43608D06A7214FFE17893BFEBB835DA4D9FC3880288A6FCF808D56DFB1C4224E
SHA-512:	DD29D7618088FA18E28F6583D750E1301DE5441A25C84A3F84CC56CE4782D238E9D512AA696CCF33576834D9FC3D6ECBB44EE1AE7A2E495B195FE0BDA5C32AC7
Malicious:	false
Preview:	MSCF......I.....,...................I.........w.......FW.C..SetupIEW.msi.r9+.&H..[..... .........".+.w.ww........."...........".UD.g.pf....0......q'3.@/.u.-5tM.....77..........%B...]....0@ZB.@.d.........r}./#~D.... ......h..o.wwf..M...4..-.Q..}@.b?S{......:...f.'....^..a?._....._...........O..?..'..?....\|..........?\|.....>....t..........,.H...@.......<...@....L.@.@\...@....4....<........D....L.8......T.X..\.x......d....l.....@{.9....=........A...0E...p....I.(..M.8......Q.H.0U.X.p....Y.h..].x......a...0e...p....i....m........q...0u...p....y....}...p....@....B`..0....D...."...4....#...D$ ..T.`..%...d&.........@\|....(.....P..)....*........+....,..........[.n..] v...0.@/......`........b...8d...X....f...x}..@H.0..5...X6p..h....7......p.....`..r....9`.......:....;..... ..<..........p..(... =.....p=..` ...@....(....0..........p...........#...P'........+..../........3...P7...h. ....v....~... ..!... #...@. ..%...`'..... ..)....+..... ..-..../..... ..1... 3...@. ..5...`7..... ..9...

C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Support\Settings.ini

Download File

Process:	C:\Users\user\Desktop\IEW113_2311a.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1542
Entropy (8bit):	3.60804255875879
Encrypted:	false
SSDEEP:	48:3ro3kzNlrH89poF+7EWAz0Ug3Fh8nM7hGNeyGNev:3E3kxhu7Elz/nM1tytv
MD5:	EAAC4B67F55D7363993F1AC326172141
SHA1:	70EBD67A68A18595D2FD8B94606555659E50F741
SHA-256:	882F197D5002FF35873C2CAF5169B61137E0BB12642AA05B930C26A2D8EA019F
SHA-512:	2D17B827CA4B10E108003C9C53E6A4DFE8B2E48B07AE94108555321AE4672FB2904DADD2768B6998EF8626DCFE0687F10991FFE0D6AE2012D2C7F4A4925854B8
Malicious:	false
Preview:	......[.P.a.c.k.a.g.e.].....P.r.o.d.u.c.t.N.a.m.e.=.I.m.a.g.i.n.g. .E.d.g.e. .W.e.b.c.a.m.....W.i.n.d.o.w.T.i.t.l.e.=.I.m.a.g.i.n.g. .E.d.g.e. .W.e.b.c.a.m.....P.a.c.k.a.g.e.D.a.t.e.T.i.m.e.=.2.0.2.3.-.1.0.-.0.6.T.1.0.:.1.2.:.1.7...3.3.1.Z.....C.o.m.p.r.e.s.s.i.o.n.=.T.r.u.e.....T.o.t.a.l.F.i.l.e.S.i.z.e.=.7.8.3.5.6.4.8.....A.u.t.o.C.l.o.s.e.W.i.n.d.o.w.W.h.e.n.S.u.c.c.e.s.s.=.T.r.u.e.....V.A.I.O.U.p.d.a.t.e.M.o.d.e.=.F.a.l.s.e.....[.M.e.s.s.a.g.e.].....S.h.o.w.M.e.s.s.a.g.e.B.o.x.=.F.a.l.s.e.....S.h.o.w.M.e.s.s.a.g.e.B.o.x.W.h.e.n.S.i.l.e.n.t.=.F.a.l.s.e.....D.i.a.l.o.g.B.u.t.t.o.n.T.y.p.e.=.0.....[.R.e.s.t.r.i.c.t.i.o.n.].....C.h.e.c.k.M.a.n.u.f.a.c.t.u.r.e.r.=.F.a.l.s.e.....O.S.V.e.r.s.i.o.n.M.i.n.=.0.x.0.0.0.6.0.0.0.3.....O.S.B.u.i.l.d.M.i.n.=.0.x.2.5.8.0.0.0.0.0.....A.l.l.o.w.P.r.o.g.r.a.m.C.o.m.p.a.t.i.b.i.l.i.t.y.A.s.s.i.s.t.a.n.t.M.o.d.e.=.T.r.u.e.....C.h.e.c.k.D.i.g.i.t.a.l.S.i.g.n.a.t.u.r.e.=.F.a.l.s.e.....[.E.x.t.r.a.c.t.i.o.n.].....S.p.e.c.i.f.i.e.d.E.x.t.r.a.c.t.F.o.l.d.e.

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam.cat (copy)

Download File

Process:	C:\Windows\System32\pnputil.exe
File Type:	data
Category:	dropped
Size (bytes):	11824
Entropy (8bit):	7.486155218369192
Encrypted:	false
SSDEEP:	192:1/hzypINyby2sE9jBF6IYiYF8pA5K+oBf1hZFqrrvxwiRE:VNyb8E9VF6IYinAM+oZinvDE
MD5:	9BC95EAB4A2B29AEC769D9A217F5A736
SHA1:	E3D42ECDCEFC29FCCC56A366749A5149C2BF14F9
SHA-256:	344DB9816BA7794DBF3AEBF4C4F5E6C9A2CF9CE0CD0ACBF24D14167E85D5711D
SHA-512:	99795FBB4282F3E56F2B2824A6822C1A1A643B0879A96250B2DBA23A7916387EDC2EFAE70918A02E0155BE8B4E0A37635854908AA9F275A093A6ADE0D96463C1
Malicious:	false
Preview:	0..,..*.H..........0......1.0...`.H.e......0.....+.....7......0..~0...+.....7.....no.<CxsH.,.)(.\|0..231006041348Z0...+.....7.....0...0....+.........q.,+...]1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m...d.l.l...0..+. 5...E.%..B.....)..;\;.@..R...1...0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0\..+.....7...1N0L...F.i.l.e.......:i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m._.d.r.i.v.e.r...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 5...E.%..B.....)..;\;.@..R...0.... 67.k.],@A.q...1E....S(..~z..G.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 67.k.],@A.q...1E....S(..~z..G.0..". L...].Vs..=...-.....l8.9K.7..9.d1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r.....

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam.dll (copy)

Download File

Process:	C:\Windows\System32\pnputil.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	269832
Entropy (8bit):	6.601133670257957
Encrypted:	false
SSDEEP:	3072:N/HJDlyWARYazWLkQc3UUMGag32TwVVzJ2F2aFPjVCTxnIko7sU2Cp135qTCm:N/JlyKkQcThCwVVzfaFPY7Kn2CpCum
MD5:	D54CE0AC27BFB7E5854BF0F3F2141987
SHA1:	76F987FA9DA987D330C0F50327D2C7E88B2073A7
SHA-256:	5ACAF60D46D5E456AD8B414467D9C66DE3C41CDAE4E136902F3F1B61DCBBEB5B
SHA-512:	B1D31B706F44CB5E5795DA442BEB5D53F2475390827AA32B322D0A160B82858EBEA0AA69970EF7DA59FD00ABE14AABA77AEB83AA11EDE00CDD0A3D3CDA9DB344
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................y....u.......u.......uk......u......Rich............PE..d...o..e.........." ...%............ ........................................`............`A...........................................t...T........@...................(...P...... H..p............................F..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....0......."..................@....pdata..............................@..@_RDATA.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam_Driver.dll (copy)

Download File

Process:	C:\Windows\System32\pnputil.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36368
Entropy (8bit):	6.435140914980148
Encrypted:	false
SSDEEP:	768:mgfeLgDor29cA10SlHRxtqEpYinAMxUrd4/W:mgY29cAqsL7HxUrd4+
MD5:	0624BDCA7C1E1BF264234BE33FD12FF4
SHA1:	F458D3E7300724EE88D21475B1E6A02E85FE2E82
SHA-256:	B73D7118E561CB099551FB2E902295381075E4BDF07732D13C3A3580D30210C7
SHA-512:	5DBD15EAC5628445AC9C79ECB108B71D22BBB68D54A0D9D874BBEF8581963ADA3C58E09D78DEF61B293B9EB23033F45712797B2D762A6144F90584C0556F5912
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\i..\i..\i..I...Ci..I...Ui..I...Yi..U...Li......_i..\i...i......^i......^i......^i..d.._i..d..]i..d..]i..Rich\i..................PE..d...w..e.........." ...%.2...8......."...............................................5....`A.........................................m..`....n.......................f...(......0....f..8............................d..@............P...............................text....0.......2.................. ..`.rdata..d$...P...&...6..............@..@.data................\..............@....pdata...............^..............@..@_RDATA...............b..............@..@.reloc..0............d..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam_Driver.inf (copy)

Download File

Process:	C:\Windows\System32\pnputil.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	4253
Entropy (8bit):	5.639653386929951
Encrypted:	false
SSDEEP:	96:5vAUyYLUOMnTXI4vj4vi4vN5mbQ5iXhug5JcoQy654gzuf/9ADGAIKDUDddECahl:xAUJzMnTXI4vj4vi4vN5mbQ5iXhug5Jc
MD5:	CF4188B255F5EF62D58B8EDA3E7BE0B8
SHA1:	7628031BD425A5DD1AA21DC5689961FBD5456690
SHA-256:	4CB21C2E5D885673F5993DE513A32D04AC01E6E26C38EB394BC237D3DD39AB64
SHA-512:	518C567A5E7073AED0981775FF53A6AA383F22204ACAF734C1765DAC4CFF28310412A9152F15790F4198281A71A765004B699723DB13782D0546DED983A0497E
Malicious:	false
Preview:	;..; SimpleMediaSourceDriver.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=Camera..ClassGuid={ca3e7ab9-b4c3-4ae6-8251-579ef933890f} ;.E.J.E..E..E..E..E.f.E.o.E.C.E.X.E..L.E..E.GUID //.E..X.E..E..E.....PnpLockdown=1..Provider=%ProviderString%..DriverVer = 10/06/2023,13.13.41.473..CatalogFile=ImagingEdgeWebcam.cat....[DestinationDirs]..UMDriverCopy=12,UMDF ; copy to driversMdf..CustomCaptureSourceCopy=11....[SourceDisksNames]..1 = %DiskId1%,,,""....[SourceDisksFiles]..ImagingEdgeWebcam_Driver.dll = 1,,..ImagingEdgeWebcam.dll = 1,,....;***************************************..; SimpleMFSource Install Section..;***************************************....[Manufacturer]..%StdMfg%=Standard,NTamd64....[Standard.NTamd64]..%ImagingEdgeWebcam.DeviceDesc%=ImagingEdgeWebcam, root\ImagingEdgeWebcam....;---------------- copy files..[ImagingEdgeWebcam.NT]..CopyFiles=UMDriverCopy, CustomCaptureSourceCopy..AddReg = CustomCaptureSource.ComRegistration....;-------------------------------

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET25F7.tmp

Download File

Process:	C:\Windows\System32\pnputil.exe
File Type:	data
Category:	dropped
Size (bytes):	11824
Entropy (8bit):	7.486155218369192
Encrypted:	false
SSDEEP:	192:1/hzypINyby2sE9jBF6IYiYF8pA5K+oBf1hZFqrrvxwiRE:VNyb8E9VF6IYinAM+oZinvDE
MD5:	9BC95EAB4A2B29AEC769D9A217F5A736
SHA1:	E3D42ECDCEFC29FCCC56A366749A5149C2BF14F9
SHA-256:	344DB9816BA7794DBF3AEBF4C4F5E6C9A2CF9CE0CD0ACBF24D14167E85D5711D
SHA-512:	99795FBB4282F3E56F2B2824A6822C1A1A643B0879A96250B2DBA23A7916387EDC2EFAE70918A02E0155BE8B4E0A37635854908AA9F275A093A6ADE0D96463C1
Malicious:	false
Preview:	0..,..*.H..........0......1.0...`.H.e......0.....+.....7......0..~0...+.....7.....no.<CxsH.,.)(.\|0..231006041348Z0...+.....7.....0...0....+.........q.,+...]1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m...d.l.l...0..+. 5...E.%..B.....)..;\;.@..R...1...0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0\..+.....7...1N0L...F.i.l.e.......:i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m._.d.r.i.v.e.r...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 5...E.%..B.....)..;\;.@..R...0.... 67.k.],@A.q...1E....S(..~z..G.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 67.k.],@A.q...1E....S(..~z..G.0..". L...].Vs..=...-.....l8.9K.7..9.d1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r.....

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET2618.tmp

Download File

Process:	C:\Windows\System32\pnputil.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	269832
Entropy (8bit):	6.601133670257957
Encrypted:	false
SSDEEP:	3072:N/HJDlyWARYazWLkQc3UUMGag32TwVVzJ2F2aFPjVCTxnIko7sU2Cp135qTCm:N/JlyKkQcThCwVVzfaFPY7Kn2CpCum
MD5:	D54CE0AC27BFB7E5854BF0F3F2141987
SHA1:	76F987FA9DA987D330C0F50327D2C7E88B2073A7
SHA-256:	5ACAF60D46D5E456AD8B414467D9C66DE3C41CDAE4E136902F3F1B61DCBBEB5B
SHA-512:	B1D31B706F44CB5E5795DA442BEB5D53F2475390827AA32B322D0A160B82858EBEA0AA69970EF7DA59FD00ABE14AABA77AEB83AA11EDE00CDD0A3D3CDA9DB344
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................y....u.......u.......uk......u......Rich............PE..d...o..e.........." ...%............ ........................................`............`A...........................................t...T........@...................(...P...... H..p............................F..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....0......."..................@....pdata..............................@..@_RDATA.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET2638.tmp

Download File

Process:	C:\Windows\System32\pnputil.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36368
Entropy (8bit):	6.435140914980148
Encrypted:	false
SSDEEP:	768:mgfeLgDor29cA10SlHRxtqEpYinAMxUrd4/W:mgY29cAqsL7HxUrd4+
MD5:	0624BDCA7C1E1BF264234BE33FD12FF4
SHA1:	F458D3E7300724EE88D21475B1E6A02E85FE2E82
SHA-256:	B73D7118E561CB099551FB2E902295381075E4BDF07732D13C3A3580D30210C7
SHA-512:	5DBD15EAC5628445AC9C79ECB108B71D22BBB68D54A0D9D874BBEF8581963ADA3C58E09D78DEF61B293B9EB23033F45712797B2D762A6144F90584C0556F5912
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\i..\i..\i..I...Ci..I...Ui..I...Yi..U...Li......_i..\i...i......^i......^i......^i..d.._i..d..]i..d..]i..Rich\i..................PE..d...w..e.........." ...%.2...8......."...............................................5....`A.........................................m..`....n.......................f...(......0....f..8............................d..@............P...............................text....0.......2.................. ..`.rdata..d$...P...&...6..............@..@.data................\..............@....pdata...............^..............@..@_RDATA...............b..............@..@.reloc..0............d..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET2658.tmp

Download File

Process:	C:\Windows\System32\pnputil.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	4253
Entropy (8bit):	5.639653386929951
Encrypted:	false
SSDEEP:	96:5vAUyYLUOMnTXI4vj4vi4vN5mbQ5iXhug5JcoQy654gzuf/9ADGAIKDUDddECahl:xAUJzMnTXI4vj4vi4vN5mbQ5iXhug5Jc
MD5:	CF4188B255F5EF62D58B8EDA3E7BE0B8
SHA1:	7628031BD425A5DD1AA21DC5689961FBD5456690
SHA-256:	4CB21C2E5D885673F5993DE513A32D04AC01E6E26C38EB394BC237D3DD39AB64
SHA-512:	518C567A5E7073AED0981775FF53A6AA383F22204ACAF734C1765DAC4CFF28310412A9152F15790F4198281A71A765004B699723DB13782D0546DED983A0497E
Malicious:	false
Preview:	;..; SimpleMediaSourceDriver.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=Camera..ClassGuid={ca3e7ab9-b4c3-4ae6-8251-579ef933890f} ;.E.J.E..E..E..E..E.f.E.o.E.C.E.X.E..L.E..E.GUID //.E..X.E..E..E.....PnpLockdown=1..Provider=%ProviderString%..DriverVer = 10/06/2023,13.13.41.473..CatalogFile=ImagingEdgeWebcam.cat....[DestinationDirs]..UMDriverCopy=12,UMDF ; copy to driversMdf..CustomCaptureSourceCopy=11....[SourceDisksNames]..1 = %DiskId1%,,,""....[SourceDisksFiles]..ImagingEdgeWebcam_Driver.dll = 1,,..ImagingEdgeWebcam.dll = 1,,....;***************************************..; SimpleMFSource Install Section..;***************************************....[Manufacturer]..%StdMfg%=Standard,NTamd64....[Standard.NTamd64]..%ImagingEdgeWebcam.DeviceDesc%=ImagingEdgeWebcam, root\ImagingEdgeWebcam....;---------------- copy files..[ImagingEdgeWebcam.NT]..CopyFiles=UMDriverCopy, CustomCaptureSourceCopy..AddReg = CustomCaptureSource.ComRegistration....;-------------------------------

C:\Windows\INF\c_camera.PNF

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1728 "Signature", at 0x68 WinDirPath, LanguageID 809, at 0x80 language en-GB
Category:	dropped
Size (bytes):	8948
Entropy (8bit):	3.4431898976758726
Encrypted:	false
SSDEEP:	96:hc1OCKsKeUCB0fWpFRsyzHg5e20cNy01HR3T6gYq2vyvVATCG5qyxJw5W/39rdeS:iN0fORsU6NIgEnq5WxZ
MD5:	D63EB1A7143819CB93D75E1C698D008C
SHA1:	D3811F84B8B86ED7C415518031D8CDCC19169699
SHA-256:	75291E77802A6C169123AE7CE9E636A67E2B093E1F2BEAA0302CDF695C3A5D8D
SHA-512:	2A09198F8C2173D825B4F2AF53F708EFE8D87F06A3EF9177D4BC320C8B99562B62D1A7E04DBD8D06418430765B53E201CE0BD5F35A6DD022465011A2B941E27F
Malicious:	false
Preview:	....................(.....x........................(...............P....... ...h................"......C.:.\.W.i.n.d.o.w.s.....e.n.-.G.B.......................................................................................................................................................................................................h............... ...................................................,...........................<.......................0...............................................................H...............................d...........................................................................<...............................,...........................................L...........................................4.......................................................................@...........................................................................................................(.......................................................................

C:\Windows\INF\setupapi.dev.log

Download File

Process:	C:\Windows\System32\pnputil.exe
File Type:	Generic INItialization configuration [BeginLog]
Category:	dropped
Size (bytes):	36600
Entropy (8bit):	5.207132503833556
Encrypted:	false
SSDEEP:	384:OGdni80C/8g0atRf7yr14ujuNY9AZi3Z/oUtwr05hauNzvIbO6:Own95cdyYloiwQ+KvZ6
MD5:	4FB09918B316DA35E22BACCE3AEA9475
SHA1:	E8AC5276E6C95CEDDBFFC0489CE788A33561B635
SHA-256:	7E17A4F4734614757A384A28D6D26C9F68162318459658A354EA6BB550A7FA5E
SHA-512:	8F4CF9D4DFD08441AB2CF460A3A1D17C12A746F016708A253E9ADE36B74A32B84E8D88B586B10BD665589001D4E27FF4FFF20CB08E5BF59D0E0F6B6AF55586A2
Malicious:	false
Preview:	[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:

C:\Windows\Installer\3b1c81.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Imaging Edge Webcam, Author: Sony Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Imaging Edge Webcam., Create Time/Date: Fri Oct 6 08:39:02 2023, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2, Template: x64;0, Last Saved By: x64;0, Revision Number: {77F8518A-144A-4DB2-80EB-C544B68375EE}1.1.03.10061;{95690A63-A7AD-4F7B-8CD3-F94BF8573A8E}1.1.03.10061;{28FB0552-E7A4-4193-ACA1-2CA8F06EC841}, Number of Pages: 300, Number of Characters: 0
Category:	dropped
Size (bytes):	7835648
Entropy (8bit):	7.491189626154171
Encrypted:	false
SSDEEP:	196608:+eziaII6eYf7Rl7NyygJ7xzNc4qeQm/e:+e2Ei7P7NydJ1Nc4Um
MD5:	DF408B38D2630AAA6CC578F1020C9B05
SHA1:	D017A4DB82EC7F459DD5669FF73ED55DFC442E47
SHA-256:	EFF867158BDE9EE33DA8E313E93F1E49E3EFA329AC0EE9397744D2DA2C7E650A
SHA-512:	6E8E1E9F6933BDD9623760DF64AE102EBF56A053162310A7EA3649670053084BFEA58769ABE7145227BAB003DC2C767FF4A8F8FFE82BF0E9BC6BF71FB4F17C45
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1E56.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123904
Entropy (8bit):	6.019348446512073
Encrypted:	false
SSDEEP:	3072:qC2+1/jC6wmMJjS42JOhbdgf2373x8Yyrpb:qCnl6mM9x26bOmx8YK
MD5:	DE475943D21409F1372093D37FC0A0C8
SHA1:	3B634C2A2470718A23EEFA3386C8AF724EA2D1AE
SHA-256:	EB6100F6194060C59C979B470795336F1ECD59757F131A7B7EBA9A6B3B829677
SHA-512:	6F42A1CC2B097A8C6498C03AA5E5E538CF6B4D1420734A7CCD7A21C45EE0B5867E06F8DB8E58987C9BA792864104B11C911C6775295781133CFAFB0DF897C08D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........s.s.s..~..s....s....s....s....s....s.2..s....s.s..r.l..s.l..s.l....s.l..s.Rich.s.................PE..d...j..e.........." .....>...........4.......................................0............`.........................................`.......\...h...............0............ ..0.......p.......................(.......8............P..P............................text....<.......>.................. ..`.rdata..T}...P...~...B..............@..@.data...`...........................@....pdata..0...........................@..@.rsrc...............................@..@.reloc..0.... ......................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1EC5.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	216496
Entropy (8bit):	6.646208142644182
Encrypted:	false
SSDEEP:	3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
MD5:	A3AE5D86ECF38DB9427359EA37A5F646
SHA1:	EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
SHA-256:	C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
SHA-512:	96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1F71.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	759959
Entropy (8bit):	6.618384452341439
Encrypted:	false
SSDEEP:	12288:9ilVM9xkm/BilVM9xkm/s/m4/mXt3jOZy2KsGU6a4KsFt3jOZy2KsGU6a4KsD:9GCHBGCHALAzOE2Z34K4zOE2Z34KA
MD5:	193D78F1C54582BE386624DD6B492A8B
SHA1:	D617990431D9AED20D26E33FD6A66765EC722F80
SHA-256:	ECE5DCAF6792EE5FB41782CB9C18ACE98A38B52211B92D06BF02CB5B97CD931E
SHA-512:	608DC7FC56C244B0996E84216530BDDB9CE8662B57758A5D585545D8050F7FBEA9B7C319870585A8E5458BD4F7E81E58970D6D23CAA39AE7E874D43DA8DAFCCF
Malicious:	false
Preview:	...@IXOS.@.....@.*WY.@.....@.....@.....@.....@.....@......&.{77F8518A-144A-4DB2-80EB-C544B68375EE}..Imaging Edge Webcam..SetupIEW.msi.@.....@.....@.....@......IEAppIcon..&.{C2734D1F-96B7-436D-B504-71D79D323D6F}.....@.....@.....@.....@.......@.....@.....@.......@......Imaging Edge Webcam......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@T....@.....@.]....&.{4C93B565-41C9-48B2-B862-116FEF58ECC1}A.22:\Software\Sony Corporation\Imaging Edge Webcam\InstallLocation.@.......@.....@.....@......&.{54C6D863-4FC1-4FE5-A9B7-46A720CCF24A}4.C:\Program Files\Sony\Imaging Edge Webcam\Webcam.exe.@.......@.....@.....@......&.{D53B1643-8E2E-447D-B669-61B1D8B43CD8}9.C:\Program Files\Sony\Imaging Edge Webcam\webcam_help.ico.@.......@.....@.....@......&.{4BD875C8-7141-4C72-A4DD-A0672A296295}6.C:\Program Files\Sony\Imaging Edge Webcam\USBReset.exe.@.......@.....@.....@......&.{05F329B1-BCBC-4B

C:\Windows\Installer\MSI1F92.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	216496
Entropy (8bit):	6.646208142644182
Encrypted:	false
SSDEEP:	3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
MD5:	A3AE5D86ECF38DB9427359EA37A5F646
SHA1:	EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
SHA-256:	C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
SHA-512:	96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI239A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	123904
Entropy (8bit):	6.019348446512073
Encrypted:	false
SSDEEP:	3072:qC2+1/jC6wmMJjS42JOhbdgf2373x8Yyrpb:qCnl6mM9x26bOmx8YK
MD5:	DE475943D21409F1372093D37FC0A0C8
SHA1:	3B634C2A2470718A23EEFA3386C8AF724EA2D1AE
SHA-256:	EB6100F6194060C59C979B470795336F1ECD59757F131A7B7EBA9A6B3B829677
SHA-512:	6F42A1CC2B097A8C6498C03AA5E5E538CF6B4D1420734A7CCD7A21C45EE0B5867E06F8DB8E58987C9BA792864104B11C911C6775295781133CFAFB0DF897C08D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........s.s.s..~..s....s....s....s....s....s.2..s....s.s..r.l..s.l..s.l....s.l..s.Rich.s.................PE..d...j..e.........." .....>...........4.......................................0............`.........................................`.......\...h...............0............ ..0.......p.......................(.......8............P..P............................text....<.......>.................. ..`.rdata..T}...P...~...B..............@..@.data...`...........................@....pdata..0...........................@..@.rsrc...............................@..@.reloc..0.... ......................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{77F8518A-144A-4DB2-80EB-C544B68375EE}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7688271611489322
Encrypted:	false
SSDEEP:	12:JSbX72FjhAGiLIlHVRpfh/7777777777777777777777777vDHFlyRtpwl0i8Q:JnQI5b/yDF
MD5:	C8141C2BE48DDF3430AB93C7CE5C628A
SHA1:	55314BB1CAB90C022BCD0DB3F05CA63763384D0F
SHA-256:	99BABF0868461D0F6FBE9C7F8C2E5B8203AD699865F4FF5B0B8B7D9D285F0C4D
SHA-512:	38B07D6432A6034FAE3C6041AC6591C6B2B8D9DEE5281FDE2B678FF1B088166B61A60A854A0461E126F11BE4231E4FD427437716C2918EF387D0F08C4738F9AC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2869139659306428
Encrypted:	false
SSDEEP:	48:lcPuOBth8FXz1T5e9385JN92bQ1d9hSJ6Ad94o9385JNRQ/PEK+d9hSI1jm:iPe7T6sskrgfskc7A
MD5:	F7C97F482027CDAD99B30D2E4BAEFBCC
SHA1:	668EC174360AD95AB0B9E39193B48C71181745F8
SHA-256:	BF86A23C1D4807DE518A2D357330ED9E740623AE82FA19F7862BA896047440B5
SHA-512:	C9FC797F22B065575D310A4682203FC1CEF6520516942E6318ABAD63D1231001562B2FD722E748DD7233D73731B7C29C35A6A96C53795457FE30131B57BF9A8E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375171344080192
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauv:zTtbmkExhMJCIpErG
MD5:	4155E424122C972B4DA48C6BEC026A36
SHA1:	95C6EB2F988E1DB6F58744D5BDFE40CE4EA22BB3
SHA-256:	F8AD1317050C2B3FA44F22056677A9E76ECD237AC2AE0EBD735AAB3D0DF025D4
SHA-512:	9DD96D806B8B038E4B3ABCFE42F83897703268DE20CAAA583B4749BF8BE780478D9A6859D593539A01B3AE8E4F512FEF2302188DFF169874563409D0DBD0B7C1
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.cat (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	11824
Entropy (8bit):	7.486155218369192
Encrypted:	false
SSDEEP:	192:1/hzypINyby2sE9jBF6IYiYF8pA5K+oBf1hZFqrrvxwiRE:VNyb8E9VF6IYinAM+oZinvDE
MD5:	9BC95EAB4A2B29AEC769D9A217F5A736
SHA1:	E3D42ECDCEFC29FCCC56A366749A5149C2BF14F9
SHA-256:	344DB9816BA7794DBF3AEBF4C4F5E6C9A2CF9CE0CD0ACBF24D14167E85D5711D
SHA-512:	99795FBB4282F3E56F2B2824A6822C1A1A643B0879A96250B2DBA23A7916387EDC2EFAE70918A02E0155BE8B4E0A37635854908AA9F275A093A6ADE0D96463C1
Malicious:	false
Preview:	0..,..*.H..........0......1.0...`.H.e......0.....+.....7......0..~0...+.....7.....no.<CxsH.,.)(.\|0..231006041348Z0...+.....7.....0...0....+.........q.,+...]1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m...d.l.l...0..+. 5...E.%..B.....)..;\;.@..R...1...0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0\..+.....7...1N0L...F.i.l.e.......:i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m._.d.r.i.v.e.r...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 5...E.%..B.....)..;\;.@..R...0.... 67.k.],@A.q...1E....S(..~z..G.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 67.k.],@A.q...1E....S(..~z..G.0..". L...].Vs..=...-.....l8.9K.7..9.d1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r.....

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.dll (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	269832
Entropy (8bit):	6.601133670257957
Encrypted:	false
SSDEEP:	3072:N/HJDlyWARYazWLkQc3UUMGag32TwVVzJ2F2aFPjVCTxnIko7sU2Cp135qTCm:N/JlyKkQcThCwVVzfaFPY7Kn2CpCum
MD5:	D54CE0AC27BFB7E5854BF0F3F2141987
SHA1:	76F987FA9DA987D330C0F50327D2C7E88B2073A7
SHA-256:	5ACAF60D46D5E456AD8B414467D9C66DE3C41CDAE4E136902F3F1B61DCBBEB5B
SHA-512:	B1D31B706F44CB5E5795DA442BEB5D53F2475390827AA32B322D0A160B82858EBEA0AA69970EF7DA59FD00ABE14AABA77AEB83AA11EDE00CDD0A3D3CDA9DB344
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................y....u.......u.......uk......u......Rich............PE..d...o..e.........." ...%............ ........................................`............`A...........................................t...T........@...................(...P...... H..p............................F..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....0......."..................@....pdata..............................@..@_RDATA.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam_Driver.dll (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36368
Entropy (8bit):	6.435140914980148
Encrypted:	false
SSDEEP:	768:mgfeLgDor29cA10SlHRxtqEpYinAMxUrd4/W:mgY29cAqsL7HxUrd4+
MD5:	0624BDCA7C1E1BF264234BE33FD12FF4
SHA1:	F458D3E7300724EE88D21475B1E6A02E85FE2E82
SHA-256:	B73D7118E561CB099551FB2E902295381075E4BDF07732D13C3A3580D30210C7
SHA-512:	5DBD15EAC5628445AC9C79ECB108B71D22BBB68D54A0D9D874BBEF8581963ADA3C58E09D78DEF61B293B9EB23033F45712797B2D762A6144F90584C0556F5912
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\i..\i..\i..I...Ci..I...Ui..I...Yi..U...Li......_i..\i...i......^i......^i......^i..d.._i..d..]i..d..]i..Rich\i..................PE..d...w..e.........." ...%.2...8......."...............................................5....`A.........................................m..`....n.......................f...(......0....f..8............................d..@............P...............................text....0.......2.................. ..`.rdata..d$...P...&...6..............@..@.data................\..............@....pdata...............^..............@..@_RDATA...............b..............@..@.reloc..0............d..............@..B........................................................................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam_Driver.inf (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	4253
Entropy (8bit):	5.639653386929951
Encrypted:	false
SSDEEP:	96:5vAUyYLUOMnTXI4vj4vi4vN5mbQ5iXhug5JcoQy654gzuf/9ADGAIKDUDddECahl:xAUJzMnTXI4vj4vi4vN5mbQ5iXhug5Jc
MD5:	CF4188B255F5EF62D58B8EDA3E7BE0B8
SHA1:	7628031BD425A5DD1AA21DC5689961FBD5456690
SHA-256:	4CB21C2E5D885673F5993DE513A32D04AC01E6E26C38EB394BC237D3DD39AB64
SHA-512:	518C567A5E7073AED0981775FF53A6AA383F22204ACAF734C1765DAC4CFF28310412A9152F15790F4198281A71A765004B699723DB13782D0546DED983A0497E
Malicious:	false
Preview:	;..; SimpleMediaSourceDriver.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=Camera..ClassGuid={ca3e7ab9-b4c3-4ae6-8251-579ef933890f} ;.E.J.E..E..E..E..E.f.E.o.E.C.E.X.E..L.E..E.GUID //.E..X.E..E..E.....PnpLockdown=1..Provider=%ProviderString%..DriverVer = 10/06/2023,13.13.41.473..CatalogFile=ImagingEdgeWebcam.cat....[DestinationDirs]..UMDriverCopy=12,UMDF ; copy to driversMdf..CustomCaptureSourceCopy=11....[SourceDisksNames]..1 = %DiskId1%,,,""....[SourceDisksFiles]..ImagingEdgeWebcam_Driver.dll = 1,,..ImagingEdgeWebcam.dll = 1,,....;***************************************..; SimpleMFSource Install Section..;***************************************....[Manufacturer]..%StdMfg%=Standard,NTamd64....[Standard.NTamd64]..%ImagingEdgeWebcam.DeviceDesc%=ImagingEdgeWebcam, root\ImagingEdgeWebcam....;---------------- copy files..[ImagingEdgeWebcam.NT]..CopyFiles=UMDriverCopy, CustomCaptureSourceCopy..AddReg = CustomCaptureSource.ComRegistration....;-------------------------------

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27DC.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	11824
Entropy (8bit):	7.486155218369192
Encrypted:	false
SSDEEP:	192:1/hzypINyby2sE9jBF6IYiYF8pA5K+oBf1hZFqrrvxwiRE:VNyb8E9VF6IYinAM+oZinvDE
MD5:	9BC95EAB4A2B29AEC769D9A217F5A736
SHA1:	E3D42ECDCEFC29FCCC56A366749A5149C2BF14F9
SHA-256:	344DB9816BA7794DBF3AEBF4C4F5E6C9A2CF9CE0CD0ACBF24D14167E85D5711D
SHA-512:	99795FBB4282F3E56F2B2824A6822C1A1A643B0879A96250B2DBA23A7916387EDC2EFAE70918A02E0155BE8B4E0A37635854908AA9F275A093A6ADE0D96463C1
Malicious:	false
Preview:	0..,..*.H..........0......1.0...`.H.e......0.....+.....7......0..~0...+.....7.....no.<CxsH.,.)(.\|0..231006041348Z0...+.....7.....0...0....+.........q.,+...]1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m...d.l.l...0..+. 5...E.%..B.....)..;\;.@..R...1...0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0\..+.....7...1N0L...F.i.l.e.......:i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m._.d.r.i.v.e.r...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 5...E.%..B.....)..;\;.@..R...0.... 67.k.],@A.q...1E....S(..~z..G.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,i.m.a.g.i.n.g.e.d.g.e.w.e.b.c.a.m...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 67.k.],@A.q...1E....S(..~z..G.0..". L...].Vs..=...-.....l8.9K.7..9.d1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r.....

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27EC.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	269832
Entropy (8bit):	6.601133670257957
Encrypted:	false
SSDEEP:	3072:N/HJDlyWARYazWLkQc3UUMGag32TwVVzJ2F2aFPjVCTxnIko7sU2Cp135qTCm:N/JlyKkQcThCwVVzfaFPY7Kn2CpCum
MD5:	D54CE0AC27BFB7E5854BF0F3F2141987
SHA1:	76F987FA9DA987D330C0F50327D2C7E88B2073A7
SHA-256:	5ACAF60D46D5E456AD8B414467D9C66DE3C41CDAE4E136902F3F1B61DCBBEB5B
SHA-512:	B1D31B706F44CB5E5795DA442BEB5D53F2475390827AA32B322D0A160B82858EBEA0AA69970EF7DA59FD00ABE14AABA77AEB83AA11EDE00CDD0A3D3CDA9DB344
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................y....u.......u.......uk......u......Rich............PE..d...o..e.........." ...%............ ........................................`............`A...........................................t...T........@...................(...P...... H..p............................F..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....0......."..................@....pdata..............................@..@_RDATA.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27FD.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36368
Entropy (8bit):	6.435140914980148
Encrypted:	false
SSDEEP:	768:mgfeLgDor29cA10SlHRxtqEpYinAMxUrd4/W:mgY29cAqsL7HxUrd4+
MD5:	0624BDCA7C1E1BF264234BE33FD12FF4
SHA1:	F458D3E7300724EE88D21475B1E6A02E85FE2E82
SHA-256:	B73D7118E561CB099551FB2E902295381075E4BDF07732D13C3A3580D30210C7
SHA-512:	5DBD15EAC5628445AC9C79ECB108B71D22BBB68D54A0D9D874BBEF8581963ADA3C58E09D78DEF61B293B9EB23033F45712797B2D762A6144F90584C0556F5912
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\i..\i..\i..I...Ci..I...Ui..I...Yi..U...Li......_i..\i...i......^i......^i......^i..d.._i..d..]i..d..]i..Rich\i..................PE..d...w..e.........." ...%.2...8......."...............................................5....`A.........................................m..`....n.......................f...(......0....f..8............................d..@............P...............................text....0.......2.................. ..`.rdata..d$...P...&...6..............@..@.data................\..............@....pdata...............^..............@..@_RDATA...............b..............@..@.reloc..0............d..............@..B........................................................................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET282D.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	4253
Entropy (8bit):	5.639653386929951
Encrypted:	false
SSDEEP:	96:5vAUyYLUOMnTXI4vj4vi4vN5mbQ5iXhug5JcoQy654gzuf/9ADGAIKDUDddECahl:xAUJzMnTXI4vj4vi4vN5mbQ5iXhug5Jc
MD5:	CF4188B255F5EF62D58B8EDA3E7BE0B8
SHA1:	7628031BD425A5DD1AA21DC5689961FBD5456690
SHA-256:	4CB21C2E5D885673F5993DE513A32D04AC01E6E26C38EB394BC237D3DD39AB64
SHA-512:	518C567A5E7073AED0981775FF53A6AA383F22204ACAF734C1765DAC4CFF28310412A9152F15790F4198281A71A765004B699723DB13782D0546DED983A0497E
Malicious:	false
Preview:	;..; SimpleMediaSourceDriver.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=Camera..ClassGuid={ca3e7ab9-b4c3-4ae6-8251-579ef933890f} ;.E.J.E..E..E..E..E.f.E.o.E.C.E.X.E..L.E..E.GUID //.E..X.E..E..E.....PnpLockdown=1..Provider=%ProviderString%..DriverVer = 10/06/2023,13.13.41.473..CatalogFile=ImagingEdgeWebcam.cat....[DestinationDirs]..UMDriverCopy=12,UMDF ; copy to driversMdf..CustomCaptureSourceCopy=11....[SourceDisksNames]..1 = %DiskId1%,,,""....[SourceDisksFiles]..ImagingEdgeWebcam_Driver.dll = 1,,..ImagingEdgeWebcam.dll = 1,,....;***************************************..; SimpleMFSource Install Section..;***************************************....[Manufacturer]..%StdMfg%=Standard,NTamd64....[Standard.NTamd64]..%ImagingEdgeWebcam.DeviceDesc%=ImagingEdgeWebcam, root\ImagingEdgeWebcam....;---------------- copy files..[ImagingEdgeWebcam.NT]..CopyFiles=UMDriverCopy, CustomCaptureSourceCopy..AddReg = CustomCaptureSource.ComRegistration....;-------------------------------

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:5l:7
MD5:	2DD3F3C33E7100EC0D4DBBCA9774B044
SHA1:	B254D47F2B9769F13B033CAE2B0571D68D42E5EB
SHA-256:	5A00CC998E0D0285B729964AFD20618CBAECFA7791FECDB843B535491A83AE21
SHA-512:	C719D8C54A3A749A41B8FC430405DB7FCDE829C150F27C89015793CA06018AD9D6833F20AB7E0CFDA99E16322B52A19C080E8C618F996FC8923488819E6E14BB
Malicious:	false
Preview:	CMMM ...................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	0.011583993782604628
Encrypted:	false
SSDEEP:	24:6nwWs0UqdnP8VafYH434zXtUEzZ5Y0ncR3ZgtvnQIl:MwWf7YK4zXtUEzZ5Y0E3OyI
MD5:	B6ABCA0DEB50E5CE4E5869070B6ED178
SHA1:	10187043BFAB3DB482803E6420DAB5F5970824ED
SHA-256:	88BE8CEB1EC1282BBCD9418D687E302361A3CEAFB79639AC529B92D0EBBF143E
SHA-512:	A42E386458AB798CFE8E2CB2E0F63842C1717BB3119057183785CFA45A92C76E27C0BDB8D84A0FC1E3294EFCEA31DE4E04E8FA1B0D33D8E432A4143EBA32140C
Malicious:	false
Preview:	CMMM ...................CMMM......dJ.... .......................5C..-g...r..p;!#e.5.d.7.c.7.a.a.4.a.6.4.f.3.1.c...BM............\|............. ......................................... niW.........................................................................................................i.P.i.P.................................................i...i...i...i...i...i.......................................i.0.i...t..+...+....t...i...i.0.............................i.0.i......6...:...9...5....y...i...i.0.....................i.0.i......;...;...........9...9........i...i.0.................i...y..8...;...;...........:...9...5....y...i...............i.`.i..1...<...<...;...;...;...:...:...9........i...i.`.........i......=...=...<...<...........;...:...:...9........i...........i..+...>...=...=...<...........;...;...:...:...'....i...........i../...>...>...=...=...........;...;...;...:...,....i...........i..?...>...>...>...=...........<...;...;...;...:....i...........i..?...?...>...>...>.......

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:A/lll:A/
MD5:	635E15CB045FF4CF0E6A31C827225767
SHA1:	F1EAAA628678441481309261FABC9D155C0DD6CB
SHA-256:	67219E5AD98A31E8FA8593323CD2024C1CA54D65985D895E8830AE356C7BDF1D
SHA-512:	81172AE72153B24391C19556982A316E16E638F5322B11569D76B28E154250D0D2F31E83E9E832180E34ADD0D63B24D36DD8A0CEE80E8B46D96639BFF811FA58
Malicious:	false
Preview:	CMMM ...................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:7/lll:x
MD5:	F6B463BE7B50F3CC5D911B76002A6B36
SHA1:	C94920D1E0207B0F53D623A96F48D635314924D2
SHA-256:	16E4D1B41517B48CE562349E3895013C6D6A0DF4FCFFC2DA752498E33C4D9078
SHA-512:	4D155DFEDD3D44EDFBBE7AC84D3E81141D4BB665399C2A5CF01605C24BD12E6FAF87BB5B666EA392E1B246005DFABDE2208ED515CD612D34BAC7F965FD6CC57E
Malicious:	false
Preview:	CMMM ...................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:lX:1
MD5:	2D84AD5CFDF57BD4E3656BCFD9A864EA
SHA1:	B7B82E72891E16D837A54F94960F9B3C83DC5552
SHA-256:	D241584A3FD4A91976FAFD5EC427E88F6E60998954DEC39E388AF88316AF3552
SHA-512:	0D9BC1EE51A4FB91B24E37F85AFBF88376C88345483D686C6CFF84066544287C98534AA701D7D4D52E53F10A3BEA73EE8BC38D18425FDE6D66352F8B76C0CBB5
Malicious:	false
Preview:	CMMM ...................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:2/l/:S/
MD5:	60476A101249AEDFF09A43E047040191
SHA1:	DE5B6A0ADC7DE7180E19286CF0F13567278CDB64
SHA-256:	35BC77A06BFDDE8C8F3A474C88520262B88C7B8992EE6B2D5CF41DDDC77A83FB
SHA-512:	F1D2DCC562A36434C6C6405EC4EAC7ECFA76FC5A940114DA6F94495B77584A132D5D82AD3556DF749490BE096CFD238FA8B484B7C734CBC4D074E963E5D451F4
Malicious:	false
Preview:	CMMM ...................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:3X:n
MD5:	AE6FBDED57F9F7D048B95468DDEE47CA
SHA1:	C4473EA845BE2FB5D28A61EFD72F19D74D5FC82E
SHA-256:	D3C9D1FF7B54B653C6A1125CAC49F52070338A2DD271817BBA8853E99C0F33A9
SHA-512:	F119D5AD9162F0F5D376E03A9EA15E30658780E18DD86E81812DDA8DDF59ADDD1DAA0706B2F5486DF8F17429C2C60AA05D4F041A2082FD2EC6EA8CC9469FADE3
Malicious:	false
Preview:	CMMM ...................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:Wtl:WX
MD5:	D192F7C343602D02E3E020807707006E
SHA1:	82259C6CB5B1F31CC2079A083BC93C726BFC4FBF
SHA-256:	BB4D233C90BDBEE6EF83E40BFF1149EA884EFA790B3BEF496164DF6F90297C48
SHA-512:	AEC90CF52646B5B0EF00CEB2A8D739BEFE456D08551C031E8DEC6E1F549A6535C1870ADB62EEC0A292787AE6A7876388DD1B2C884CBA8CC6E2D7993790102F43
Malicious:	false
Preview:	CMMM ...................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:s:s
MD5:	2A8875D2AF46255DB8324AAD9687D0B7
SHA1:	7A066FA7B69FB5450C26A1718B79AD27A9021CA9
SHA-256:	54097CCCAE0CFCE5608466BA5A5CA2A3DFEAC536964EEC532540F3B837F5A7C7
SHA-512:	2C39F05A4DFFD30800BB7FBB3FF2018CF4CC96398460B7492F05CE6AFD59079FD6E3EB7C4F8384A35A954A22B4934C162A38534AD76CFB2FD772BCF10E211F7C
Malicious:	false
Preview:	CMMM ...................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:a/l/:e/
MD5:	F732BF1006B6529CFFBA2B9F50C4B07F
SHA1:	D3E8D4AF812BBC4F4013C53C4FFAB992D1D714E3
SHA-256:	77739084A27CB320F208AC1927D3D9C3CAC42748DBDF6229684EF18352D95067
SHA-512:	064D56217AEB2980A3BFAA1E252404613624D600C3A08B5CF0ADCB259596A1C60EE903FDC2650972785E5AE9B7B51890DED01EC4DA7B4DE94EBDA08AEAF662DF
Malicious:	false
Preview:	CMMM ...................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:EX:EX
MD5:	FC94FE7BD3975E75CEFAD79F5908F7B3
SHA1:	78E7DA8D08E8898E956521D3B1BABBF6524E1DCA
SHA-256:	EE1ED3B49720B22D5FDA63D3C46D62A96CA8838C76AB2D2F580B1E7745521AA5
SHA-512:	4CEAF9021B30734F4CE8B4D4A057539472E68C0ADD199CF9C3D1C1C95320DA3884CAF46943FC9F7281607AB7FA6476027860EBED8BBAA9C44B3F4056B5E074D3
Malicious:	false
Preview:	CMMM ...................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	7416
Entropy (8bit):	0.1225205706908585
Encrypted:	false
SSDEEP:	3:tn6lBlll9/l9elgBy7EtJR1//:0BtEgBy7EtD1X
MD5:	F66C1E91A38A47F00091D2F19BD30334
SHA1:	1B75D4E1D72D01B86A8D7FE356A90F3BF98C6768
SHA-256:	D8410DD3940576405A5E5F0E0A970AFC67497AD195F02665A2BD819217BB1C64
SHA-512:	0F169CCA72A8804F9AD37424569A0B1DA1FB8CB4FC77313251926261F1C19063ABB3333499DB8D7BD932BD80F57037EFAD846AE39863C37B74214AF81FD2788A
Malicious:	false
Preview:	..0 IMMM ...............e...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:6:6
MD5:	379523B9F5D5B954E719B664846DBF8F
SHA1:	930823EC80B85EDD22BAF555CAD21CDF48F066AA
SHA-256:	3C9002CAEDF0C007134A7E632C72588945A4892B6D7AD3977224A6A5A7457BF4
SHA-512:	ECA44DE86BBC3309FA6EAB400154D123DCD97DC1DB79554CE58CE2426854197E2365F5EEE42BAC6E6E9455561B206F592E159EF82FAF229212864894E6021E98
Malicious:	false
Preview:	CMMM ...................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:V/l/:/
MD5:	5F243BF7CC0A348B6D31460A91173E71
SHA1:	5696B34625F027EC01765FC2BE49EFCFD882BF8E
SHA-256:	1B1AED169F2ACFAE4CF230701BDA91229CB582FF2CE29A413C5B8FE3B890D289
SHA-512:	9E08DFBBF20668B86DF696A0D5969E04E6EE4A67E997FF392099BC7FF184B1B8965502215744BE7FE423668B69099242BBA54DF3F0BFE4E70ACDC7CAD8195B02
Malicious:	false
Preview:	CMMM ...................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:J:J
MD5:	DB7C049E5E4E336D76D5A744C28C54C8
SHA1:	A4DB9C8586B9E4FA24416EB0D00F06A9EBD16B02
SHA-256:	E8830E7AC4088CF3DD464CAEC33A0035D966A7DE5AE4EFC3580D59A41916FF7B
SHA-512:	B614037FB1C7D19D704BF15F355672114D25080223E7EE4424AD2CB7B89782219E7877B373BBC7FA44F3AD8DF8A27EEF4E8CCC765D44EC02A61E3B7FAE88AE69
Malicious:	false
Preview:	CMMM ...................

C:\Windows\Temp\~DF078B503D22F595BD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF374548108D8C982B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2869139659306428
Encrypted:	false
SSDEEP:	48:lcPuOBth8FXz1T5e9385JN92bQ1d9hSJ6Ad94o9385JNRQ/PEK+d9hSI1jm:iPe7T6sskrgfskc7A
MD5:	F7C97F482027CDAD99B30D2E4BAEFBCC
SHA1:	668EC174360AD95AB0B9E39193B48C71181745F8
SHA-256:	BF86A23C1D4807DE518A2D357330ED9E740623AE82FA19F7862BA896047440B5
SHA-512:	C9FC797F22B065575D310A4682203FC1CEF6520516942E6318ABAD63D1231001562B2FD722E748DD7233D73731B7C29C35A6A96C53795457FE30131B57BF9A8E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF42DCA64EBD2EB59D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07062011336967261
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOHFxIudYllt4Vky6lw:2F0i8n0itFzDHFlyJw
MD5:	74A01024EEB87C03F05C16180485D378
SHA1:	247F3EA508CDBC04EBABA583AE2BE0C20647AA5A
SHA-256:	08DE02A9083CB12438EEB321E45B4DB3DC360B2AC81A4082724754B5F8792BA8
SHA-512:	BCFF47E0FC7EF3E6BA5AB8D88BF558AEFE2A8E441C58CD1C0AF58C22129EFF9140AAA33B07C896A8BD9E47D0249A8BE67CC63A7E9DE25481AC30EBA0C74EC7D4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7C575039BFD3D0D1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	0.1401776336813471
Encrypted:	false
SSDEEP:	48:Qjm5md9hSPd9hSJ6Ad94o9385JNRQ/PEK6bQk9385JN9:RswgfskcZkys
MD5:	2414446BD3860DCE4C60DA542F3BB4D0
SHA1:	5FB7FBADB83C8493057B0D7451564A5361ECC1C2
SHA-256:	194BB4EC4D02FCDF119464076CFDB627A0AC5851E61C6E37853744B8273AA042
SHA-512:	8548ABA64C64308D7913D92E0151EAFD63A32AE1A2B683D1456FA9E4782EBDAA5131F6589F89AEF041E8FD1607E80FE73E6DFC384EFF7666E3338D1202250173
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.955261679278543
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IEW113_2311a.exe
File size:	5'302'512 bytes
MD5:	1bb2447f9ae84781bcfa73eda1606d72
SHA1:	6c875dd5404a67ceb1d3aee207be4286cbd8dd93
SHA256:	45f839521bdf4ebfeb32d8dd17ea33133e3c7ae67c6859380bea02cf56cf30f6
SHA512:	fed923b0bb7f303b721f374f677ff61ce588d40c08a839436f82bf27c10638b4a5a1ad9ef5d518d05450cd308bd1dbdaf079bc840c81adfeeba3397986f67f9c
SSDEEP:	98304:cp2gHRKe350tDLaAaPgmprQy19r0J8rk4Dn+7UU+My/UsvUl:qZHRK/aomK69r0irkqz/UKUl
TLSH:	5536222123FA8124F5F3AA35E8B45AA0497EBF61DB31C18F028471599DB0AD2D674F37
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................u.i.....u.k.Q...u.j.....................................i.......i.g.............i.......Rich...

File Icon


Icon Hash:	c486d8e8c898bec6

Static PE Info

General

Entrypoint:	0x416600
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62C64C93 [Thu Jul 7 03:01:39 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	625fd66a582e409127cd1cdc0a7095d1

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	27/02/2023 00:00:00 10/03/2024 23:59:59
Subject Chain	CN=Sony Corporation, OU=IP&S Business Group System Software Technology Center, O=Sony Corporation, L=Minato-ku, S=Tokyo, C=JP
Version:	3
Thumbprint MD5:	92284C5D1109515A6668BC680ACAF759
Thumbprint SHA-1:	2819D44235A9F7AC57AFBE2F1D230A263678F0A7
Thumbprint SHA-256:	3DCC9955BED85FA0D50737C3D3ED1B761BB7238AA8508B9E85BA0751041A41F6
Serial:	0A8EAA1450F2739E6FD55CAC142144F3

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ecx
lea ecx, dword ptr [ebp-04h]
call 00007F02F87E0CA9h
lea eax, dword ptr [ebp-04h]
mov dword ptr [00446B54h], eax
call 00007F02F87FCE4Dh
mov dword ptr [00446B54h], 00000000h
mov esp, ebp
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push FFFFFFFFh
push 00435E41h
mov eax, dword ptr fs:[00000000h]
push eax
sub esp, 2Ch
push ebx
push esi
push edi
mov eax, dword ptr [00445880h]
xor eax, ebp
push eax
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
mov ebx, ecx
mov dword ptr [ebp-38h], ebx
xor edi, edi
xor ecx, ecx
mov dword ptr [ebp-20h], edi
mov eax, dword ptr [ebx+04h]
mov dword ptr [ebp-24h], ecx
test eax, eax
je 00007F02F87E15E3h
cmp ecx, eax
jnc 00007F02F87E1641h
mov eax, dword ptr [ebx]
lea ebx, dword ptr [eax+ecx*4]
mov eax, dword ptr [ebx]
cmp dword ptr [eax-0Ch], 00000000h
jng 00007F02F87E15DCh
push 0000002Dh
push eax
call 00007F02F87F9AB3h
mov esi, eax
add esp, 08h
mov eax, dword ptr [ebx]
test esi, esi
je 00007F02F87E15C5h
sub esi, eax
sar esi, 1
js 00007F02F87E15BBh
push esi
lea eax, dword ptr [ebp-18h]
mov ecx, ebx
push eax
call 00007F02F87DAC1Dh
mov dword ptr [ebp-04h], 00000000h
lea ecx, dword ptr [esi+01h]
mov eax, dword ptr [ebx]
mov eax, dword ptr [eax-0Ch]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x43718	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x29a58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x50c190	0x2760
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x2b48	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3fda0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x3fe10	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3ceb8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x37000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x42c94	0x180	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x357b9	0x35800	7800336e3463abd4add27c8b381ad955	False	0.5227895005841121	data	6.540898105421263	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x37000	0xd6b4	0xd800	f07ff23f4d77b09d8b78b27d4d86a4d6	False	0.41793258101851855	data	4.903709562228883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x45000	0x1bac	0x1000	2551ff99d8da06111e8cbce4e0b0e0d1	False	0.243896484375	data	3.772861734586296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x47000	0x29a58	0x29c00	5a7f13f4c55cd3d0d5b5a33ed85ca787	False	0.3163360778443114	data	5.296790756874419	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x2b48	0x2c00	7310dc31beb535029e13ce013bf44e41	False	0.7433416193181818	data	6.589484783372459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x48510	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.46365248226950356
RT_ICON	0x48978	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.29080675422138835
RT_ICON	0x49a20	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.22593360995850623
RT_ICON	0x4bfc8	0x4076	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9940613258998909
RT_DIALOG	0x50040	0x106	data			0.6984732824427481
RT_DIALOG	0x50148	0x108	data	English	United States	0.6553030303030303
RT_DIALOG	0x50250	0x10e	data			0.6925925925925925
RT_DIALOG	0x50360	0x110	data	English	United States	0.6544117647058824
RT_STRING	0x50470	0x6e	data	Bulgarian	Bulgaria	0.7
RT_STRING	0x504e0	0x8e	data	Chinese	Taiwan	0.528169014084507
RT_STRING	0x50570	0x6e	data	Czech	Czech Republic	0.7
RT_STRING	0x505e0	0x6e	data	German	Germany	0.7
RT_STRING	0x50650	0x6e	data	Greek	Greece	0.7
RT_STRING	0x506c0	0x6e	data	English	United States	0.7
RT_STRING	0x50730	0x6e	data	French	France	0.7
RT_STRING	0x507a0	0x6e	data	Hungarian	Hungary	0.7
RT_STRING	0x50810	0x6e	data	Italian	Italy	0.7
RT_STRING	0x50880	0x70	data	Japanese	Japan	0.7053571428571429
RT_STRING	0x508f0	0x7a	data	Korean	North Korea	0.5573770491803278
RT_STRING	0x508f0	0x7a	data	Korean	South Korea	0.5573770491803278
RT_STRING	0x5096c	0x6e	data	Dutch	Netherlands	0.7
RT_STRING	0x509dc	0x6e	data	Polish	Poland	0.7
RT_STRING	0x50a4c	0x6e	data	Portuguese	Brazil	0.7
RT_STRING	0x50abc	0x6e	data	Romanian	Romania	0.7
RT_STRING	0x50b2c	0x6e	data	Russian	Russia	0.7
RT_STRING	0x50b9c	0x6e	data	Slovak	Slovakia	0.7
RT_STRING	0x50c0c	0x6e	data	Thai	Thailand	0.5545454545454546
RT_STRING	0x50c7c	0x6e	data	Turkish	Turkey	0.7
RT_STRING	0x50cec	0x82	data	Chinese	China	0.5538461538461539
RT_STRING	0x50d70	0x6e	data			0.7
RT_STRING	0x50de0	0x1c2	data	Bulgarian	Bulgaria	0.5022222222222222
RT_STRING	0x50fa4	0xae	data	Chinese	Taiwan	0.8275862068965517
RT_STRING	0x51054	0x1a0	data	Czech	Czech Republic	0.5889423076923077
RT_STRING	0x511f4	0x208	data	German	Germany	0.48653846153846153
RT_STRING	0x513fc	0x1d2	data	Greek	Greece	0.5472103004291845
RT_STRING	0x515d0	0x190	data	English	United States	0.505
RT_STRING	0x51760	0x1be	data	French	France	0.5089686098654709
RT_STRING	0x51920	0x194	data	Hungarian	Hungary	0.5767326732673267
RT_STRING	0x51ab4	0x1d8	data	Italian	Italy	0.4766949152542373
RT_STRING	0x51c8c	0x106	data	Japanese	Japan	0.7175572519083969
RT_STRING	0x51d94	0xd6	data	Korean	North Korea	0.8598130841121495
RT_STRING	0x51d94	0xd6	data	Korean	South Korea	0.8598130841121495
RT_STRING	0x51e6c	0x1cc	data	Dutch	Netherlands	0.4826086956521739
RT_STRING	0x52038	0x1c4	data	Polish	Poland	0.5398230088495575
RT_STRING	0x521fc	0x1aa	data	Portuguese	Brazil	0.5023474178403756
RT_STRING	0x523a8	0x1c4	data	Romanian	Romania	0.5265486725663717
RT_STRING	0x5256c	0x1c4	data	Russian	Russia	0.4889380530973451
RT_STRING	0x52730	0x1ae	data	Slovak	Slovakia	0.5767441860465117
RT_STRING	0x528e0	0x17e	data	Thai	Thailand	0.56282722513089
RT_STRING	0x52a60	0x1ac	data	Turkish	Turkey	0.544392523364486
RT_STRING	0x52c0c	0xa8	data	Chinese	China	0.8392857142857143
RT_STRING	0x52cb4	0x1ba	data			0.497737556561086
RT_STRING	0x52e70	0xf0	data	Bulgarian	Bulgaria	0.5416666666666666
RT_STRING	0x52f60	0x74	data	Chinese	Taiwan	0.6810344827586207
RT_STRING	0x52fd4	0x10a	data	Czech	Czech Republic	0.5375939849624061
RT_STRING	0x530e0	0x12c	data	German	Germany	0.49333333333333335
RT_STRING	0x5320c	0xe8	data	Greek	Greece	0.5431034482758621
RT_STRING	0x532f4	0xf8	data	English	United States	0.4798387096774194
RT_STRING	0x533ec	0x12c	data	French	France	0.47
RT_STRING	0x53518	0x132	data	Hungarian	Hungary	0.5
RT_STRING	0x5364c	0x12c	data	Italian	Italy	0.45
RT_STRING	0x53778	0xa8	data	Japanese	Japan	0.6904761904761905
RT_STRING	0x53820	0x98	data	Korean	North Korea	0.7302631578947368
RT_STRING	0x53820	0x98	data	Korean	South Korea	0.7302631578947368
RT_STRING	0x538b8	0x10a	data	Dutch	Netherlands	0.49624060150375937
RT_STRING	0x539c4	0x108	data	Polish	Poland	0.5113636363636364
RT_STRING	0x53acc	0xf6	data	Portuguese	Brazil	0.45934959349593496
RT_STRING	0x53bc4	0x110	data	Romanian	Romania	0.49264705882352944
RT_STRING	0x53cd4	0xf4	data	Russian	Russia	0.5573770491803278
RT_STRING	0x53dc8	0x132	data	Slovak	Slovakia	0.5261437908496732
RT_STRING	0x53efc	0xd0	data	Thai	Thailand	0.5913461538461539
RT_STRING	0x53fcc	0x104	data	Turkish	Turkey	0.5076923076923077
RT_STRING	0x540d0	0x72	data	Chinese	China	0.6754385964912281
RT_STRING	0x54144	0x12c	data			0.43333333333333335
RT_STRING	0x54270	0x1f0	data	Bulgarian	Bulgaria	0.48185483870967744
RT_STRING	0x54460	0xf4	data	Chinese	Taiwan	0.6639344262295082
RT_STRING	0x54554	0x1f0	data	Czech	Czech Republic	0.4778225806451613
RT_STRING	0x54744	0x250	data	German	Germany	0.42567567567567566
RT_STRING	0x54994	0x228	data	Greek	Greece	0.4963768115942029
RT_STRING	0x54bbc	0x204	data	English	United States	0.4127906976744186
RT_STRING	0x54dc0	0x21e	data	French	France	0.4151291512915129
RT_STRING	0x54fe0	0x1c2	data	Hungarian	Hungary	0.4688888888888889
RT_STRING	0x551a4	0x250	data	Italian	Italy	0.40033783783783783
RT_STRING	0x553f4	0x14e	data	Japanese	Japan	0.6137724550898204
RT_STRING	0x55544	0x152	data	Korean	North Korea	0.6183431952662722
RT_STRING	0x55544	0x152	data	Korean	South Korea	0.6183431952662722
RT_STRING	0x55698	0x220	data	Dutch	Netherlands	0.41911764705882354
RT_STRING	0x558b8	0x204	data	Polish	Poland	0.4689922480620155
RT_STRING	0x55abc	0x1ee	data	Portuguese	Brazil	0.43724696356275305
RT_STRING	0x55cac	0x20a	data	Romanian	Romania	0.4329501915708812
RT_STRING	0x55eb8	0x1d8	data	Russian	Russia	0.5063559322033898
RT_STRING	0x56090	0x218	data	Slovak	Slovakia	0.4664179104477612
RT_STRING	0x562a8	0x1c6	data	Thai	Thailand	0.4911894273127753
RT_STRING	0x56470	0x1c6	data	Turkish	Turkey	0.48237885462555063
RT_STRING	0x56638	0xf4	data	Chinese	China	0.6598360655737705
RT_STRING	0x5672c	0x248	data			0.4143835616438356
RT_STRING	0x56974	0x464	data	Bulgarian	Bulgaria	0.39679715302491103
RT_STRING	0x56dd8	0x162	data	Chinese	Taiwan	0.807909604519774
RT_STRING	0x56f3c	0x3d4	data	Czech	Czech Republic	0.43673469387755104
RT_STRING	0x57310	0x4fe	data	German	Germany	0.38184663536776214
RT_STRING	0x57810	0x506	data	Greek	Greece	0.41135303265940903
RT_STRING	0x57d18	0x42c	data	English	United States	0.38108614232209737
RT_STRING	0x58144	0x4a6	data	French	France	0.3815126050420168
RT_STRING	0x585ec	0x45e	data	Hungarian	Hungary	0.43202146690518783
RT_STRING	0x58a4c	0x49a	data	Italian	Italy	0.3735144312393888
RT_STRING	0x58ee8	0x240	data	Japanese	Japan	0.6215277777777778
RT_STRING	0x59128	0x23e	data	Korean	North Korea	0.6393728222996515
RT_STRING	0x59128	0x23e	data	Korean	South Korea	0.6393728222996515
RT_STRING	0x59368	0x4f6	data	Dutch	Netherlands	0.3606299212598425
RT_STRING	0x59860	0x4aa	OpenPGP Public Key	Polish	Poland	0.4103852596314908
RT_STRING	0x59d0c	0x486	data	Portuguese	Brazil	0.3756476683937824
RT_STRING	0x5a194	0x46c	data	Romanian	Romania	0.3931095406360424
RT_STRING	0x5a600	0x46c	data	Russian	Russia	0.4204946996466431
RT_STRING	0x5aa6c	0x406	data	Slovak	Slovakia	0.43592233009708736
RT_STRING	0x5ae74	0x378	data	Thai	Thailand	0.4380630630630631
RT_STRING	0x5b1ec	0x3de	data	Turkish	Turkey	0.4171717171717172
RT_STRING	0x5b5cc	0x16e	data	Chinese	China	0.7759562841530054
RT_STRING	0x5b73c	0x4a2	data			0.35328836424957843
RT_STRING	0x5bbe0	0x258	data	Bulgarian	Bulgaria	0.4033333333333333
RT_STRING	0x5be38	0xc0	data	Chinese	Taiwan	0.7552083333333334
RT_STRING	0x5bef8	0x218	data	Czech	Czech Republic	0.4085820895522388
RT_STRING	0x5c110	0x2f2	data	German	Germany	0.36074270557029176
RT_STRING	0x5c404	0x204	data	Greek	Greece	0.4496124031007752
RT_STRING	0x5c608	0x212	data	English	United States	0.41132075471698115
RT_STRING	0x5c81c	0x256	data	French	France	0.4297658862876254
RT_STRING	0x5ca74	0x1f4	data	Hungarian	Hungary	0.474
RT_STRING	0x5cc68	0x25a	data	Italian	Italy	0.39368770764119604
RT_STRING	0x5cec4	0x130	data	Japanese	Japan	0.6085526315789473
RT_STRING	0x5cff4	0x11a	data	Korean	North Korea	0.6595744680851063
RT_STRING	0x5cff4	0x11a	data	Korean	South Korea	0.6595744680851063
RT_STRING	0x5d110	0x1fe	data	Dutch	Netherlands	0.4176470588235294
RT_STRING	0x5d310	0x26a	data	Polish	Poland	0.42718446601941745
RT_STRING	0x5d57c	0x274	data	Portuguese	Brazil	0.39012738853503187
RT_STRING	0x5d7f0	0x212	data	Romanian	Romania	0.4075471698113208
RT_STRING	0x5da04	0x1f8	data	Russian	Russia	0.43253968253968256
RT_STRING	0x5dbfc	0x212	data	Slovak	Slovakia	0.4509433962264151
RT_STRING	0x5de10	0x1ca	data	Thai	Thailand	0.4672489082969432
RT_STRING	0x5dfdc	0x1ee	data	Turkish	Turkey	0.4716599190283401
RT_STRING	0x5e1cc	0xbe	data	Chinese	China	0.7526315789473684
RT_STRING	0x5e28c	0x280	data			0.371875
RT_STRING	0x5e50c	0x51a	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Bulgarian	Bulgaria	0.34686064318529863
RT_STRING	0x5ea28	0x1c2	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Chinese	Taiwan	0.6822222222222222
RT_STRING	0x5ebec	0x4ce	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Czech	Czech Republic	0.35040650406504065
RT_STRING	0x5f0bc	0x608	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	German	Germany	0.31411917098445596
RT_STRING	0x5f6c4	0x5c4	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Greek	Greece	0.3611111111111111
RT_STRING	0x5fc88	0x4f6	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	English	United States	0.3283464566929134
RT_STRING	0x60180	0x5d4	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	French	France	0.30831099195710454
RT_STRING	0x60754	0x4f6	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Hungarian	Hungary	0.3590551181102362
RT_STRING	0x60c4c	0x574	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Italian	Italy	0.3216332378223496
RT_STRING	0x611c0	0x308	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Japanese	Japan	0.49355670103092786
RT_STRING	0x614c8	0x2c6	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Korean	North Korea	0.5464788732394367
RT_STRING	0x614c8	0x2c6	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Korean	South Korea	0.5464788732394367
RT_STRING	0x61790	0x572	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Dutch	Netherlands	0.30631276901004306
RT_STRING	0x61d04	0x5c6	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Polish	Poland	0.3301759133964817
RT_STRING	0x622cc	0x5b6	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Portuguese	Brazil	0.320109439124487
RT_STRING	0x62884	0x628	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Romanian	Romania	0.3039340101522843
RT_STRING	0x62eac	0x586	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Russian	Russia	0.371994342291372
RT_STRING	0x63434	0x504	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Slovak	Slovakia	0.35046728971962615
RT_STRING	0x63938	0x4a6	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Thai	Thailand	0.3831932773109244
RT_STRING	0x63de0	0x4f8	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Turkish	Turkey	0.35062893081761004
RT_STRING	0x642d8	0x1c2	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Chinese	China	0.66
RT_STRING	0x6449c	0x5cc	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0			0.3005390835579515
RT_STRING	0x64a68	0x524	data	Bulgarian	Bulgaria	0.26595744680851063
RT_STRING	0x64f8c	0x170	data	Chinese	Taiwan	0.529891304347826
RT_STRING	0x650fc	0x466	data	Czech	Czech Republic	0.28507992895204265
RT_STRING	0x65564	0x57e	data	German	Germany	0.2496443812233286
RT_STRING	0x65ae4	0x56c	data	Greek	Greece	0.2845821325648415
RT_STRING	0x66050	0x494	data	English	United States	0.25597269624573377
RT_STRING	0x664e4	0x548	data	French	France	0.2492603550295858
RT_STRING	0x66a2c	0x48c	data	Hungarian	Hungary	0.26890034364261167
RT_STRING	0x66eb8	0x590	data	Italian	Italy	0.23595505617977527
RT_STRING	0x67448	0x24c	data	Japanese	Japan	0.45068027210884354
RT_STRING	0x67694	0x282	data	Korean	North Korea	0.42990654205607476
RT_STRING	0x67694	0x282	data	Korean	South Korea	0.42990654205607476
RT_STRING	0x67918	0x57e	data	Dutch	Netherlands	0.24182076813655762
RT_STRING	0x67e98	0x4cc	data	Polish	Poland	0.28257328990228014
RT_STRING	0x68364	0x4f8	data	Portuguese	Brazil	0.25
RT_STRING	0x6885c	0x550	data	Romanian	Romania	0.2639705882352941
RT_STRING	0x68dac	0x4f6	data	Russian	Russia	0.29448818897637796
RT_STRING	0x692a4	0x478	data	Slovak	Slovakia	0.2928321678321678
RT_STRING	0x6971c	0x3d6	data	Thai	Thailand	0.31262729124236255
RT_STRING	0x69af4	0x3d0	data	Turkish	Turkey	0.3094262295081967
RT_STRING	0x69ec4	0x188	data	Chinese	China	0.5178571428571429
RT_STRING	0x6a04c	0x524	data			0.23708206686930092
RT_STRING	0x6a570	0x464	data	Bulgarian	Bulgaria	0.25889679715302494
RT_STRING	0x6a9d4	0x290	data	Chinese	Taiwan	0.36128048780487804
RT_STRING	0x6ac64	0x488	data	Czech	Czech Republic	0.2672413793103448
RT_STRING	0x6b0ec	0x4f4	data	German	Germany	0.23422712933753942
RT_STRING	0x6b5e0	0x48a	data	Greek	Greece	0.2882960413080895
RT_STRING	0x6ba6c	0x40e	data	English	United States	0.20809248554913296
RT_STRING	0x6be7c	0x48e	data	French	France	0.22898799313893653
RT_STRING	0x6c30c	0x432	data	Hungarian	Hungary	0.24953445065176907
RT_STRING	0x6c740	0x552	data	Italian	Italy	0.21218795888399414
RT_STRING	0x6cc94	0x302	data	Japanese	Japan	0.35194805194805195
RT_STRING	0x6cf98	0x2d0	data	Korean	North Korea	0.3819444444444444
RT_STRING	0x6cf98	0x2d0	data	Korean	South Korea	0.3819444444444444
RT_STRING	0x6d268	0x400	data	Dutch	Netherlands	0.2373046875
RT_STRING	0x6d668	0x4f6	data	Polish	Poland	0.2251968503937008
RT_STRING	0x6db60	0x418	data	Portuguese	Brazil	0.258587786259542
RT_STRING	0x6df78	0x53a	data	Romanian	Romania	0.2085201793721973
RT_STRING	0x6e4b4	0x4c2	data	Russian	Russia	0.2660098522167488
RT_STRING	0x6e978	0x4a4	data	Slovak	Slovakia	0.23905723905723905
RT_STRING	0x6ee1c	0x440	data	Thai	Thailand	0.27941176470588236
RT_STRING	0x6f25c	0x408	data	Turkish	Turkey	0.24709302325581395
RT_STRING	0x6f664	0x29e	data	Chinese	China	0.35074626865671643
RT_STRING	0x6f904	0x4cc	data			0.22149837133550487
RT_GROUP_ICON	0x6fdd0	0x3e	data	English	United States	0.7903225806451613
RT_VERSION	0x6fe10	0x490	data	English	United States	0.3886986301369863
RT_MANIFEST	0x702a0	0x7b6	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1914), with CRLF line terminators	English	United States	0.32269503546099293

Imports

DLL

Import

ADVAPI32.dll

GetSecurityDescriptorDacl, GetAce, InitializeAcl, BuildExplicitAccessWithNameW, SetEntriesInAclW, CreateWellKnownSid, GetUserNameW, EqualSid, LookupAccountSidW, LookupAccountNameW, GetNamedSecurityInfoW, RegCloseKey, RegOpenKeyExW, RegQueryValueExW, RegDeleteValueW, OpenThreadToken, OpenProcessToken, DuplicateTokenEx, MapGenericMask, AccessCheck, GetTokenInformation, AllocateAndInitializeSid, FreeSid

KERNEL32.dll

GetSystemDirectoryW, LoadLibraryW, GetProcAddress, FreeLibrary, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, TlsAlloc, GetCurrentThreadId, SetFileAttributesW, WaitForSingleObject, DeleteFileW, TlsSetValue, TlsGetValue, GetTickCount, CreateFileW, DosDateTimeToFileTime, LocalFileTimeToFileTime, SetFileTime, CloseHandle, MultiByteToWideChar, WideCharToMultiByte, GetLastError, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetFileSizeEx, SetFilePointerEx, WriteFile, CompareStringW, CreateDirectoryW, SetFilePointer, SetEndOfFile, LocalFree, LocalAlloc, GetModuleHandleW, FindFirstFileW, FindNextFileW, FindClose, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, EnterCriticalSection, LeaveCriticalSection, GetCurrentProcess, SetEvent, VerSetConditionMask, VerifyVersionInfoW, CreateEventW, GetVersionExW, GetNativeSystemInfo, GetTempPathW, GetModuleFileNameW, GetFileAttributesW, RemoveDirectoryW, GetProcessId, WaitForMultipleObjects, GetExitCodeProcess, ExpandEnvironmentStringsW, GetLocalTime, GetSystemTime, SystemTimeToFileTime, ResetEvent, GetExitCodeThread, TerminateThread, RaiseException, FlushInstructionCache, GlobalAlloc, GetCurrentProcessId, GetCommandLineW, InterlockedIncrement, InterlockedDecrement, GetCurrentThread, GlobalLock, GlobalFree, GlobalUnlock, SetLastError, lstrlenW, lstrcmpW, FormatMessageW, ExitProcess, SetDllDirectoryW, LoadLibraryExW, LCMapStringW, GetThreadLocale, GetUserDefaultUILanguage, GetUserDefaultLCID, GetLocaleInfoW, GetPrivateProfileStringW, GetFileTime, FileTimeToSystemTime, FileTimeToLocalFileTime, OpenEventW, GetTimeFormatW, GetDateFormatW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, OpenProcess, DuplicateHandle, CreateThread, DecodePointer, IsDebuggerPresent, OutputDebugStringW, EncodePointer, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, GetFileType, ReadFile, GetConsoleMode, ReadConsoleW, GetConsoleCP, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, SetStdHandle, GetStdHandle, GetStartupInfoW, WriteConsoleW, GetACP, GetStringTypeW, TlsFree, GetSystemTimeAsFileTime, IsValidCodePage, GetOEMCP, GetCPInfo, FlushFileBuffers, WaitForSingleObjectEx, RtlUnwind, QueryPerformanceCounter, GetSystemInfo, VirtualProtect, VirtualQuery, FindFirstFileExW, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Bulgarian	Bulgaria
Chinese	Taiwan
Czech	Czech Republic
German	Germany
Greek	Greece
French	France
Hungarian	Hungary
Italian	Italy
Japanese	Japan
Korean	North Korea
Korean	South Korea
Dutch	Netherlands
Polish	Poland
Portuguese	Brazil
Romanian	Romania
Russian	Russia
Slovak	Slovakia
Thai	Thailand
Turkish	Turkey
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 11:21:07.672267914 CEST	53	52815	162.159.36.2	192.168.2.4
Oct 23, 2024 11:21:08.306536913 CEST	54018	53	192.168.2.4	1.1.1.1
Oct 23, 2024 11:21:08.318250895 CEST	53	54018	1.1.1.1	192.168.2.4
Oct 23, 2024 11:21:10.507673979 CEST	55907	53	192.168.2.4	1.1.1.1
Oct 23, 2024 11:21:10.515588045 CEST	53	55907	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 23, 2024 11:21:08.306536913 CEST	192.168.2.4	1.1.1.1	0xd3f9	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 23, 2024 11:21:10.507673979 CEST	192.168.2.4	1.1.1.1	0x4940	Standard query (0)	56.163.245.4.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 23, 2024 11:21:08.318250895 CEST	1.1.1.1	192.168.2.4	0xd3f9	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 23, 2024 11:21:10.515588045 CEST	1.1.1.1	192.168.2.4	0x4940	Name error (3)	56.163.245.4.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	05:20:33
Start date:	23/10/2024
Path:	C:\Users\user\Desktop\IEW113_2311a.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IEW113_2311a.exe"
Imagebase:	0xd10000
File size:	5'302'512 bytes
MD5 hash:	1BB2447F9AE84781BCFA73EDA1606D72
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	05:20:35
Start date:	23/10/2024
Path:	C:\Users\user\Desktop\IEW113_2311a.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IEW113_2311a.exe" -run {192AB307-8DDD-45B1-BC93-D10838BCC13F} 0\|Yes\|No\|C:\Windows\System32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi
Imagebase:	0xd10000
File size:	5'302'512 bytes
MD5 hash:	1BB2447F9AE84781BCFA73EDA1606D72
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	05:20:35
Start date:	23/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi
Imagebase:	0x7ff7a80d0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	05:20:35
Start date:	23/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7a80d0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	05:20:36
Start date:	23/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\MsiExec.exe -Embedding 87308A77B4DC65560968A93A1904E71A C
Imagebase:	0x7ff7a80d0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	05:20:47
Start date:	23/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\MsiExec.exe -Embedding 026172C647FCA3CC45C109DD1CF65201
Imagebase:	0x7ff7a80d0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	05:20:47
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 1F622DA67DE9472AD76099B184CCC342
Imagebase:	0x770000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	05:20:49
Start date:	23/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\MsiExec.exe -Embedding 41D4778385EEC697935AEB0EB737BBE8 E Global\MSI0000
Imagebase:	0x7ff7a80d0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	05:20:49
Start date:	23/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install
Imagebase:	0x7ff7f51c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	05:20:49
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	05:20:49
Start date:	23/10/2024
Path:	C:\Windows\System32\pnputil.exe
Wow64 process (32bit):	false
Commandline:	pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install
Imagebase:	0x7ff6450a0000
File size:	301'568 bytes
MD5 hash:	DE03AC6962C0655E6F769F881295DE3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	05:20:50
Start date:	23/10/2024
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam_Driver.inf" "9" "40c79f59f" "000000000000015C" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Sony\Imaging Edge Webcam\Driver"
Imagebase:	0x7ff6edb80000
File size:	337'920 bytes
MD5 hash:	294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	05:20:50
Start date:	23/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{94bae122-cba7-1d4a-abe9-55200fb5c9ba} Global\{f15111e6-e2a2-7143-bb08-c644d6dcff21} C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam_Driver.inf C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.cat
Imagebase:	0x7ff6d2c00000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	44

Executed Functions

Function 00D2A360 Relevance: 134.7, APIs: 70, Strings: 6, Instructions: 1681synchronizationmemorythreadCOMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00100002,00000000,?), ref: 00D2A743
GetCurrentProcessId.KERNEL32 ref: 00D2A833
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00D2A887
GetLastError.KERNEL32 ref: 00D2A891
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00D2A92F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00D2A93F
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00D2A94F
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00D2A976
ResetEvent.KERNEL32(?,?,?), ref: 00D2A9B2
GetLastError.KERNEL32 ref: 00D2A9F6
ShellExecuteExW.SHELL32(0000003C), ref: 00D2AA46
GetLastError.KERNEL32(00000000), ref: 00D2AA59
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D2AA7E
FreeLibrary.KERNEL32(00000000), ref: 00D2AAAA
GetProcessId.KERNEL32(?,00000000), ref: 00D2AADB
AllowSetForegroundWindow.USER32(00000000), ref: 00D2AB9C
WaitForInputIdle.USER32(?,0000EA60), ref: 00D2ABAD
AllowSetForegroundWindow.USER32(00000000), ref: 00D2ABB8
GetTickCount.KERNEL32 ref: 00D2ABBE
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00D2ABE9
GetExitCodeProcess.KERNEL32(?,00000000), ref: 00D2AC17
CloseHandle.KERNEL32(?), ref: 00D2AC28
WaitForSingleObject.KERNEL32(?,00000000), ref: 00D2AC54
SetEvent.KERNEL32(?), ref: 00D2AC67
WaitForSingleObject.KERNEL32(?,00000000), ref: 00D2AC79
GetTickCount.KERNEL32 ref: 00D2AC7B
WaitForSingleObject.KERNEL32(?,00000000), ref: 00D2AC9F
WaitForSingleObject.KERNEL32(?,00001388,?), ref: 00D2AD91
GetTickCount.KERNEL32 ref: 00D2AD97
SetEvent.KERNEL32(?), ref: 00D2ADE4
SetEvent.KERNEL32(?,00000000), ref: 00D2AE23
SetEvent.KERNEL32(?,00000000), ref: 00D2AE38
WaitForSingleObject.KERNEL32(?,00002710), ref: 00D2AE4A
TerminateThread.KERNEL32(?,80004004), ref: 00D2AE62
CloseHandle.KERNEL32(?), ref: 00D2AE79
CloseHandle.KERNEL32(?), ref: 00D2AEB6
CloseHandle.KERNEL32(?), ref: 00D2AECD
CloseHandle.KERNEL32(?), ref: 00D2AEE4
CloseHandle.KERNEL32(?), ref: 00D2AEFB
DeleteCriticalSection.KERNEL32(?), ref: 00D2AF19
GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000), ref: 00D2B1B5
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000100), ref: 00D2B3FA
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000100), ref: 00D2B41C
GetCurrentProcess.KERNEL32(00000008,?), ref: 00D2B5BE
OpenProcessToken.ADVAPI32(00000000), ref: 00D2B5C1
GetTokenInformation.KERNELBASE(FFFFFFFF,00000002,00000000,00000000,?), ref: 00D2B5F2
GetLastError.KERNEL32 ref: 00D2B5FC
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D2B613
GetTokenInformation.KERNELBASE(FFFFFFFF,00000002,00000000,00000000,00000000), ref: 00D2B656
AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000222,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D2B683
EqualSid.ADVAPI32(00000000,00000004), ref: 00D2B6A8
LookupAccountSidW.ADVAPI32(00000000,00000004,?,00000100,?,00000100,?), ref: 00D2B6E3
GetLastError.KERNEL32 ref: 00D2B6ED
FreeSid.ADVAPI32(00000000), ref: 00D2B716
GlobalFree.KERNEL32(00000000), ref: 00D2B71D
CloseHandle.KERNELBASE(FFFFFFFF), ref: 00D2B73B
CoInitializeEx.COMBASE(00000000,00000000), ref: 00D2B786
GetActiveWindow.USER32 ref: 00D2B7B3
SetLastError.KERNEL32(0000000E), ref: 00D2B7D8
GetCurrentProcess.KERNEL32(?,0000000D), ref: 00D2B804
FlushInstructionCache.KERNEL32(00000000), ref: 00D2B807
GetCurrentThreadId.KERNEL32 ref: 00D2B819
EnterCriticalSection.KERNEL32(00D558B4), ref: 00D2B82A
LeaveCriticalSection.KERNEL32(00D558B4), ref: 00D2B84B
GlobalLock.KERNEL32(00000000), ref: 00D2B863
DialogBoxIndirectParamW.USER32(00000000,00000000,00D23BE0,00000000), ref: 00D2B87C
GlobalUnlock.KERNEL32(00000000), ref: 00D2B885
GlobalFree.KERNEL32(00000000), ref: 00D2B88C
GlobalFree.KERNEL32(00000000), ref: 00D2B8AB

Strings

Local\Packman_Exec_%s, xrefs: 00D2A727
open, xrefs: 00D2A602
Wow64RevertWow64FsRedirection, xrefs: 00D2AA78
%25, xrefs: 00D2A465
%20, xrefs: 00D2A449
Yes, xrefs: 00D2A50D, 00D2A564

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Event$CloseHandleWait$ErrorGlobalLastProcess$FreeObjectSingle$CountCriticalCurrentSection$CreateInitializeTickTokenWindow$AllowFileForegroundFormatInformationModuleNameOpenThread$AccountActiveAddressAllocAllocateCacheCodeDateDeleteDialogEnterEqualExecuteExitFlushIdleIndirectInputInstructionLeaveLibraryLockLookupMultipleObjectsParamProcResetShellSpinTerminateTimeUnlock
String ID: %20$%25$Local\Packman_Exec_%s$Wow64RevertWow64FsRedirection$Yes$open
API String ID: 698854990-2970576115
Opcode ID: 1791dcc5497fa3a4650c62405d4028d5afb9e114f34adad7cc07d92a2e67a21f
Instruction ID: 473729113069f9723b771aa6c1047888a50a210d67c5f3e1a8d32893b4549e69
Opcode Fuzzy Hash: 1791dcc5497fa3a4650c62405d4028d5afb9e114f34adad7cc07d92a2e67a21f
Instruction Fuzzy Hash: 52E2CF70A013299FDB20DF28DC48B99B7B5EF55314F1882D9E409EB2A1DB719E84CF61

Function 00D20AC0 Relevance: 65.7, APIs: 33, Strings: 4, Instructions: 901windowlibraryloaderCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,70CDB3AB), ref: 00D20BE5
IsIconic.USER32(?), ref: 00D20C07
SendMessageW.USER32(?,00000027,00000000,00000000), ref: 00D20C2C
GetSystemMetrics.USER32(0000000B), ref: 00D20C3A
GetSystemMetrics.USER32(0000000C), ref: 00D20C40
GetModuleHandleW.KERNEL32(kernel32.dll,70CDB3AB), ref: 00D20D4F
GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 00D20D63
GetCommandLineW.KERNEL32 ref: 00D20D70
SetEvent.KERNEL32(?,70CDB3AB), ref: 00D20DF2
SetWindowTextW.USER32(?,?), ref: 00D210C9
SetDlgItemTextW.USER32(FFFFFFFF,000003F3,?), ref: 00D21148
SetDlgItemTextW.USER32(FFFFFFFF,000003F3,?), ref: 00D211C2
SendMessageW.USER32(?,00000402,000003E8,00000000), ref: 00D211F3
KillTimer.USER32(?,?,70CDB3AB), ref: 00D2125D
IsWindow.USER32(?), ref: 00D212AA
KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 00D212B9
GetSystemMenu.USER32(?,00000000), ref: 00D212C4
EnableMenuItem.USER32(00000000,0000F060,00000002), ref: 00D212DA
SetDlgItemTextW.USER32(00000004,000003F3,?), ref: 00D21340
ShowWindow.USER32(00000004,00000005), ref: 00D21386
ShowWindow.USER32(?,00000005,70CDB3AB), ref: 00D21408
IsWindow.USER32(?), ref: 00D21411
EnableWindow.USER32(?,00000001), ref: 00D21420
GetSystemMenu.USER32(?,00000000), ref: 00D2142B
EnableMenuItem.USER32(00000000,0000F060,00000000), ref: 00D2143D
SetDlgItemTextW.USER32(FFFFFFFF,000003F3,?), ref: 00D2149C
IsWindow.USER32(?), ref: 00D214A5
EnableWindow.USER32(?,00000000), ref: 00D214B4
GetSystemMenu.USER32(FFFFFFFF,00000000), ref: 00D214BF
EnableMenuItem.USER32(00000000,0000F060,00000002), ref: 00D214D5
SetDlgItemTextW.USER32(00000006,000003F3,?), ref: 00D2153B
ShowWindow.USER32(00000006,00000005), ref: 00D21583
SetEvent.KERNEL32(?,70CDB3AB), ref: 00D215FC

Strings

RegisterApplicationRestart, xrefs: 00D20D5D
MessageInfo.xml, xrefs: 00D20F6D
kernel32.dll, xrefs: 00D20D4A
s, xrefs: 00D20B4E

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Window$Item$MenuText$EnableSystem$Show$EventMessageMetricsSend$AddressCallbackCommandDispatcherHandleIconicKillLineModuleProcTimerUser
String ID: MessageInfo.xml$RegisterApplicationRestart$kernel32.dll$s
API String ID: 3051885035-2535979818
Opcode ID: cd325ef298c6b7e97f26a7eec6af7b1a693c23d518989ddfa58edb330dd89390
Instruction ID: ea2251475898e783d59c6287c7f47cd4447549e676667c7233de2e08f3f0a1f7
Opcode Fuzzy Hash: cd325ef298c6b7e97f26a7eec6af7b1a693c23d518989ddfa58edb330dd89390
Instruction Fuzzy Hash: CF72D274A00725AFEB21CF64E855BADBBB1FF24318F188119E915DB691CB75EC40CBA0

Function 00D1B740 Relevance: 58.7, APIs: 19, Strings: 14, Instructions: 984windowCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00D1B897
PathFindExtensionW.SHLWAPI(?,00D4D3FC,00000002), ref: 00D1B9D3
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,.exe,000000FF,00000000), ref: 00D1BA71

Part of subcall function 00D18780: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,00D45778), ref: 00D187BE
Part of subcall function 00D18780: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00D18809

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00D1BE34
PostMessageW.USER32(?,0000811A,00000000,00000000), ref: 00D1C173
ShellExecuteExW.SHELL32(0000003C), ref: 00D1C180
GetProcessId.KERNELBASE(?), ref: 00D1C19D
AllowSetForegroundWindow.USER32(00000000), ref: 00D1C1AE
WaitForInputIdle.USER32(?,00000BB8), ref: 00D1C1BF
AllowSetForegroundWindow.USER32(?), ref: 00D1C1D0
PostMessageW.USER32(?,0000811B,00000000,00000000), ref: 00D1C1EC
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00D1C224
SetEvent.KERNEL32(?), ref: 00D1C243
GetExitCodeProcess.KERNEL32(?,?), ref: 00D1C29C
CloseHandle.KERNEL32(?), ref: 00D1C2B3
GetLastError.KERNEL32 ref: 00D1C2CB
PostMessageW.USER32(?,0000811C,00000000,00000000), ref: 00D1C2FE
CloseHandle.KERNEL32(?), ref: 00D1C44D

Part of subcall function 00D116F0: __CxxThrowException@8.LIBVCRUNTIME ref: 00D11706
Part of subcall function 00D116F0: HeapAlloc.KERNEL32(?,00000000,?,?,?,00D52C84,?,?,00D136E6,80070057,?,?,?,00D12FB0,?,?), ref: 00D1171B

Strings

Local\Packman_Exec_%s, xrefs: 00D1B87D
runas, xrefs: 00D1B82C
/C , xrefs: 00D1BCC3
%25, xrefs: 00D1BF26
\cmd.exe, xrefs: 00D1BBFD
.bat, xrefs: 00D1B9F2, 00D1BA08
.cmd, xrefs: 00D1BA2A, 00D1BA3B
-run , xrefs: 00D1BF56
D, xrefs: 00D1B7CE
<, xrefs: 00D1B7EB
open, xrefs: 00D1B80F
%20, xrefs: 00D1BF3B
Yes, xrefs: 00D1B94E, 00D1B967, 00D1B971, 00D1BA9E, 00D1BAC1, 00D1BAC2, 00D1BDA3
.exe, xrefs: 00D1BA58, 00D1BA65

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: FindMessagePost$AllowCloseEventForegroundHandleProcessResourceWaitWindow$AllocCodeCompareCreateErrorException@8ExecuteExitExtensionFileHeapIdleInputLastModuleMultipleNameObjectsPathShellStringThrow
String ID: %20$%25$-run $.bat$.cmd$.exe$/C $<$D$Local\Packman_Exec_%s$Yes$\cmd.exe$open$runas
API String ID: 3503205883-1239623122
Opcode ID: d8186a9f609e0da56774f4ae884702a0f3347786424e6deed210a5c0cbe9e416
Instruction ID: 3430fd01560528851f5c21922ad1fbd16fc39071396d3b4a40185d790d54ad2a
Opcode Fuzzy Hash: d8186a9f609e0da56774f4ae884702a0f3347786424e6deed210a5c0cbe9e416
Instruction Fuzzy Hash: 87927D30A41619AFDB10DF68DC98B99B7B5FF44314F1482D9E409AB2A1DF70AE85CF60

Function 00D21BF0 Relevance: 39.3, APIs: 26, Instructions: 305
windowcomtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00D21C28
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D21C46
SetWindowLongW.USER32(?,000000EC,00000080), ref: 00D21C52
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,?,?,?,00D459C0,000000FF,?,00D20B65,70CDB3AB), ref: 00D21C63
GetSystemMenu.USER32(?,00000000,70CDB3AB,?,?,?,00D459C0,000000FF,?,00D20B65,70CDB3AB), ref: 00D21C73
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00D21C85
GetSystemMetrics.USER32(0000000B), ref: 00D21C93
GetSystemMetrics.USER32(0000000C), ref: 00D21C99
GetSystemMetrics.USER32(00000031), ref: 00D21C9F
GetSystemMetrics.USER32(00000032), ref: 00D21CA6
LoadImageW.USER32(00000064,00000001,00000000,00000000,00000000), ref: 00D21CBE
LoadImageW.USER32(00000064,00000001,?,00000000,00000000), ref: 00D21CD6
SendMessageW.USER32(?,00000080,00000001,?), ref: 00D21CEE
SendMessageW.USER32(?,00000080,00000000,?), ref: 00D21CFF
SetDlgItemTextW.USER32(?,00000002,?), ref: 00D21D3E
SetDlgItemTextW.USER32(?,000003F3,?), ref: 00D21D7E
GetDlgItem.USER32(?,00000002), ref: 00D21D8E
GetDlgItem.USER32(?,000003F2), ref: 00D21D9E
IsWindow.USER32(00000000), ref: 00D21DA7
SendMessageW.USER32(?,00000406,00000000,000003E8), ref: 00D21DC0
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D21DD2
CoCreateInstance.COMBASE(00D4D9D8,00000000,00000017,00D4D9C8,?), ref: 00D21DEA
SetTimer.USER32(?,0000002D,00000042,00000000), ref: 00D21E2F
ShowWindow.USER32(?,00000005,?,?,?,00D459C0,000000FF), ref: 00D21E49
SetForegroundWindow.USER32(?), ref: 00D21E52
ResetEvent.KERNEL32(?,?,?,?,?,00D459C0,000000FF), ref: 00D21EF7

Part of subcall function 00D116F0: __CxxThrowException@8.LIBVCRUNTIME ref: 00D11706
Part of subcall function 00D116F0: HeapAlloc.KERNEL32(?,00000000,?,?,?,00D52C84,?,?,00D136E6,80070057,?,?,?,00D12FB0,?,?), ref: 00D1171B

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Window$ItemSystem$MessageMetricsSend$Long$ImageLoadMenuText$AllocCreateEnableEventException@8ForegroundHeapInstanceResetShowThrowTimer
String ID:
API String ID: 2619141099-0
Opcode ID: 028abf72606b32b0036062450e4e06bc8574dbf6f0fbb577adadda46d7ca2e3a
Instruction ID: 8c23619c935ac999f7ee50fa54d475839d1ad3ae1c8575ad9a6990bffac72f5c
Opcode Fuzzy Hash: 028abf72606b32b0036062450e4e06bc8574dbf6f0fbb577adadda46d7ca2e3a
Instruction Fuzzy Hash: A1B1D075A40305AFDB119F64DC96BA97FB4EF08711F188199FA05AF2E6CBB19900CF60

Function 00D235D0 Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 418
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

Part of subcall function 00D199C0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,000000BC), ref: 00D19A4C
Part of subcall function 00D199C0: VerSetConditionMask.KERNEL32(00000000,?,?,000000BC), ref: 00D19A50
Part of subcall function 00D199C0: VerSetConditionMask.KERNEL32(00000000,?,?,?,000000BC), ref: 00D19A54
Part of subcall function 00D199C0: VerifyVersionInfoW.KERNEL32(?,00000023,00000000), ref: 00D19A77

CreateCompatibleDC.GDI32(00000000), ref: 00D23663
EnumFontFamiliesExW.GDI32(00000000,?,00D235C0,00000000,00000000), ref: 00D2369C
DeleteDC.GDI32(00000000), ref: 00D236DD
FindResourceW.KERNEL32(00000000,?,00000005), ref: 00D236F6
SizeofResource.KERNEL32(00000000,00000000), ref: 00D23705
LoadResource.KERNEL32(00000000,00000000), ref: 00D23727
LockResource.KERNEL32(00000000), ref: 00D23732
GlobalAlloc.KERNEL32(00000040,00000001), ref: 00D23747
GlobalLock.KERNEL32(00000000), ref: 00D2375A
GlobalFree.KERNEL32(00000000), ref: 00D2376A

Part of subcall function 00D18780: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,00D45778), ref: 00D187BE
Part of subcall function 00D18780: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00D18809

GlobalUnlock.KERNEL32(?), ref: 00D23ABB
GlobalUnlock.KERNEL32(?), ref: 00D23AD2

Strings

Segoe UI, xrefs: 00D236B0
MS Shell Dlg, xrefs: 00D236AB, 00D236CF, 00D236D0, 00D23A73

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Resource$Global$ConditionFindMask$Init_thread_footerLockUnlock$AllocCompatibleCreateDeleteEnumFamiliesFontFreeHeapInfoLoadProcessSizeofVerifyVersion
String ID: MS Shell Dlg$Segoe UI
API String ID: 1746237089-2394893074
Opcode ID: cb5bcbbbf26921c7e3074c37823c1422adc3036f4a2d2023a8e066e4f582c295
Instruction ID: ac921f5a54f450725c0d78fc0b0746d811319032f794d7533ae872ea3a447fd9
Opcode Fuzzy Hash: cb5bcbbbf26921c7e3074c37823c1422adc3036f4a2d2023a8e066e4f582c295
Instruction Fuzzy Hash: 0FE13A75A002258BDB209F68EC41BBAB7B5FF65308F184169E945DB381EB389E45CB70

Function 00D2E57D Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,?,00000000,00D23C5D,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D2E5A6
HeapAlloc.KERNEL32(00000000,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D2E5AD

Part of subcall function 00D2E688: IsProcessorFeaturePresent.KERNEL32(0000000C,00D2E594,?,00000000,00D23C5D,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D2E68A

InterlockedPopEntrySList.KERNEL32(00785B58,?,00000000,00D23C5D,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D2E5BD
VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000040,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D2E5E4
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D2E5F8
InterlockedPopEntrySList.KERNEL32(00000000,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D2E60B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D2E61E

Strings

X[x, xrefs: 00D2E582, 00D2E598

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID: X[x
API String ID: 2460949444-2592070539
Opcode ID: 1d6b5876e40e612bd3b058b0d44d0fa9520c312d030ae989435c8fef76797f33
Instruction ID: 22135a61fc7ac5b855f30eba8ff37d7f0e4aca7264938063f1ec15ce40bb2b3c
Opcode Fuzzy Hash: 1d6b5876e40e612bd3b058b0d44d0fa9520c312d030ae989435c8fef76797f33
Instruction Fuzzy Hash: 5E1190796457316BE6311B64BC88F662758EF7579EF190920F941D6360EB60CC0046B4

Function 00D1E890 Relevance: 14.5, APIs: 6, Strings: 2, Instructions: 470
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTime.KERNEL32(?,?,00000001,?,70CDB3AB,?,?), ref: 00D1E9B1
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D1E9C2
FindFirstFileW.KERNELBASE(00000000,?), ref: 00D1EA20
FindNextFileW.KERNEL32(?,?,?), ref: 00D1EDF5
FindClose.KERNEL32(?), ref: 00D1EE1C

Strings

{????????-????-????-????-????????????}, xrefs: 00D1E9FE
0123456789abcdefABCDEF, xrefs: 00D1ECC8

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: FileFindTime$System$CloseFirstNext
String ID: 0123456789abcdefABCDEF${????????-????-????-????-????????????}
API String ID: 1385230233-2180135798
Opcode ID: 2b97ef91af6a2b1181aa1d9354a6f54877ca2a94a6360e2427c3af7dbc0ab78d
Instruction ID: a874c9205fcd8550b20a2767d4fd8d91cde61d7abb54ebb6ff77e65cfcb3fa6d
Opcode Fuzzy Hash: 2b97ef91af6a2b1181aa1d9354a6f54877ca2a94a6360e2427c3af7dbc0ab78d
Instruction Fuzzy Hash: 3E029031A00616AFDB24DB24DC49BE9B7B5FF55310F1842D9E81A97291EF319E84CFA0

Function 00D15480 Relevance: 13.7, APIs: 9, Instructions: 240
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D15B20: GetNamedSecurityInfoW.ADVAPI32(?,00000001,00000004,00000000,00000000,00000000,00000000,00000000,?,70CDB3AB), ref: 00D15B86

GetSecurityDescriptorDacl.ADVAPI32(00000000,?,?,?,?,00000001), ref: 00D154C5
GetAce.ADVAPI32(?,00000000,?,?,00000001), ref: 00D1559D
BuildExplicitAccessWithNameW.ADVAPI32(?,?,00000000,?,?,?,?,00000001), ref: 00D1562C
SetEntriesInAclW.ADVAPI32(00000000,?,00000000,00000000,?,00000001), ref: 00D1569C
LocalAlloc.KERNEL32(00000000,00000008,?,00000001), ref: 00D156A8
InitializeAcl.ADVAPI32(00000000,00000008,00000002,?,00000001), ref: 00D156BA
GetLastError.KERNEL32(?,00000001), ref: 00D156CA
LocalFree.KERNEL32(?,?,00000001), ref: 00D156F1
LocalFree.KERNEL32(00000000,?,00000001), ref: 00D156FF

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Local$FreeSecurity$AccessAllocBuildDaclDescriptorEntriesErrorExplicitInfoInitializeLastNameNamedWith
String ID:
API String ID: 32545959-0
Opcode ID: d782bb3e714dc25226dfbc4cfa49561ccc87f1423dfa70317e8556edf459777a
Instruction ID: 24ee0b3a6d5f992980abaa4f4c1fa1c9cd6b45fada43d309022977362338c5f1
Opcode Fuzzy Hash: d782bb3e714dc25226dfbc4cfa49561ccc87f1423dfa70317e8556edf459777a
Instruction Fuzzy Hash: 2281C371E01615EBDB148F64E885BEEBBB5EF85300F088169E815E7296DB38CD41CBB0

Function 00D15730 Relevance: 12.2, APIs: 8, Instructions: 164COMMON

Download Yara Rule

APIs

Part of subcall function 00D15B20: GetNamedSecurityInfoW.ADVAPI32(?,00000001,00000004,00000000,00000000,00000000,00000000,00000000,?,70CDB3AB), ref: 00D15B86

GetSecurityDescriptorDacl.ADVAPI32(00000000,00000000,00000000,?), ref: 00D15795
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,00000100), ref: 00D157F7
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,00000100), ref: 00D1581A
GetUserNameW.ADVAPI32(?,00000100), ref: 00D1583B
LookupAccountNameW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 00D15883
GetAce.ADVAPI32(00000000,00000000,?), ref: 00D158FB
EqualSid.ADVAPI32(?,-00000008), ref: 00D15911
LocalFree.KERNEL32(00000000), ref: 00D1598C

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CreateKnownNameSecurityWell$AccountDaclDescriptorEqualFreeInfoLocalLookupNamedUser
String ID:
API String ID: 4259123070-0
Opcode ID: a9f09e64176fdede957f586bab442588e0b2f9ee7d8ef17d4398455a0817858f
Instruction ID: aed0588442adf4a85589c2be8f0b84455b20c95a8bd7ccd0342bcd5306311374
Opcode Fuzzy Hash: a9f09e64176fdede957f586bab442588e0b2f9ee7d8ef17d4398455a0817858f
Instruction Fuzzy Hash: 31612B75D0822CDBDB61CB24DC80BEAB7F8EB49350F4401D6D50DA2241DB78AEC58FA1

Function 00D1A830 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 331libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,70CDB3AB,?,?,?,?,?,?,?,?,70CDB3AB,?,?,?,00000000,00D4527D), ref: 00D1A887
GetProcAddress.KERNEL32(00000000,70CDB3AB), ref: 00D1A89A
GetDiskFreeSpaceExW.KERNELBASE(?,?,?,00000000,?,?,?,?,?,?,?,?,70CDB3AB,?,?), ref: 00D1A8C0

Strings

kernel32.dll, xrefs: 00D1A874
ExW, xrefs: 00D1A86D

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: AddressDiskFreeHandleModuleProcSpace
String ID: ExW$kernel32.dll
API String ID: 1197914913-1367044033
Opcode ID: 246a2471890b7766b09660080e41088a4626fc7a6944daa0bef9b4cde0fdebe7
Instruction ID: 330be16d8423bceceda516207a73644d8f6019652df0f7070e125eaa35a3e934
Opcode Fuzzy Hash: 246a2471890b7766b09660080e41088a4626fc7a6944daa0bef9b4cde0fdebe7
Instruction Fuzzy Hash: C4D19FB1A01219AFCB24DF68D894BEDB7B4FF48310F04459AE519A7291DF30AE85CF64

Function 00D15BD0 Relevance: 9.9, APIs: 6, Instructions: 867fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,?,?,80070002), ref: 00D15E39
FindNextFileW.KERNELBASE(000000FF,?,?,?,80070002), ref: 00D164CE
GetLastError.KERNEL32(?,?,80070002), ref: 00D164E9

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: FileFind$ErrorFirstLastNext
String ID:
API String ID: 1230121326-0
Opcode ID: 858844ae454016281a597e5c3885d3076fc268eb0d296694a966187cb25c1d7c
Instruction ID: 156d2668a2f74b7f6c08283aa583383878f2be682d1aade9b46c7d60c122fe4b
Opcode Fuzzy Hash: 858844ae454016281a597e5c3885d3076fc268eb0d296694a966187cb25c1d7c
Instruction Fuzzy Hash: 9A825D34A05615DFDB20DF28D888B99B7B1FF45310F1882E9E8199B295DB31EE85CF60

Function 00D1B2C0 Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?,?,00000250,?), ref: 00D1B2FF
FindClose.KERNELBASE(00000000,?,00000250,?), ref: 00D1B32F

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: dbb3c53472e4312f39b61c33b1c88d2616f008962d6620331340b554b3afd7ca
Instruction ID: 996e2f7043189d5659a59849ef2c43c4cc1e7a1f6c11717739c1dcaa203385f9
Opcode Fuzzy Hash: dbb3c53472e4312f39b61c33b1c88d2616f008962d6620331340b554b3afd7ca
Instruction Fuzzy Hash: 8E0175756187449BC220EF24E84AAABB7D8FB89324F504B09F85883280D771E944C6E2

Function 00D1DC20 Relevance: 49.9, APIs: 23, Strings: 5, Instructions: 918windowsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 00D1DC8A

Part of subcall function 00D1B2C0: FindFirstFileW.KERNELBASE(?,?,?,00000250,?), ref: 00D1B2FF

Part of subcall function 00D1A410: GetTempPathW.KERNEL32(00000105,?,?,00000010,?,00000000,00D4527D,000000FF,?,80004005,80004005), ref: 00D1A4B2

PathFileExistsW.KERNELBASE(?,?,?), ref: 00D1DCEF
CreateDirectoryW.KERNELBASE(?,00000000,?,?), ref: 00D1DCFB

Part of subcall function 00D15730: GetSecurityDescriptorDacl.ADVAPI32(00000000,00000000,00000000,?), ref: 00D15795
Part of subcall function 00D15730: CreateWellKnownSid.ADVAPI32(00000016,00000000,?,00000100), ref: 00D157F7
Part of subcall function 00D15730: CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,00000100), ref: 00D1581A
Part of subcall function 00D15730: GetUserNameW.ADVAPI32(?,00000100), ref: 00D1583B
Part of subcall function 00D15730: LookupAccountNameW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 00D15883

CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D1DD85
LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,?,?), ref: 00D1DDD2
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,00000100,?,?,?,?,?,?,?,?), ref: 00D1DDF7
LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 00D1DE3B
GetUserNameW.ADVAPI32(?,00000100), ref: 00D1DE66
BuildExplicitAccessWithNameW.ADVAPI32(?,?,001F01FF,00000002,00000003,?,?,?,?,?,?,?,?), ref: 00D1DEAB
SetEntriesInAclW.ADVAPI32(00000003,?,00000061,00000000,?,?,?,?,?,?,?,?), ref: 00D1DED0
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00D1DEFB
PathFileExistsW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D1E0D9
CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D1E0EA
PathFileExistsW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D1E102
CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D1E113
PostMessageW.USER32(00000000,00008111,00000000,00000000), ref: 00D1E15C
PostMessageW.USER32(00000000,00008112,00000001,00000000), ref: 00D1E2B7
PostMessageW.USER32(00000000,00008112,00000000,00000000), ref: 00D1E2DD
PostMessageW.USER32(00000000,00008113,00000000,00000000), ref: 00D1E2F7
WaitForSingleObject.KERNEL32(00D1FBAF,000001F4,?,?,00000002,00000000,00000000,?,?,?,00000000), ref: 00D1E32A

Part of subcall function 00D1FE60: PathFileExistsW.KERNELBASE(?,00000008,00D1E4B7,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D1FE64
Part of subcall function 00D1FE60: CreateDirectoryW.KERNELBASE(?,00000000,?,00000008,00D1E4B7), ref: 00D1FE70

PostMessageW.USER32(00000000,00008114,00000000,00000000), ref: 00D1E4D7
GetLocalTime.KERNEL32(?), ref: 00D1E5A5
PostMessageW.USER32(?,00008115,?,00000000), ref: 00D1E7EA

Strings

ExtractedFiles_%04d%02d%02dT%02d%02d%02d.%03d.log, xrefs: 00D1E5F8
Package\, xrefs: 00D1E3FF
!!!53AAED7C-68E7-413C-A5FD-D9F76477D66A, xrefs: 00D1E181, 00D1E18E
E8FF0748-2339-49f9-9A79-824D7561736C.cab, xrefs: 00D1E1B7, 00D1E1C4
Support\, xrefs: 00D1E03A

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Create$FileMessagePost$NamePath$DirectoryExistsKnownWell$AccountLookup$LocalUser$AccessBuildDaclDescriptorEntriesExplicitFindFirstFreeModuleObjectSecuritySingleTempTimeWaitWith
String ID: !!!53AAED7C-68E7-413C-A5FD-D9F76477D66A$E8FF0748-2339-49f9-9A79-824D7561736C.cab$ExtractedFiles_%04d%02d%02dT%02d%02d%02d.%03d.log$Package\$Support\
API String ID: 2966010313-1054188327
Opcode ID: 2a5f6293910032851a3d1d2abf65a4a231cc2f4063fbffaa344e95878b0eea08
Instruction ID: f02c0bf2cc601e73bd54d332ba39ee184b20a1081c3d80b40acb8f2659ce880b
Opcode Fuzzy Hash: 2a5f6293910032851a3d1d2abf65a4a231cc2f4063fbffaa344e95878b0eea08
Instruction Fuzzy Hash: 94829070A00615AFDB10CF68DC84BD9B7B9EF45314F14829AE919A7291DF70AE85CFB0

Function 00D16F10 Relevance: 43.0, APIs: 19, Strings: 5, Instructions: 971synchronizationthreadfileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,70CDB3AB,80040006,00000010,00000010), ref: 00D16F8E
LeaveCriticalSection.KERNEL32(?), ref: 00D16FBB
WaitForSingleObject.KERNEL32(?,00000000), ref: 00D16FEB
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,!!!E8FF0748-2339-49f9-9A79-824D7561736C,000000FF), ref: 00D17033
CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,!!!53AAED7C-68E7-413C-A5FD-D9F76477D66A,000000FF), ref: 00D1706C
PathFileExistsW.KERNELBASE(?,?,?), ref: 00D1721D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D17229
WaitForSingleObject.KERNEL32(?,00000000), ref: 00D1727F
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,Settings.ini,000000FF), ref: 00D17320
CompareStringW.KERNEL32(0000007F,00000001,-00000010,000000FF,E8FF0748-2339-49f9-9A79-824D7561736C.cab,000000FF), ref: 00D17345
EnterCriticalSection.KERNEL32(?), ref: 00D1735A
LeaveCriticalSection.KERNEL32(?), ref: 00D17387
GetCurrentThreadId.KERNEL32 ref: 00D1769E
GetCurrentThreadId.KERNEL32 ref: 00D176AA
TlsGetValue.KERNEL32(00000001), ref: 00D176CD
TlsSetValue.KERNEL32(00000001,00D4D004), ref: 00D176ED
TlsGetValue.KERNEL32 ref: 00D17701
DeleteFileW.KERNELBASE(?), ref: 00D17789
WaitForSingleObject.KERNEL32(?,00000000), ref: 00D178F4

Strings

PA=n, xrefs: 00D17750
!!!53AAED7C-68E7-413C-A5FD-D9F76477D66A, xrefs: 00D17041, 00D17060
Settings.ini, xrefs: 00D17303, 00D17314
!!!E8FF0748-2339-49f9-9A79-824D7561736C, xrefs: 00D17008, 00D17027
E8FF0748-2339-49f9-9A79-824D7561736C.cab, xrefs: 00D1732B, 00D17339

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CompareCriticalSectionString$ObjectSingleValueWait$CurrentEnterFileLeaveThread$CreateDeleteDirectoryExistsPath
String ID: !!!53AAED7C-68E7-413C-A5FD-D9F76477D66A$!!!E8FF0748-2339-49f9-9A79-824D7561736C$E8FF0748-2339-49f9-9A79-824D7561736C.cab$PA=n$Settings.ini
API String ID: 2253311208-3772288626
Opcode ID: 6d1c4e0d41bb29dbbc64eeac6df79ec859a172d0a6b336279c8a259d1e681818
Instruction ID: 0a7d87817434271d37cd13a4c289af634d9ae0039500b3bc0b0169ebf0523b47
Opcode Fuzzy Hash: 6d1c4e0d41bb29dbbc64eeac6df79ec859a172d0a6b336279c8a259d1e681818
Instruction Fuzzy Hash: 33923C70A05605EFDB10DF68D884BDDB7B1FF05314F1886A9E469AB2A1DB30AD85CF60

Function 00D1F010 Relevance: 42.7, APIs: 17, Strings: 7, Instructions: 726
registrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00D1F046
GetNativeSystemInfo.KERNELBASE(?), ref: 00D1F056
PathFileExistsW.KERNELBASE(?,?), ref: 00D1F0C0
PathFileExistsW.KERNELBASE(?,?,00000000), ref: 00D1F200
RegQueryValueExW.ADVAPI32(00000000,LaunchInstaller,00000000,?,?,?,80000002,SOFTWARE\Sony Corporation\VAIO update,00020019), ref: 00D1F32E
RegCloseKey.ADVAPI32(00000000), ref: 00D1F33C
RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Sony Corporation\VAIO update,00020019), ref: 00D1F364
_wcsstr.LIBVCRUNTIME ref: 00D1F3ED
_wcsstr.LIBVCRUNTIME ref: 00D1F4BC
PathFileExistsW.SHLWAPI(?,%PACKTOOLTEMP%,?), ref: 00D1F504
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D1F510
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,?,000000FF,?,00000000), ref: 00D1F651
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00D1F6E8
GetLastError.KERNEL32 ref: 00D1F6F2
GetTickCount.KERNEL32 ref: 00D1F7BB

Part of subcall function 00D199C0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,000000BC), ref: 00D19A4C
Part of subcall function 00D199C0: VerSetConditionMask.KERNEL32(00000000,?,?,000000BC), ref: 00D19A50
Part of subcall function 00D199C0: VerSetConditionMask.KERNEL32(00000000,?,?,?,000000BC), ref: 00D19A54
Part of subcall function 00D199C0: VerifyVersionInfoW.KERNEL32(?,00000023,00000000), ref: 00D19A77

WaitForSingleObject.KERNEL32(00D1FBAF,00007530,00000000,?), ref: 00D1F8D2
DeleteCriticalSection.KERNEL32(?), ref: 00D1F8F6

Strings

%PACKTOOLTEMP%, xrefs: 00D1F4B6, 00D1F4F6
Temp, xrefs: 00D1F4DC
LaunchInstaller, xrefs: 00D1F328
Settings.ini, xrefs: 00D1F09F
SOFTWARE\Sony Corporation\VAIO update, xrefs: 00D1F2DE
&, xrefs: 00D1F756
%PACKTOOLROOT%, xrefs: 00D1F3E7, 00D1F483

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ConditionCountExistsFileMaskPath$CloseCriticalInfoSectionTick_wcsstr$CompareCreateDeleteDirectoryErrorInitializeLastNativeObjectQuerySingleSpinStringSystemValueVerifyVersionWait
String ID: %PACKTOOLROOT%$%PACKTOOLTEMP%$&$LaunchInstaller$SOFTWARE\Sony Corporation\VAIO update$Settings.ini$Temp
API String ID: 1270599173-3622933857
Opcode ID: c8186188bc7452fb0d4df25dbe6784862829410c083e269bc08a69f0b0a4ed64
Instruction ID: 4e95fa2faa8b01995c428b8981e290e381f09cac81934008b12e01451562745c
Opcode Fuzzy Hash: c8186188bc7452fb0d4df25dbe6784862829410c083e269bc08a69f0b0a4ed64
Instruction Fuzzy Hash: 1752A070A01605EFDB14CF68D854BEEBBB1FF05314F188269E465AB291DB74A984CFB0

Function 00D1A0A0 Relevance: 26.9, APIs: 9, Strings: 6, Instructions: 605
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

GetModuleHandleW.KERNEL32(shell32.dll), ref: 00D1A118
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00D1A12C
PathFileExistsW.SHLWAPI(?,Downloads,00000009,?,00000001,?,00D1AAFD), ref: 00D1A39B
CreateDirectoryW.KERNEL32(?,00000000,?,Downloads,00000009,?,00000001,?,00D1AAFD), ref: 00D1A3A8
GetTempPathW.KERNEL32(00000105,?,?,00000010,?,00000000,00D4527D,000000FF,?,80004005,80004005), ref: 00D1A4B2
PathFileExistsW.KERNELBASE(00000000,?,00000001,?,?,00000010,?,00000000,00D4527D,000000FF,?,80004005,80004005), ref: 00D1A56E
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000010,?,00000000,00D4527D,000000FF,?,80004005,80004005), ref: 00D1A57A
PathFileExistsW.SHLWAPI(?,Sony Corporation,00000010,?,00000001,?,00D1AAFD), ref: 00D1A6C8
CreateDirectoryW.KERNEL32(?,00000000,?,00D1AAFD), ref: 00D1A6D4

Part of subcall function 00D116F0: __CxxThrowException@8.LIBVCRUNTIME ref: 00D11706
Part of subcall function 00D116F0: HeapAlloc.KERNEL32(?,00000000,?,?,?,00D52C84,?,?,00D136E6,80070057,?,?,?,00D12FB0,?,?), ref: 00D1171B

Strings

SHGetKnownFolderPath, xrefs: 00D1A126
Sony Packaging Tool, xrefs: 00D1A766
Sony Corporation, xrefs: 00D1A6B1
SPackTool, xrefs: 00D1A582
shell32.dll, xrefs: 00D1A100
Downloads, xrefs: 00D1A38D

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Path$CreateDirectoryExistsFile$HeapInit_thread_footer$AddressAllocException@8HandleModuleProcProcessTempThrow
String ID: Downloads$SHGetKnownFolderPath$SPackTool$Sony Corporation$Sony Packaging Tool$shell32.dll
API String ID: 985261093-955954178
Opcode ID: cfe772b6aadcc19b898bbe9523608e7b0bf78c1a9db5ccd027d9bba08057a1e5
Instruction ID: bd784b7f85e86f211992717693654e3384c8ad0ad18e6f94091aac9fde05d829
Opcode Fuzzy Hash: cfe772b6aadcc19b898bbe9523608e7b0bf78c1a9db5ccd027d9bba08057a1e5
Instruction Fuzzy Hash: DD22E131A01611ABDB24DF68DC55BEAB3B1EF40310F0842A8E9559B291DFB59EC4CFB1

Function 00D14120 Relevance: 25.1, APIs: 5, Strings: 9, Instructions: 568
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000004,00000080,00000000,?,?,?), ref: 00D143A8
GetFileSizeEx.KERNEL32(00000000,?), ref: 00D143FD
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00D145AF
WriteFile.KERNEL32(?,?,00000000,00000000,00000000), ref: 00D146CE
CloseHandle.KERNEL32(?), ref: 00D146DA

Strings

false, xrefs: 00D1455C
ErrorCode:0x%08x, xrefs: 00D14656
Folder:%s, xrefs: 00D14621
true, xrefs: 00D14562, 00D1456A
Changed, xrefs: 00D1466A
Signature:%s"%s", xrefs: 00D14571
Package:%I64d%s, xrefs: 00D14486
Deleted, xrefs: 00D14684
Created, xrefs: 00D1469E

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: File$Init_thread_footer$CloseCreateHandleHeapPointerProcessSizeWrite
String ID: Folder:%s$Changed$Created$Deleted$ErrorCode:0x%08x$Package:%I64d%s$Signature:%s"%s"$false$true
API String ID: 745663689-1134783121
Opcode ID: 901865c0feb02941bdbdde91439f8596ea284df8854116a6bbbe5b8455f80d41
Instruction ID: 329776e7067175de4aaa8d28fdc067306e01fe3b7217dbfb55be4acb231ed38a
Opcode Fuzzy Hash: 901865c0feb02941bdbdde91439f8596ea284df8854116a6bbbe5b8455f80d41
Instruction Fuzzy Hash: 3B327A71900659ABDB20DB28DC54BDAB7F5FF04314F188298E499A7281DF31AE85CFE0

Function 00D224E0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 184
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,00000408,00000000,00000000), ref: 00D2251D
EnterCriticalSection.KERNEL32(?,?,?,?), ref: 00D2258E
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 00D225C1
SendMessageW.USER32(?,00000405,00000000,00000000), ref: 00D22624
SendMessageW.USER32(?,00000408,00000000,00000000), ref: 00D22632
SendMessageW.USER32(?,00000411,00000000,00000000), ref: 00D22644
SendMessageW.USER32(?,00000410,?,00000000), ref: 00D22659

Strings

-, xrefs: 00D224E9

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: MessageSend$CriticalSection$EnterLeave
String ID: -
API String ID: 4009585992-2547889144
Opcode ID: 95e06f1c52a8ddbf967aa865c3f08b45d613a354c6ebc5bcae39f9c47abd2ad3
Instruction ID: 548e0f91210821f726fc535a56099d1aa0c33e1d811a32b258282547b1718ce3
Opcode Fuzzy Hash: 95e06f1c52a8ddbf967aa865c3f08b45d613a354c6ebc5bcae39f9c47abd2ad3
Instruction Fuzzy Hash: AB51F1B1704711BBE7108F24EC81B6AB791FF58714F044529F605AB6D1CBB1EC60CBA5

Function 00D2F5C4 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D2F303: CreateFileW.KERNELBASE(00000000,00000000,?,00D2F66D,?,?,00000000,?,00D2F66D,00000000,0000000C), ref: 00D2F320

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D2F6D8
__dosmaperr.LIBCMT ref: 00D2F6DF
GetFileType.KERNELBASE(00000000), ref: 00D2F6EB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D2F6F5
__dosmaperr.LIBCMT ref: 00D2F6FE
CloseHandle.KERNEL32(00000000), ref: 00D2F71E
CloseHandle.KERNEL32(?), ref: 00D2F868
GetLastError.KERNEL32 ref: 00D2F89A
__dosmaperr.LIBCMT ref: 00D2F8A1

Strings

H, xrefs: 00D2F826

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1ded99c6e517336cc59d6fc311549296927197123dfb5aea958e391869a163c8
Instruction ID: 1951ffe6796e16820d5fc339ddaa11a1d8b11f69260c3814feb723ba663526b1
Opcode Fuzzy Hash: 1ded99c6e517336cc59d6fc311549296927197123dfb5aea958e391869a163c8
Instruction Fuzzy Hash: ECA1E432A042648FDF199F68E851BAD7BB0EF16329F280169F811DB3E1D7319912CB71

Function 00D430CC Relevance: 15.1, APIs: 10, Instructions: 135
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00D430ED
GetLastError.KERNEL32 ref: 00D430F9
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D43128
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00D43139
FreeLibrary.KERNEL32(00000000), ref: 00D43153
GetProcAddress.KERNEL32(00000000,?), ref: 00D431BB
GetLastError.KERNEL32 ref: 00D431C7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D431F6
RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 00D43207
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4323E

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: AccessDloadReleaseSectionWrite$ErrorExceptionLastLibraryRaise$AddressFreeLoadProc
String ID:
API String ID: 202095176-0
Opcode ID: 9251c5b9f4a33aa2f4aeb882874df71cd2f7ff94cdfd6747c6d73fc10190f11c
Instruction ID: a98c163e5d6f46ecb5282a9cfe1afb371597b2fea22ad4a08bf4699929cc4e2c
Opcode Fuzzy Hash: 9251c5b9f4a33aa2f4aeb882874df71cd2f7ff94cdfd6747c6d73fc10190f11c
Instruction Fuzzy Hash: 45415C3990131A9FDF11DF98D984AADB7B9EF55350B590069F900E7350DB70DE05CAB0

Function 00D1C520 Relevance: 14.9, APIs: 5, Strings: 3, Instructions: 912COMMON

Download Yara Rule

APIs

PathFindExtensionW.SHLWAPI(?,70CDB3AB,?,?,?), ref: 00D1C585

Part of subcall function 00D1D0B0: RegQueryValueExW.KERNELBASE(00000000,00D4D2B8,00000000,00000001,00000000,?), ref: 00D1D18A

_wcschr.LIBVCRUNTIME ref: 00D1C701

Part of subcall function 00D1D0B0: RegCloseKey.KERNELBASE(00000000), ref: 00D1D1FF
Part of subcall function 00D1D0B0: RegQueryValueExW.KERNELBASE(00000000,00D4D2B8,00000000,00D1C5B1,00000000,00000000,80000000,70CDB3AB,00D1C5B1,\shell\open\command,00000013), ref: 00D1D25E
Part of subcall function 00D1D0B0: RegCloseKey.KERNELBASE(00000000), ref: 00D1D2E5
Part of subcall function 00D1D0B0: RegCloseKey.ADVAPI32(00000000,80000000,?,?), ref: 00D1D31D

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00D4D464,-00000010), ref: 00D1CBAB
_wcschr.LIBVCRUNTIME ref: 00D1CBEF

Part of subcall function 00D20150: _wcsstr.LIBVCRUNTIME ref: 00D201D5
Part of subcall function 00D20150: _wcsstr.LIBVCRUNTIME ref: 00D201E9

CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,?,000000FF,?,00000000,?,00000001,?,?,?,00D4D464,-00000010), ref: 00D1CFD8

Strings

"%1", xrefs: 00D1CCF7
"%L", xrefs: 00D1CD3B
"%l", xrefs: 00D1CD19

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Close$QueryValue_wcschr_wcsstr$CompareEnvironmentExpandExtensionFindPathStringStrings
String ID: "%1"$"%L"$"%l"
API String ID: 1226520755-2359337105
Opcode ID: 14089e4a97db8bd49c51948f718572ea66194308e5d336f193cf97c9286410df
Instruction ID: ea33c2d0d0c618b4c0e3224064a150f652fea7ae73f88f8dc4f26daf059e2067
Opcode Fuzzy Hash: 14089e4a97db8bd49c51948f718572ea66194308e5d336f193cf97c9286410df
Instruction Fuzzy Hash: 66827035A41215AFDB24DF68D888BA9B7B1FF58310F1481D9E4099B291DF30AE85CFA0

Function 00D2D410 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 394
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

GetModuleFileNameW.KERNEL32(00000000,?,00000104,70CDB3AB,?,00000000), ref: 00D2D58A
GetFileVersionInfoSizeW.KERNELBASE(?,?,?,00000000), ref: 00D2D5A8
GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,00000000), ref: 00D2D5D8
VerQueryValueW.KERNELBASE(00000000,\VarFileInfo\Translation,?,?), ref: 00D2D604

Strings

\VarFileInfo\Translation, xrefs: 00D2D5FE
PackagerCID, xrefs: 00D2D680
\StringFileInfo\%04x%04x\%s, xrefs: 00D2D4A5
PackagerLID, xrefs: 00D2D79E

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: File$InfoInit_thread_footerVersion$HeapModuleNameProcessQuerySizeValue
String ID: PackagerCID$PackagerLID$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2707572544-3816212884
Opcode ID: feb68c5642b69aed5bd12259c8bbc975442f22255ef5d51c1c42dbd1fcf24c27
Instruction ID: e896e7c9984f1b53607ae5368c8e0f0e4a01426b422158f0fa277f8c466997e0
Opcode Fuzzy Hash: feb68c5642b69aed5bd12259c8bbc975442f22255ef5d51c1c42dbd1fcf24c27
Instruction Fuzzy Hash: 37F1B371A006199FDB10DF68D888BAEF7B5FF54318F144199E819E7291DB34AD84CFA0

Function 00D27C00 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsW.KERNELBASE(00D45778,?,70CDB3AB,00D45778,Execution_x86), ref: 00D27C15

Strings

FileName, xrefs: 00D27C47
Options, xrefs: 00D27C65
ForceElevation, xrefs: 00D27C27
AdditionalOptionsForSilentMode, xrefs: 00D27CA1
WaitMode, xrefs: 00D27CB9
AdditionalOptionsForGuiMode, xrefs: 00D27C83
WaitTimeout, xrefs: 00D27CE4

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ExistsFilePath
String ID: AdditionalOptionsForGuiMode$AdditionalOptionsForSilentMode$FileName$ForceElevation$Options$WaitMode$WaitTimeout
API String ID: 1174141254-4188049611
Opcode ID: 2a98b9577860f1cd89359bcec0cfd5202d799c7ec89f7cb5cea3b8ce72717f58
Instruction ID: 0d1fc4426629198f5c1cff542b25d9163ed2add6480d1360ac3e4843d3b16eab
Opcode Fuzzy Hash: 2a98b9577860f1cd89359bcec0cfd5202d799c7ec89f7cb5cea3b8ce72717f58
Instruction Fuzzy Hash: 2D21FB72B001186BCB01AB54AC81ABF7B5EDFA5319F184069FC04A7342DE329E1797F5

Function 00D2FF2C Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048f235fcb9d8ec86a230828980a61b143b0a658da8711d3d214dd67c5457a94
Instruction ID: 808e29c2af20830b453c38f6577fcf261ddfaf7c8e48c28bad0e8abeb14a5ef2
Opcode Fuzzy Hash: 048f235fcb9d8ec86a230828980a61b143b0a658da8711d3d214dd67c5457a94
Instruction Fuzzy Hash: DAC1D274A04359AFCF11DFA8E865BAEBFB0AF1A314F184194E940EB392C7709941CB75

Function 00D2D530 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 295COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,70CDB3AB,?,00000000), ref: 00D2D58A
GetFileVersionInfoSizeW.KERNELBASE(?,?,?,00000000), ref: 00D2D5A8
GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,00000000), ref: 00D2D5D8
VerQueryValueW.KERNELBASE(00000000,\VarFileInfo\Translation,?,?), ref: 00D2D604

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

Strings

\VarFileInfo\Translation, xrefs: 00D2D5FE
PackagerCID, xrefs: 00D2D680
PackagerLID, xrefs: 00D2D79E

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: File$InfoInit_thread_footerVersion$HeapModuleNameProcessQuerySizeValue
String ID: PackagerCID$PackagerLID$\VarFileInfo\Translation
API String ID: 2707572544-2772592279
Opcode ID: fbd2bbed7754aac7e4e17ab7371fe932394835e1c801ba59c484e0a1e901e316
Instruction ID: 894148ae8d283ca01794e5fee5dcce82898b28f1ae8cbba76501af256a00ee92
Opcode Fuzzy Hash: fbd2bbed7754aac7e4e17ab7371fe932394835e1c801ba59c484e0a1e901e316
Instruction Fuzzy Hash: 4AC1C331A00619DFDB20DF28D888BA9F7B5FF55318F1842A9E819D7291DB34AD85CF60

Function 00D1D0B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 231registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

Part of subcall function 00D20690: GetModuleHandleW.KERNEL32(Advapi32.dll,?,000000BC,00000000,?,?,00D1F996,80000002,SOFTWARE\Sony Corporation\VAIO update,00020019,000000BC), ref: 00D206B4
Part of subcall function 00D20690: RegCloseKey.ADVAPI32(00000000,?,000000BC,00000000,?,?,00D1F996,80000002,SOFTWARE\Sony Corporation\VAIO update,00020019,000000BC), ref: 00D20717

RegQueryValueExW.KERNELBASE(00000000,00D4D2B8,00000000,00000001,00000000,?), ref: 00D1D18A
RegCloseKey.KERNELBASE(00000000), ref: 00D1D1FF
RegQueryValueExW.KERNELBASE(00000000,00D4D2B8,00000000,00D1C5B1,00000000,00000000,80000000,70CDB3AB,00D1C5B1,\shell\open\command,00000013), ref: 00D1D25E
RegCloseKey.KERNELBASE(00000000), ref: 00D1D2E5
RegCloseKey.ADVAPI32(00000000,80000000,?,?), ref: 00D1D31D

Strings

\shell\open\command, xrefs: 00D1D21D

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Close$Init_thread_footerQueryValue$HandleHeapModuleProcess
String ID: \shell\open\command
API String ID: 2189336815-3053425699
Opcode ID: f8aee6302a868b4335a54069b11bbcee82e64b1f761ef8aea186f0b8e5daf7e4
Instruction ID: 8b284285158cd82e4318b1c408e0217268ad463172724205004bbfd904552b7d
Opcode Fuzzy Hash: f8aee6302a868b4335a54069b11bbcee82e64b1f761ef8aea186f0b8e5daf7e4
Instruction Fuzzy Hash: 0A81AA71A00219AFDB14CFA8EC94BEEBBB9EF45304F14412CE911E7290DB78A944CB75

Function 00D17C70 Relevance: 10.7, APIs: 7, Instructions: 180COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D17CE0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D17D2A
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D17D52
__aulldvrm.LIBCMT ref: 00D17D71
__fread_nolock.LIBCMT ref: 00D17DE9
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00500000,00000000,?,?,?), ref: 00D17E2F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00500000,00000000,?,?,?), ref: 00D17E56

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CriticalSection$EnterLeave__fread_nolock$__aulldvrm
String ID:
API String ID: 209981013-0
Opcode ID: 4edaf15e390278b78a94b40f838a695801668b3de52f5ae70b7c553a1f2ffa0e
Instruction ID: e2f945ca2c8c6ef746f1d10844f7ef5526f7cdcd3bd543699ba6c9ae5a5cee81
Opcode Fuzzy Hash: 4edaf15e390278b78a94b40f838a695801668b3de52f5ae70b7c553a1f2ffa0e
Instruction Fuzzy Hash: 7351A375A0420AEBDF149F54E881BEEBBB5FF44310F18856AF8049B351EB759D808BB1

Function 00D227B0 Relevance: 10.6, APIs: 7, Instructions: 136windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00D227E7
SetDlgItemTextW.USER32(?,000003F3,00000000), ref: 00D22842
SetWindowLongW.USER32(?,000000F0,?), ref: 00D22876
SendMessageW.USER32(?,0000040A,00000000,00000000), ref: 00D2288F
SendMessageW.USER32(?,00000408,00000000,00000000), ref: 00D228D0
SendMessageW.USER32(?,00000402,00000064,00000000), ref: 00D228E3
SendMessageW.USER32(?,00000410,00000002,00000000), ref: 00D228F1

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

Part of subcall function 00D18780: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,00D45778), ref: 00D187BE
Part of subcall function 00D18780: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00D18809

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: MessageSend$FindInit_thread_footerLongResourceWindow$HeapItemProcessText
String ID:
API String ID: 1252265373-0
Opcode ID: c95d15568ac940e0c89bb5f56a952fc10e83bef342187646de9b90e1a5414c5e
Instruction ID: 2f154a03d9b311731a6c656e6a13b66faaefabccec191394570f1b568549b2d4
Opcode Fuzzy Hash: c95d15568ac940e0c89bb5f56a952fc10e83bef342187646de9b90e1a5414c5e
Instruction Fuzzy Hash: 7A412670600755FFE7118B24DC85F69BBA0FF01324F184229F6259A5D1CBB0ED60CBA0

Function 00D15290 Relevance: 10.6, APIs: 7, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D15B20: GetNamedSecurityInfoW.ADVAPI32(?,00000001,00000004,00000000,00000000,00000000,00000000,00000000,?,70CDB3AB), ref: 00D15B86

GetSecurityDescriptorDacl.ADVAPI32(00000000,00000000,00000000,?), ref: 00D152DE
GetAce.ADVAPI32(00000000,00000000,?), ref: 00D1532D
LocalFree.KERNEL32(00000000), ref: 00D153B9
LocalAlloc.KERNEL32(00000000,00000008), ref: 00D153C3
InitializeAcl.ADVAPI32(00000000,00000008,00000002), ref: 00D153D4
GetLastError.KERNEL32 ref: 00D153DE
LocalFree.KERNEL32(00000000), ref: 00D153F8

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Local$FreeSecurity$AllocDaclDescriptorErrorInfoInitializeLastNamed
String ID:
API String ID: 303464733-0
Opcode ID: 863bfbecefa788af4ee3bd09193fd2c36fa55b1785dfa64341cf227217e5a0f6
Instruction ID: ed16e50bf6f35651876518fff337ed9d63ee8c3f12a97383704861c83a793b54
Opcode Fuzzy Hash: 863bfbecefa788af4ee3bd09193fd2c36fa55b1785dfa64341cf227217e5a0f6
Instruction Fuzzy Hash: 73410674A05604FBDB108B64B844BEFBBF8AF92340F084059E855E7385DBB99985CBB0

Function 00D20690 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,000000BC,00000000,?,?,00D1F996,80000002,SOFTWARE\Sony Corporation\VAIO update,00020019,000000BC), ref: 00D206B4
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00D206CB
RegOpenKeyExW.KERNELBASE(000000BC,00020019,00000000,?,00000000,?,000000BC,00000000,?,?,00D1F996,80000002,SOFTWARE\Sony Corporation\VAIO update,00020019,000000BC), ref: 00D20704
RegCloseKey.ADVAPI32(00000000,?,000000BC,00000000,?,?,00D1F996,80000002,SOFTWARE\Sony Corporation\VAIO update,00020019,000000BC), ref: 00D20717

Strings

Advapi32.dll, xrefs: 00D206AF
RegOpenKeyTransactedW, xrefs: 00D206C5

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: 912a74258ebc0a3f3cc8ffc4bf654518636e21834fb75fb637ff0fa73d7d37e1
Instruction ID: bd95f74549fac4d22b61ed366f87fa82d9d420df6f30db1f741425c1e27117b2
Opcode Fuzzy Hash: 912a74258ebc0a3f3cc8ffc4bf654518636e21834fb75fb637ff0fa73d7d37e1
Instruction Fuzzy Hash: 1E11D031601215FBDB208F54EC48F5ABBB9EF68305F188025F905D7291D771E910DB70

Function 00D17B70 Relevance: 9.1, APIs: 6, Instructions: 89filetimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D17C70: __fread_nolock.LIBCMT ref: 00D17CE0
Part of subcall function 00D17C70: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D17D2A
Part of subcall function 00D17C70: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D17D52

CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,?), ref: 00D17BE8
GetLastError.KERNEL32(?,?,?,?,80004005), ref: 00D17BF0
SetFileTime.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,80004005), ref: 00D17C10
CloseHandle.KERNEL32(00000000,?,?,?,?,80004005), ref: 00D17C1D
GetLastError.KERNEL32(?,?,?,?,80004005), ref: 00D17C2E
CloseHandle.KERNEL32(00000000,?,?,?,?,80004005), ref: 00D17C44

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CloseCriticalErrorFileHandleLastSection$CreateEnterLeaveTime__fread_nolock
String ID:
API String ID: 328854730-0
Opcode ID: bd89c6959bc1fd25508bc1a0115d38d0c672a76982791b2331eef8c3139e745d
Instruction ID: 069ed6057d8a3c34c9026aeafaa32d94f01e60fa2a8c1b24e81bb63ed2470dea
Opcode Fuzzy Hash: bd89c6959bc1fd25508bc1a0115d38d0c672a76982791b2331eef8c3139e745d
Instruction Fuzzy Hash: 7F2105377043147BDB310E59AC05BAA7B76EB40761F140225FE05E62E0EB62AD649BF0

Function 00D12BF0 Relevance: 9.1, APIs: 6, Instructions: 55timefileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 00D12C10
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00D12C31
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D12C60
SetFileTime.KERNELBASE(00000000,?,00000000,?), ref: 00D12C6F
CloseHandle.KERNEL32(00000000), ref: 00D12C76
SetFileAttributesW.KERNELBASE(?,?), ref: 00D12C83

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: File$Time$AttributesCloseCreateDateHandleLocal
String ID:
API String ID: 820720069-0
Opcode ID: e7abd0d4e5daeebe780968291b4c9d9931c39e9cfeef48a9a855455d4e656ab2
Instruction ID: 0360583c1cbce167d58fc4a71c469ccfa5bbf9d403dcc9648073a0904394c126
Opcode Fuzzy Hash: e7abd0d4e5daeebe780968291b4c9d9931c39e9cfeef48a9a855455d4e656ab2
Instruction Fuzzy Hash: D5118C35604305BBD711DF24DC48BAB7BA9EF89720F044A19F954D62A0DB709A548AA2

Function 00D2D920 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 261COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,70CDB3AB,00000000,00000000,00000000), ref: 00D2D96B
GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00D2D989
GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,00000000), ref: 00D2D9B9

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

Strings

\VarFileInfo\Translation, xrefs: 00D2D9DF
ProductName, xrefs: 00D2DA5A

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: File$InfoInit_thread_footerVersion$HeapModuleNameProcessSize
String ID: ProductName$\VarFileInfo\Translation
API String ID: 374866722-1082745354
Opcode ID: dc7a2a6360f563586a34ae60ccc20f99e528f47f31028dbcf49c9f3236bb4f07
Instruction ID: b9fef218f4580aa7d437f6c3dbf2b3972e426996cf5a6699e48121f5dccdc511
Opcode Fuzzy Hash: dc7a2a6360f563586a34ae60ccc20f99e528f47f31028dbcf49c9f3236bb4f07
Instruction Fuzzy Hash: EBA1D571A006199FCB20DF68EC98BA9B7F5FF55324F1442A9E819D7290DB30AD84CF60

Function 00D159B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,70CDB3AB,00000000,00000000,?,?,?,?,00000000,00D44D28,000000FF,?,00D156E1,00000000,?,00000001), ref: 00D159E4
GetProcAddress.KERNEL32(00000000,?), ref: 00D15A19
TreeResetNamedSecurityInfoW.ADVAPI32(?,00000001,20000004,00000000,00000000,00000001,00000000,00D156E1,00000000,00000001,00000000,?), ref: 00D15A68

Strings

Advapi32.dll, xrefs: 00D159DF
foW, xrefs: 00D159FB

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: AddressHandleInfoModuleNamedProcResetSecurityTree
String ID: Advapi32.dll$foW
API String ID: 4240558307-761691787
Opcode ID: d12c642c07335672d3266635ee1ead3490547d39d0f0961a1171389913d6bde3
Instruction ID: 18e871093ba562c7ce268d5061bef8629c5a75207a36267095bd882e6707dfda
Opcode Fuzzy Hash: d12c642c07335672d3266635ee1ead3490547d39d0f0961a1171389913d6bde3
Instruction Fuzzy Hash: DB318F35E41B19ABD710CF68EC45B9DB7B4FF05720F048355F811A7290EB74A9408BA0

Function 00D1FB80 Relevance: 7.7, APIs: 5, Instructions: 216windowsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00D1DC20: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 00D1DC8A

WaitForSingleObject.KERNEL32(000003E8,000003E8,70CDB3AB), ref: 00D1FBC1
SendMessageW.USER32(00000000,00008116,00000000,00000000), ref: 00D1FCF9
SendMessageW.USER32(00000000,00008116,00000000,00000000), ref: 00D1FD3C
PostMessageW.USER32(00000000,0000811E,00000000,00000000), ref: 00D1FD57
PostMessageW.USER32(?,00008120,00000000,00000000), ref: 00D1FD7A

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Message$PostSend$FileModuleNameObjectSingleWait
String ID:
API String ID: 3772598651-0
Opcode ID: bef21c163474575ec0e27095b6a841ebf488b2bd9374790d00cba279332e8c4e
Instruction ID: a4348a7b85a45e0f3d05d680e7937c982f5dc0714a095e98dc5c9483c2792f54
Opcode Fuzzy Hash: bef21c163474575ec0e27095b6a841ebf488b2bd9374790d00cba279332e8c4e
Instruction Fuzzy Hash: 6B71E770604745BBDB21CF28E885BAAB7E6EF45720F18466DE9559B2D1DF30D880CBB0

Function 00D16750 Relevance: 7.6, APIs: 5, Instructions: 126COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D167D1
__fread_nolock.LIBCMT ref: 00D16825
__fread_nolock.LIBCMT ref: 00D16847
__fread_nolock.LIBCMT ref: 00D16859
__fread_nolock.LIBCMT ref: 00D1686E

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: c1e3b38c02735ddfd460862a487928dc54cc803e5fa17e6ca5c4c77eebdd6cf7
Instruction ID: 4ca1d12c01ad13dd8e7cddd02053b1138ac62ca82692fde5fad9576dc1bdc966
Opcode Fuzzy Hash: c1e3b38c02735ddfd460862a487928dc54cc803e5fa17e6ca5c4c77eebdd6cf7
Instruction Fuzzy Hash: 86419471D00219ABDF20DE58DC91BEEB7A9FF55310F088955FD18AB280EB71D9808BB1

Function 00D22E30 Relevance: 7.6, APIs: 5, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

Part of subcall function 00D18780: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,00D45778), ref: 00D187BE
Part of subcall function 00D18780: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00D18809

SetDlgItemTextW.USER32(00000006,00000002,?), ref: 00D22E95
IsWindow.USER32(?), ref: 00D22E9E
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00D22EAD
GetSystemMenu.USER32(00000006,00000000,?,?,?,00000000,00D45AE8,000000FF,?,00D21549), ref: 00D22EB8
EnableMenuItem.USER32(00000000,0000F060,00000000), ref: 00D22ECA

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: FindInit_thread_footerItemMenuResource$CallbackDispatcherEnableHeapProcessSystemTextUserWindow
String ID:
API String ID: 2041721316-0
Opcode ID: 3c2a0dafa08b96aea9afb27e2e6db3ddb41a79086546b249013e0693627dd1ac
Instruction ID: bf9a87007080fa6b7cce980e85f733e939d08da18918b056ef644aa93fa00f65
Opcode Fuzzy Hash: 3c2a0dafa08b96aea9afb27e2e6db3ddb41a79086546b249013e0693627dd1ac
Instruction Fuzzy Hash: 7421D731600B05BFD7119F64EC1AF6ABBA8FF04721F144629F921D76E0DB71A910CB60

Function 00D30FF2 Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?), ref: 00D31008
GetLastError.KERNEL32(?,?,?), ref: 00D31012
__dosmaperr.LIBCMT ref: 00D31019
SetFilePointerEx.KERNELBASE(?,?,?,?,?), ref: 00D31037
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00D3105D

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: FilePointer$ErrorLast__dosmaperr
String ID:
API String ID: 1114809156-0
Opcode ID: f4c23f9b4583be1b38f4580999bdc326d0d70dbef90d44a45e7f06c2b607a9bc
Instruction ID: 61ca9fee09eb79219dc7f42790289d1930dc473ae254883dcf8050c1d0fdf7da
Opcode Fuzzy Hash: f4c23f9b4583be1b38f4580999bdc326d0d70dbef90d44a45e7f06c2b607a9bc
Instruction Fuzzy Hash: 7E018C79901269BBCF209FA5DD088EF7F3DEF05760F104295F928962A0C7318A90DBB0

Function 00D1A410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

GetTempPathW.KERNEL32(00000105,?,?,00000010,?,00000000,00D4527D,000000FF,?,80004005,80004005), ref: 00D1A4B2
PathFileExistsW.KERNELBASE(00000000,?,00000001,?,?,00000010,?,00000000,00D4527D,000000FF,?,80004005,80004005), ref: 00D1A56E
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000010,?,00000000,00D4527D,000000FF,?,80004005,80004005), ref: 00D1A57A

Strings

SPackTool, xrefs: 00D1A582

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Init_thread_footerPath$CreateDirectoryExistsFileHeapProcessTemp
String ID: SPackTool
API String ID: 1121568719-339126481
Opcode ID: 38d0cdc79e87d82e84c87a5b003b6e86f24a4424b7e49cdc5cbad47b26acae3d
Instruction ID: 494510994bbd5139f437b71cc7ba7c26e11550b6a3cb91b412f01863af283b63
Opcode Fuzzy Hash: 38d0cdc79e87d82e84c87a5b003b6e86f24a4424b7e49cdc5cbad47b26acae3d
Instruction Fuzzy Hash: BA41FF71A02601AFEB149F28E859BEEF3A2EF44710F084169E5059B290EF759980CB71

Function 00D28450 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?,?,70CDB3AB,?,?,00000000,00D45778,000000FF,?,80004005,70CDB3AB), ref: 00D28491
PathIsDirectoryW.SHLWAPI(?), ref: 00D284A0

Strings

Package, xrefs: 00D284BC
ProductName, xrefs: 00D284B7

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Path$DirectoryExistsFile
String ID: Package$ProductName
API String ID: 1302732169-1800297090
Opcode ID: 5a9bdd6c92c27d5f42a0b87d3aae13eba564fcd5ef1c1d3873f6f649befcc696
Instruction ID: 7dbb387e59431812746485b35670132fa16a3b9ec6cca0414ac1b929cb54711b
Opcode Fuzzy Hash: 5a9bdd6c92c27d5f42a0b87d3aae13eba564fcd5ef1c1d3873f6f649befcc696
Instruction Fuzzy Hash: 78119D71601615EBC710DFA9EC85B6ABBA8FB59724F14832EF421D7391DF35A8009BB0

Function 00D168C0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D169BF
__fread_nolock.LIBCMT ref: 00D169D8

Strings

!!!53AAED7C-68E7-413C-A5FD-D9F76477D66A, xrefs: 00D16A7C

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: __fread_nolock
String ID: !!!53AAED7C-68E7-413C-A5FD-D9F76477D66A
API String ID: 2638373210-1292548740
Opcode ID: 5743fb7abff1d69542ff11b66e53157634e9d689be8ee593fba9336cdcd7064c
Instruction ID: ae1c5183733f37550155dccd1a2f826b29465944990794c573e68bb525ea43a1
Opcode Fuzzy Hash: 5743fb7abff1d69542ff11b66e53157634e9d689be8ee593fba9336cdcd7064c
Instruction Fuzzy Hash: 25A18271A00209AFDB00DFA8D940BDEB7F5EF55314F188169E815EB245EB31D984CBB0

Function 00D12310 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 251synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000000,70CDB3AB), ref: 00D12359

Strings

W, xrefs: 00D125A9

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ObjectSingleWait
String ID: W
API String ID: 24740636-2737232454
Opcode ID: 34ae646482d671f5816c51a2e70c70c54cceb6811744e8e6b45bab1b1acc568e
Instruction ID: 5a9090a027646064587a90c5dc0dcc2b1b2e8f9f034d97832f31ebd683446084
Opcode Fuzzy Hash: 34ae646482d671f5816c51a2e70c70c54cceb6811744e8e6b45bab1b1acc568e
Instruction Fuzzy Hash: EBA19070A0150AABDB10DF68DC98BE9F7B5FF54310F188299E41997291EB31EE94CF60

Function 00D23CB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,00000000), ref: 00D23D1A
SetWindowLongW.USER32(00000001,00000000,00000000), ref: 00D23D66

Strings

$, xrefs: 00D23CED

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CallbackDispatcherLongUserWindow
String ID: $
API String ID: 2095706538-3993045852
Opcode ID: 68a43232f1c147dc8301eb4b63065fafb0a0d134188fa48f6fe61f9dc528e01d
Instruction ID: 0da1ded19e2b46461f7146f37f8cf48ab9fcbf0d74b98c7791db27862db0a109
Opcode Fuzzy Hash: 68a43232f1c147dc8301eb4b63065fafb0a0d134188fa48f6fe61f9dc528e01d
Instruction Fuzzy Hash: 2F315A75900218ABCF24CF59E48479EBBB1EF58718F28815AE8089B295C378DE55CFA0

Function 00D3095C Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f849e85d34b290ee65b87c1a66f2721674c3226c8fffa89d5f9bd067347709
Instruction ID: 431237681359f1838a28d0c586f2cc4ae00a8d1d774fc10fe1301e658496d420
Opcode Fuzzy Hash: a4f849e85d34b290ee65b87c1a66f2721674c3226c8fffa89d5f9bd067347709
Instruction Fuzzy Hash: AD51CE71E0021AABDB11DFA8E865FAEBFB8EF15318F180059F504AB292D7319901CB71

Function 00D11CC0 Relevance: 4.7, APIs: 3, Instructions: 167threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D11CED
TlsSetValue.KERNEL32(00000001,00000000,?,?,?,?,Function_000349A0,000000FF), ref: 00D11D21
TlsGetValue.KERNEL32(?,?,?,?,Function_000349A0,000000FF), ref: 00D11D31

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Value$CurrentThread
String ID:
API String ID: 1393879374-0
Opcode ID: 207e391c3163a5f01672625201fd23027e46c55a4e2aaa1e497e77c9c99dc316
Instruction ID: ea803571c7e9ee27ce7481f8a8714a69dfacbdf057f93c2d8457731a39efec0c
Opcode Fuzzy Hash: 207e391c3163a5f01672625201fd23027e46c55a4e2aaa1e497e77c9c99dc316
Instruction Fuzzy Hash: 1A515175600902AFE311CF29D948A55F7E5FF45321B58C769E525C76A5EB30EC80CFA0

Function 00D30C91 Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,00000000,?,00D30BAF,00000000,00D52558,0000000C), ref: 00D30CE7
GetLastError.KERNEL32(?,00D30BAF,00000000,00D52558,0000000C), ref: 00D30CF1
__dosmaperr.LIBCMT ref: 00D30D1C

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 15f67b5c786f8116082337cd4230d082eaecd62e344d3072f9f4e14b9032a630
Instruction ID: 0a803311aa56cb2cb7c1a9537c6fb69b7604da92054bdbf26f351d0d34a02e3a
Opcode Fuzzy Hash: 15f67b5c786f8116082337cd4230d082eaecd62e344d3072f9f4e14b9032a630
Instruction Fuzzy Hash: 8B0189336096204AC6241374BD6573E6FA9CF82B30F3D0349F804CB2C2DA21CC8182F0

Function 00D33A7F Relevance: 4.6, APIs: 3, Instructions: 54threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,?,Function_0002392B,00000000,00000000,00000000), ref: 00D33AC8
GetLastError.KERNEL32(?,?,?,00D21F10,00000000,00000000), ref: 00D33AD4
__dosmaperr.LIBCMT ref: 00D33ADB

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 11080d1ea32cc92ca153ff43be3ff403032bfc7f282562366cb2542e5403a885
Instruction ID: 4e92fc7631bdc960b850e8212bca89f64f067209456a3eeb9857f7222f3b027c
Opcode Fuzzy Hash: 11080d1ea32cc92ca153ff43be3ff403032bfc7f282562366cb2542e5403a885
Instruction Fuzzy Hash: F401BC37108229AFCB25AFA1DD05AAF7F69EF85320F150068F94587250DB72DA11DBB0

Function 00D30F74 Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,?,00000000,00000010,00000000,00D525D8,00D525D8,?,00D310B2,?,00000000,00000002,00000000), ref: 00D30FAD
GetLastError.KERNEL32(?,00D310B2,?,00000000,00000002,00000000,?,00D30A14,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 00D30FB7
__dosmaperr.LIBCMT ref: 00D30FBE

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 045e361a883f49026b0e59e098879ce30780647fc9b99c9cb2a397935fd92821
Instruction ID: d12762620a21139c2a88af6336cb705980a99bbb808b816fa15cae5179d037f8
Opcode Fuzzy Hash: 045e361a883f49026b0e59e098879ce30780647fc9b99c9cb2a397935fd92821
Instruction Fuzzy Hash: 57012432614618AFCB259F99EC158AE3F29EF85331F280249F910CB2D0EA31DD018BB0

Function 00D11A50 Relevance: 4.5, APIs: 3, Instructions: 47COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000001,?), ref: 00D11A81
SetFileAttributesW.KERNEL32(?,00000080,?), ref: 00D11A96
__wsopen_s.LIBCMT ref: 00D11AB6

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: AttributesFileValue__wsopen_s
String ID:
API String ID: 1350581000-0
Opcode ID: 7904fc4f3c40392e366d5e53de8a8346910346630528dc9a371f7147c5158d94
Instruction ID: 7b1e84bbeb18c608a0c53fe9ee7728c375b11268d12a2676889e5a44a2696f6d
Opcode Fuzzy Hash: 7904fc4f3c40392e366d5e53de8a8346910346630528dc9a371f7147c5158d94
Instruction Fuzzy Hash: C3018074A00209ABCB14EF64DC45AEA7778EF15310F044698F95997290DB70AED5CFA0

Function 00D11EE0 Relevance: 3.3, APIs: 2, Instructions: 330filethreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D11F5D
DeleteFileW.KERNEL32(?), ref: 00D122C9

Part of subcall function 00D116F0: __CxxThrowException@8.LIBVCRUNTIME ref: 00D11706
Part of subcall function 00D116F0: HeapAlloc.KERNEL32(?,00000000,?,?,?,00D52C84,?,?,00D136E6,80070057,?,?,?,00D12FB0,?,?), ref: 00D1171B

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: AllocCurrentDeleteException@8FileHeapThreadThrow
String ID:
API String ID: 276536369-0
Opcode ID: 467e37480c7cb6fd5c1553f92751082925891b26fc45a82d257e2d288e19bf18
Instruction ID: 7713b4f5a6c637de1c6ad93646da753a5b3d3959e8e240507c725a71417c9201
Opcode Fuzzy Hash: 467e37480c7cb6fd5c1553f92751082925891b26fc45a82d257e2d288e19bf18
Instruction Fuzzy Hash: 07D1AD31600705AFD724CF28E889BAAB3F1FF54314F148658E54A97691EB32E995CFA0

Function 00D11ED1 Relevance: 3.3, APIs: 2, Instructions: 300threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D11F5D

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: eded8f80f7523502387687017f5f7e5d5988a5b662b9cbedd5046f32eeb1b94b
Instruction ID: 678fe5967f9148156f647c817014aac053fe4b5ff92e9bed0ba1c6d15bb6d9ed
Opcode Fuzzy Hash: eded8f80f7523502387687017f5f7e5d5988a5b662b9cbedd5046f32eeb1b94b
Instruction Fuzzy Hash: 59C19C31600705AFD724CF24E889BAAB3F1FF15314F148659E44A97691EB32E9D5CF60

Function 00D3392B Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00D52678,00000010), ref: 00D3393E
ExitThread.KERNEL32 ref: 00D33945

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: fc7979c7565b1c6fcba05c25cbc2435badaa8a83074f8b540be18c41f3bac2e4
Instruction ID: 1aa74f68573eec032f7dc7be925b6f80c735288a764bb14869e1954714a5c6f7
Opcode Fuzzy Hash: fc7979c7565b1c6fcba05c25cbc2435badaa8a83074f8b540be18c41f3bac2e4
Instruction Fuzzy Hash: 4FF0A974900304AFCB04AFB0D90AB6D7B74FF45710F140588F801AB2A2CBB06944DFB0

Function 00D41C2C Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00D42B37

Part of subcall function 00D415F8: RaiseException.KERNEL32(?,?,?,?,?,?,?), ref: 00D41658

__CxxThrowException@8.LIBVCRUNTIME ref: 00D42B54

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID:
API String ID: 3476068407-0
Opcode ID: c08d14f7850ffa4c9c2120366221c36c26e74e3a8681b825060470b7858cbe62
Instruction ID: f3c19c37bf5fc46af15dfca114f57c6561cacb3dcad0ee37f26403eda3ba97ec
Opcode Fuzzy Hash: c08d14f7850ffa4c9c2120366221c36c26e74e3a8681b825060470b7858cbe62
Instruction Fuzzy Hash: AAF0BE3894020DBB8B04BEA4ED5ADACB33CCA00320F904120BD25E18D1EB70EA8D86F0

Function 00D1FE60 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?,00000008,00D1E4B7,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D1FE64
CreateDirectoryW.KERNELBASE(?,00000000,?,00000008,00D1E4B7), ref: 00D1FE70

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CreateDirectoryExistsFilePath
String ID:
API String ID: 2624722123-0
Opcode ID: c85c15a70cff9e00c8f961d343d66d2ba06533ad02aedb3e345d818eb7e21de2
Instruction ID: ed361985fba8658739d150964ca467a93e292377d6c1e105b7e2acda1b991707
Opcode Fuzzy Hash: c85c15a70cff9e00c8f961d343d66d2ba06533ad02aedb3e345d818eb7e21de2
Instruction Fuzzy Hash: 05C08C3221A7307B2E512F747C09AEB339C9F132A130D01A6F801C2229EB908EC325F4

Function 00D313B9 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547b9d3942d9302d61c2489017d13f62519e86ce4d6c7339f332d6fe9d214fb0
Instruction ID: dc102fc85a15879ce2cafade15897528a9e4b3796023635921615b143b04c9ce
Opcode Fuzzy Hash: 547b9d3942d9302d61c2489017d13f62519e86ce4d6c7339f332d6fe9d214fb0
Instruction Fuzzy Hash: 1151D479A00259AFDB10CF68C841EA97BB5EF85364F198168E8499B391C731ED42CBB0

Function 00D1E761 Relevance: 1.6, APIs: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00008115,?,00000000), ref: 00D1E7EA

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5ba5da73776e69eb224e393582df4d06a3db3504408f46d2084778e25a60f5e3
Instruction ID: 2921c76010ac4c7a72454f4170449eebf01d2ad34e915b27e2f061fc00dad713
Opcode Fuzzy Hash: 5ba5da73776e69eb224e393582df4d06a3db3504408f46d2084778e25a60f5e3
Instruction Fuzzy Hash: 3B11DA30640605ABFB248B58A8C57ADB3A5EB84724F28436AED15AB2D2CF356CC1C774

Function 00D15B20 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetNamedSecurityInfoW.ADVAPI32(?,00000001,00000004,00000000,00000000,00000000,00000000,00000000,?,70CDB3AB), ref: 00D15B86

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: InfoNamedSecurity
String ID:
API String ID: 1443090519-0
Opcode ID: e9076c2db63c378bf64d4d102ea92e09f2c5ba475ef56ebcfa3b9fe56622aebb
Instruction ID: 89d7f9e493b7c650796acdaa68fb8c79b89f8e07d56114f173489e1ee6d7dba5
Opcode Fuzzy Hash: e9076c2db63c378bf64d4d102ea92e09f2c5ba475ef56ebcfa3b9fe56622aebb
Instruction Fuzzy Hash: 5E119031A00605AFD720CF58DC45FAAF7B8EB85720F204769F825E73D0DB75A9048B60

Function 00D36B0A Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00D36B48

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 22a7f07ef3925f1fd86ca61bc1bdab885ff9f32ed90bac70dd5b566d4cf24e5c
Instruction ID: 0312a07d96f2df39c0250cb0ca131075d38244e2e3d500809178619c713d7a71
Opcode Fuzzy Hash: 22a7f07ef3925f1fd86ca61bc1bdab885ff9f32ed90bac70dd5b566d4cf24e5c
Instruction Fuzzy Hash: 4A111871A0420AAFCB05DF58E94199ABBF5EF48310F1444A9F809EB351D631DA258B75

Function 00D20610 Relevance: 1.6, APIs: 1, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00D4D2B8,00000000,00000000,00000000,?,00000000,70CDB3AB,?,00D1D2A7,00000000,?,00D1C5B1), ref: 00D2063A

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0dae8f5dfc396b89dbe79c59eea6437211354e3605d61112e87d25eda769eaa3
Instruction ID: 06523744cf8f83d9d47b4dc6b10a44d005e042242e21a1be08f5ee5c367247c8
Opcode Fuzzy Hash: 0dae8f5dfc396b89dbe79c59eea6437211354e3605d61112e87d25eda769eaa3
Instruction Fuzzy Hash: BE0171326002259BDB248F59E841FAAB7A8EFA4715F18442AED14C7291D3B1D860C7E0

Function 00D31247 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f407dd03f602743dff2079fdc306f43a2bce5ca4ed51b34785bbfad9e7900a3
Instruction ID: 26baa46daada1279504dd552e5027d38b9840c28a1096aefd29cfe12e71b9d23
Opcode Fuzzy Hash: 4f407dd03f602743dff2079fdc306f43a2bce5ca4ed51b34785bbfad9e7900a3
Instruction Fuzzy Hash: A4F0C83E500A246AD6223A69AC03B5B3B98CF42374F158715F864D75D2CEB4E90297BD

Function 00D36357 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00D42D2F,?,?,00D41564,?,?,?,?,?,00D42CC0,00D42D2F,?,?,?,?), ref: 00D36389

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2360420286ab3f018b898826e140c47c20abb1d966afc7bdf5e7f91c3e93d35c
Instruction ID: 6d3e40018f9b5d7122cac877c994a67a5b4d73b45fb11bddfb27d8f2b3896d67
Opcode Fuzzy Hash: 2360420286ab3f018b898826e140c47c20abb1d966afc7bdf5e7f91c3e93d35c
Instruction Fuzzy Hash: B5E09231205324BBEB213AA5AC04B9A7A88DF827B0F2E8120FC49DB1D0DB61DC4085F1

Function 00D15AC0 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

LookupAccountSidW.ADVAPI32(00000000,-00000008,?,00000100,?,?,?), ref: 00D15B07

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: AccountLookup
String ID:
API String ID: 4168731179-0
Opcode ID: 1afef272e2d43a8b81e3739848559f03ab19dc32762a30d6fd6c842cec4135b2
Instruction ID: a0511f35712f1a050ce519413d664b3093736b2f324dc4da44ca9bb08d132f18
Opcode Fuzzy Hash: 1afef272e2d43a8b81e3739848559f03ab19dc32762a30d6fd6c842cec4135b2
Instruction Fuzzy Hash: B4F012B590131C9BD711DF50DC49BDBB7BCEB04300F1042DAA859D2241DA746E888EA0

Function 00D2F303 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00D2F66D,?,?,00000000,?,00D2F66D,00000000,0000000C), ref: 00D2F320

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 60df5843aac4221d648910f79729a2d328cc2f2db55d1e07d7dc04e4cf692faf
Instruction ID: c8f6d7d5d587b0b10488c7e11dc79a56819fad9b61aa2508e96ad20720de3209
Opcode Fuzzy Hash: 60df5843aac4221d648910f79729a2d328cc2f2db55d1e07d7dc04e4cf692faf
Instruction Fuzzy Hash: A4D06C3200020DBFDF128F84DC06EDA3BAAFB48714F014000BA1896160C732E861AB90

Function 00D11BC0 Relevance: 1.3, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000001), ref: 00D11BD0

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 9db1aa600665f5a6ea7e741822f274f8a8bc8f42e0f91a2c108bf4e1a1cec67f
Instruction ID: e43488d35136769993ecc3b79cfe05e742c32f0a01478a56741c065cd0ebe47c
Opcode Fuzzy Hash: 9db1aa600665f5a6ea7e741822f274f8a8bc8f42e0f91a2c108bf4e1a1cec67f
Instruction Fuzzy Hash: 67D0C9342043086B8F081B78AC0586937A9AB197257404A14F92AC62A0EB31D8A18664

Non-executed Functions

Function 00D2BED0 Relevance: 38.1, APIs: 25, Instructions: 647processsynchronizationCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000000,70CDB3AB,74DEDFCE,00000000,?), ref: 00D2BF2E
ResetEvent.KERNEL32(?), ref: 00D2BF3F
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D2BF92
GetLastError.KERNEL32 ref: 00D2BF9A
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000000), ref: 00D2BFB3
WaitForSingleObject.KERNEL32(?,00000000), ref: 00D2C005
Process32FirstW.KERNEL32(00000000,?), ref: 00D2C028
Process32NextW.KERNEL32(00000000,0000022C), ref: 00D2C0AA
CloseHandle.KERNEL32(00000000), ref: 00D2C0B9
__dtol3.LIBCMT ref: 00D2C127
__dtol3.LIBCMT ref: 00D2C142
EnterCriticalSection.KERNEL32(?), ref: 00D2C165
CloseHandle.KERNEL32(00000000), ref: 00D2C233
LeaveCriticalSection.KERNEL32(?), ref: 00D2C28C
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000000), ref: 00D2C2A6

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Wait$MultipleObjects$CloseCriticalHandleProcess32Section__dtol3$CreateEnterErrorEventFirstLastLeaveNextObjectResetSingleSnapshotToolhelp32
String ID:
API String ID: 2898051543-0
Opcode ID: 18ecfca1edee7ed565f4b96e58503e5cb8545a737e27cd638b8ef6bdb31667aa
Instruction ID: 4a7c8dee27aaa98d387c68d0f011213179aeae240b28526a13851392c3bfd222
Opcode Fuzzy Hash: 18ecfca1edee7ed565f4b96e58503e5cb8545a737e27cd638b8ef6bdb31667aa
Instruction Fuzzy Hash: 57424D30A113298FDB20DF54DC88B6DB7B5EF65318F1851D9D409AB2A1DB70AD85CF60

Function 00D1B350 Relevance: 16.8, APIs: 11, Instructions: 311fileCOMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00D1B3BA
FindFirstFileW.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00D1B454
DeleteFileW.KERNEL32(00000010,?,?,?,?,?,?,?,?,00000000), ref: 00D1B654
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00D1B65C
GetFileAttributesW.KERNEL32(00000010,?,?,?,?,?,?,?,?,00000000), ref: 00D1B66C
SetFileAttributesW.KERNEL32(00000010,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D1B682
DeleteFileW.KERNEL32(00000010,?,?,?,?,?,?,?,?,00000000), ref: 00D1B689

Part of subcall function 00D116F0: __CxxThrowException@8.LIBVCRUNTIME ref: 00D11706
Part of subcall function 00D116F0: HeapAlloc.KERNEL32(?,00000000,?,?,?,00D52C84,?,?,00D136E6,80070057,?,?,?,00D12FB0,?,?), ref: 00D1171B

FindNextFileW.KERNEL32(000000FF,?,?,?,?,?,?,00000000), ref: 00D1B69D
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00D1B6AB
FindClose.KERNEL32(000000FF,?,?,?,?,?,00000000), ref: 00D1B6B2
RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00D1B6C1

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: File$Find$AttributesDeleteErrorLast$AllocCloseDirectoryException@8FirstHeapNextRemoveThrow_wcsrchr
String ID:
API String ID: 1402220867-0
Opcode ID: 95efc7d7f6e8b6c45a8f5c527b0449736866491b0ee4ecac7f2db6504423b215
Instruction ID: 1ab5ff267d3c9119f12ee5b3569578b317c435e2027373bf790d91fce175aae4
Opcode Fuzzy Hash: 95efc7d7f6e8b6c45a8f5c527b0449736866491b0ee4ecac7f2db6504423b215
Instruction Fuzzy Hash: 1AC1B230A04616AFDB24EF24DC48BA9B3B1FF51324F184299E4199B291DF319E85CF60

Function 00D2E688 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00D2E594,?,00000000,00D23C5D,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D2E68A
GetProcessHeap.KERNEL32(00000008,00000008,00000000,?,0000000C,00D2E594,?,00000000,00D23C5D,?,?,80004005,80004005,?,00D230FB,?), ref: 00D2E6B0
HeapAlloc.KERNEL32(00000000,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D2E6B7
InitializeSListHead.KERNEL32(00000000,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D2E6C4
GetProcessHeap.KERNEL32(00000000,00000000,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D2E6D9
HeapFree.KERNEL32(00000000,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D2E6E0

Strings

X[x, xrefs: 00D2E694, 00D2E6E8

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID: X[x
API String ID: 1475849761-2592070539
Opcode ID: 0c8c9c8f7db3b50aea7f722c5beb44f7a8c756a4b2d307447efa41481d0f9ce2
Instruction ID: fef615e5a80a1f3604f43018683b231c1db50b0b5e092aa49bca9c88d568ddd3
Opcode Fuzzy Hash: 0c8c9c8f7db3b50aea7f722c5beb44f7a8c756a4b2d307447efa41481d0f9ce2
Instruction Fuzzy Hash: 61F062356457119BEB219F79BC08B1677F8EFA5717F190869F995D3390DB70840086B0

Function 00D3A172 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00D3A2B8

Strings

1#SNAN, xrefs: 00D3B4B7
1#INF, xrefs: 00D3B4C5
1#IND, xrefs: 00D3B4B0
1#QNAN, xrefs: 00D3B4BE

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7dce635ba7f5d401cca2635f4705057b58689ce5253567bd79388c193500d6dd
Instruction ID: 00711a9bbfd8fb287cf1285753f23dcbc72fa5fa53cac29e47788709209e8e73
Opcode Fuzzy Hash: 7dce635ba7f5d401cca2635f4705057b58689ce5253567bd79388c193500d6dd
Instruction Fuzzy Hash: 94C25D72E046288FDB25CF28DD407EAB7B5EB44315F1941EAD48DE7240E778AE818F61

Function 00D11120 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00000010,00000104), ref: 00D111B8
LoadLibraryW.KERNEL32(?), ref: 00D1122E
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D1127A

Strings

Wow64DisableWow64FsRedirection, xrefs: 00D11274
kernel32.dll, xrefs: 00D111F4

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: AddressDirectoryLibraryLoadProcSystem
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 1849391631-3689287502
Opcode ID: fd7c4870cd8946546f98359930205a48459db51ad174b7731f0d953471f9fe8a
Instruction ID: 3fbf1bb4c91b40e8ea86fbfa0b668371149faeb6c3e09fbfb405a8547f61d699
Opcode Fuzzy Hash: fd7c4870cd8946546f98359930205a48459db51ad174b7731f0d953471f9fe8a
Instruction Fuzzy Hash: 1B41F235A01606AFD700DF68EC45B9AF7B4FF00321F18426DEA24D7390EB749984CBA0

Function 00D24350 Relevance: 6.3, APIs: 4, Instructions: 301fileCOMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00D24398
FindFirstFileW.KERNEL32(00000000,?,?,?,00000250,000000BC), ref: 00D2443B

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: FileFindFirst_wcsrchr
String ID:
API String ID: 2346706130-0
Opcode ID: 70071b3a12100e61eca742e342a6651e9f5f9d2650e5552dddd660f87e2661a8
Instruction ID: 76c8162c37db0e4ca3a5c79024b21f0acda3b10a9f294e8414c5f40284973d19
Opcode Fuzzy Hash: 70071b3a12100e61eca742e342a6651e9f5f9d2650e5552dddd660f87e2661a8
Instruction Fuzzy Hash: 2BC1D534901225DFDB24DF24D848BADB7B1FF25318F1842D9E8599B291DB31AE85CFA0

Function 00D26160 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,74DF18A0), ref: 00D261A3
PathFileExistsW.SHLWAPI(?), ref: 00D26270

Part of subcall function 00D41DCD: ___report_securityfailure.LIBCMT ref: 00D41DD2

Part of subcall function 00D262C0: FormatMessageW.KERNEL32(00002400,?,00000000,00000000,?,00000400,?,?,00D262B8,?), ref: 00D2631C
Part of subcall function 00D262C0: ExitProcess.KERNEL32 ref: 00D26358

Strings

\, xrefs: 00D261D3

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: File$ExistsExitFormatMessageModuleNamePathProcess___report_securityfailure
String ID: \
API String ID: 2526623405-2967466578
Opcode ID: e50e165a89059ebb6f03aaeb76198cbd6db79af248e4e5ee6e0af8c2c0e5dd10
Instruction ID: 5d8a73d8dbccabd0a3643522f2148cd334e0160b21e3ad7818f4d695c08d0911
Opcode Fuzzy Hash: e50e165a89059ebb6f03aaeb76198cbd6db79af248e4e5ee6e0af8c2c0e5dd10
Instruction Fuzzy Hash: 39319335900319DBDB20DF64EC89BEA73B4FF64305F4909A9E819D7241EA70EE448BB4

Function 00D2ED34 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00D2EE2C
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D2EE36
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00D2EE43

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cd0fd5314887fd29a919820390f03d15b2f94aa143996d3a0c96271ed323be5a
Instruction ID: 5f7bf6735572e55953b991dbdaf971e13e145c30338b8d3cdf8c80fbb906bcf6
Opcode Fuzzy Hash: cd0fd5314887fd29a919820390f03d15b2f94aa143996d3a0c96271ed323be5a
Instruction Fuzzy Hash: 3C31B47590122CABCB21DF64D889799BBB4FF18310F5045EAE81CA6260E7709B858F64

Function 00D38357 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00D3832D,00000003,00D527E0,0000000C,00D38484,00000003,00000002,00000000,?,00D38C28,00000003), ref: 00D38378
TerminateProcess.KERNEL32(00000000,?,00D3832D,00000003,00D527E0,0000000C,00D38484,00000003,00000002,00000000,?,00D38C28,00000003), ref: 00D3837F
ExitProcess.KERNEL32 ref: 00D38391

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f124ad5dda26fc48b2ba3992d0be6c0539982bc32326d66bd1da18dd32f1b909
Instruction ID: 8fd9fa24e320fb79daa9cd9ff2fcb9937d182c6e5c3ca7ef6a2173e2a8e19eec
Opcode Fuzzy Hash: f124ad5dda26fc48b2ba3992d0be6c0539982bc32326d66bd1da18dd32f1b909
Instruction Fuzzy Hash: 72E09235004348AFCB116F64D909A593B69EF45741F080514F905DA231DF75DD46EAB0

Function 00D35070 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6577380b73edbc4b63dbb8dd09a5e825a3226a4ce9f38be01e8e5c6190e2d4f
Instruction ID: 07967fdd111f5562f4b1c8eec02b40f05a15fb752c687db6967c833b457ef050
Opcode Fuzzy Hash: b6577380b73edbc4b63dbb8dd09a5e825a3226a4ce9f38be01e8e5c6190e2d4f
Instruction Fuzzy Hash: C3023D71E016199FDF18CFA9D8806AEB7F1FF48314F298169D819EB344D731AA418BA4

Function 00D27420 Relevance: 3.3, APIs: 2, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

GetLocaleInfoW.KERNEL32(?,00000059,-00000010,00000055,?,?,?,?,?,?), ref: 00D27498
GetLocaleInfoW.KERNEL32(00000055,0000005A,00000010,00000055,?,?,?,?,?,?), ref: 00D27521

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: InfoInit_thread_footerLocale$HeapProcess
String ID:
API String ID: 1688948774-0
Opcode ID: d8a2b072e8caf622a898955ea07d8d2daff796cc25cf207f0e952828248c29f3
Instruction ID: 902d6fca4c501121192002aed3bcd131f2bb727bb510355c53d42ec0ec988266
Opcode Fuzzy Hash: d8a2b072e8caf622a898955ea07d8d2daff796cc25cf207f0e952828248c29f3
Instruction Fuzzy Hash: 58A1C130A00A169FDB14DF68D894AAEF7B1FF54315F188269E501AB391DB35AD40CFB1

Function 00D3E27B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D3E276,?,?,00000008,?,?,00D3DE8B,00000000), ref: 00D3E4A8

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 756e61a6746402f6f40965048e00eb7c61413651fa870ae8449eed31ad99e4ae
Instruction ID: a250bc7488881f8c21ad8149e2631ec3d03a426ca907a2714cd41e5995711aaf
Opcode Fuzzy Hash: 756e61a6746402f6f40965048e00eb7c61413651fa870ae8449eed31ad99e4ae
Instruction Fuzzy Hash: AFB11731610609DFDB19CF28C48AB657BA0FF49365F298658E8DACF2E1C335E981CB50

Function 00D42428 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00032434,00D41F68), ref: 00D4242D

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2bb4f9bb5b2bccc48c255fdef3da659192d384df430040d3c113a0f0b842585f
Instruction ID: 1504e0cd157e88b6740dea9e94f6df8ba9fc4aff07086d1bc56667b8154841d5
Opcode Fuzzy Hash: 2bb4f9bb5b2bccc48c255fdef3da659192d384df430040d3c113a0f0b842585f
Instruction Fuzzy Hash:

Function 00D32EAF Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083147a5da8526bdb83dd6901ea744af8df62b964b145b96448c638da553af26
Instruction ID: 53567a4d71d1223348f14bdc06f14637210050473d10cc29b0fd30053fc5cddc
Opcode Fuzzy Hash: 083147a5da8526bdb83dd6901ea744af8df62b964b145b96448c638da553af26
Instruction Fuzzy Hash: EA616872E0070967DA389E6A4E96BBE63B4EF01744F1C451AF882DB291D611EE42C375

Function 00D12BA0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1677516f7373781ef9d4a44839d3ede3a2748da950797cbd942917065d14b12e
Instruction ID: c07b39908a6bfb4b846254f4b3027af614e3e7642a3a822fd0817a4eebfc261c
Opcode Fuzzy Hash: 1677516f7373781ef9d4a44839d3ede3a2748da950797cbd942917065d14b12e
Instruction Fuzzy Hash: EFF08C32648A489FD301CF28D844B55F7E8FB49724F1087AAE829C7B90EB35A8008A90

Function 00D22F10 Relevance: 37.2, APIs: 19, Strings: 2, Instructions: 484COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 00D22F89

Strings

..., xrefs: 00D22FFF
C, xrefs: 00D23174

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: IncrementInterlocked
String ID: ...$C
API String ID: 3508698243-3570410515
Opcode ID: e5506c1ae59b4ca40217bec64f341491c4f60b954fe30e3ce241c27d3cec9785
Instruction ID: c41dcdb2d496e9d3808e433691d53a541131a8267fd7e51ddfde5758d0a9f2ff
Opcode Fuzzy Hash: e5506c1ae59b4ca40217bec64f341491c4f60b954fe30e3ce241c27d3cec9785
Instruction Fuzzy Hash: A7129EB0A012199FDB20DF68DC98B99B7B8FF54314F0442E9E509A7291DB34AF84CF64

Function 00D1DA90 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 142registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted,00000000,00020006,00D1D8B5,?,8004000B,00000000), ref: 00D1DAB9
RegDeleteValueW.ADVAPI32(00000000,?,?,8004000B,00000000), ref: 00D1DACF
RegCloseKey.ADVAPI32(00000000,?,8004000B,00000000), ref: 00D1DAE7
RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers,00000000,00020006,00000000,?,8004000B,00000000), ref: 00D1DB12
RegDeleteValueW.ADVAPI32(00000000,?,?,8004000B,00000000), ref: 00D1DB22
RegCloseKey.ADVAPI32(00000000,?,8004000B,00000000), ref: 00D1DB3A
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers,00000000,00020006,00000000,?,8004000B,00000000), ref: 00D1DB65
RegDeleteValueW.ADVAPI32(00000000,?,?,8004000B,00000000), ref: 00D1DB75
RegCloseKey.ADVAPI32(00000000,?,8004000B,00000000), ref: 00D1DB8D
GetNativeSystemInfo.KERNEL32(?,?,8004000B,00000000), ref: 00D1DBA7
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers,00000000,00020106,00000000,?,8004000B,00000000), ref: 00D1DBDC
RegDeleteValueW.ADVAPI32(00000000,?,?,8004000B,00000000), ref: 00D1DBEA
RegCloseKey.ADVAPI32(00000000,?,8004000B,00000000), ref: 00D1DC02

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers, xrefs: 00D1DB08, 00D1DB5B, 00D1DBD2
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted, xrefs: 00D1DAAB

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CloseDeleteOpenValue$InfoNativeSystem
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted$SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
API String ID: 3037930393-3357135698
Opcode ID: 0014a6b6550e02b07a273b32bfd13daee3a862a762d4c42aa0a1ce4a34a58153
Instruction ID: 123b769b5c1067680a329812cfe5172c8f282c1854c2a9ed01cdc382c8ff9d92
Opcode Fuzzy Hash: 0014a6b6550e02b07a273b32bfd13daee3a862a762d4c42aa0a1ce4a34a58153
Instruction Fuzzy Hash: 8F41CA34A45314FBDF288AA9AD8ABEE76FBEF85301F144066F806E1160DB704D449670

Function 00D1D940 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted,00000000,00020019,00D1D8A6,?,8004000B,00000000), ref: 00D1D96F
RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?,8004000B,00000000), ref: 00D1D97D
RegCloseKey.ADVAPI32(00000000,?,8004000B,00000000), ref: 00D1D993
RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers,00000000,00020019,00000000,?,8004000B,00000000), ref: 00D1D9B5
RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?,8004000B,00000000), ref: 00D1D9C3
RegCloseKey.ADVAPI32(00000000,?,8004000B,00000000), ref: 00D1D9D9
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers,00000000,00020019,00000000,?,8004000B,00000000), ref: 00D1D9FB
RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?,8004000B,00000000), ref: 00D1DA09
RegCloseKey.ADVAPI32(00000000,?,8004000B,00000000), ref: 00D1DA1F
GetNativeSystemInfo.KERNEL32(?,?,8004000B,00000000), ref: 00D1DA30
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers,00000000,00020119,00000000,?,8004000B,00000000), ref: 00D1DA5C
RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?,8004000B,00000000), ref: 00D1DA6A
RegCloseKey.ADVAPI32(00000000,?,8004000B,00000000), ref: 00D1DA80

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers, xrefs: 00D1D9AB, 00D1D9F1, 00D1DA52
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted, xrefs: 00D1D95A

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CloseOpenQueryValue$InfoNativeSystem
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted$SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
API String ID: 3098212041-3357135698
Opcode ID: 99f382a3ab46edce2d2c64988b506e8ad9665b8f4e75d638b541ea8ae5926af6
Instruction ID: d4b7d81bff8a4ae234e9fb2b049ee73dac4172572b44f8a3cb845c22b80e5abd
Opcode Fuzzy Hash: 99f382a3ab46edce2d2c64988b506e8ad9665b8f4e75d638b541ea8ae5926af6
Instruction Fuzzy Hash: E8314B75A41318FFFB209FA19D49FFA7ABDEB09705F500055BD04E2190DB748E04AAB0

Function 00D1D360 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 415libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,70CDB3AB,?,?,?), ref: 00D1D3D5
GetProcAddress.KERNEL32(00000000,IsWow64Process2), ref: 00D1D403
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 00D1D421
GetProcAddress.KERNEL32(?,IsWow64GuestMachineSupported), ref: 00D1D469
FreeLibrary.KERNEL32(?), ref: 00D1D52A
GetModuleFileNameW.KERNEL32(00000000,?,00000100,?,?,?), ref: 00D1D58A
GetNativeSystemInfo.KERNEL32(?), ref: 00D1D5B0
EnterCriticalSection.KERNEL32(00D56B68), ref: 00D1D678
LeaveCriticalSection.KERNEL32(00D56B68), ref: 00D1D6F4
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,?), ref: 00D1D895

Strings

IsWow64Process2, xrefs: 00D1D3E9
Sony Corporation, xrefs: 00D1D73F, 00D1D78D
kernel32.dll, xrefs: 00D1D3C0
IsWow64GuestMachineSupported, xrefs: 00D1D457

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Module$AddressCriticalFileNameProcSection$CurrentEnterFreeHandleInfoLeaveLibraryNativeProcessSystem
String ID: IsWow64GuestMachineSupported$IsWow64Process2$Sony Corporation$kernel32.dll
API String ID: 4244204107-2597118593
Opcode ID: 9a1866619576bb4df56e6f95f0fd4c715a89fe9eda8ceab4fa9df4910cdc6a28
Instruction ID: cf12a35bd84a8a6e8d3fab37c04dd46cd1942e4ffc0799b6ec4384fab474e679
Opcode Fuzzy Hash: 9a1866619576bb4df56e6f95f0fd4c715a89fe9eda8ceab4fa9df4910cdc6a28
Instruction Fuzzy Hash: 9DF1B5B0A00215ABEB20DF64E884BE9B7B6FF15314F480199E949A7281DF74ADC4CF75

Function 00D14A80 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 110COMMON

Download Yara Rule

APIs

PathFindExtensionW.SHLWAPI(?,00000000,?,?,?,80070002,70CDB3AB,?), ref: 00D14AA5
CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,.exe,000000FF,?,80070002,70CDB3AB,?), ref: 00D14ACF
CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,.dll,000000FF,?,80070002,70CDB3AB,?), ref: 00D14AF8
CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,.sys,000000FF,?,80070002,70CDB3AB,?), ref: 00D14B21
CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,.cab,000000FF,?,80070002,70CDB3AB,?), ref: 00D14B42
CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,.ini,000000FF,?,80070002,70CDB3AB,?), ref: 00D14B63
CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,.msi,000000FF,?,80070002,70CDB3AB,?), ref: 00D14B84

Strings

.msi, xrefs: 00D14B6E, 00D14B78
.dll, xrefs: 00D14ADE, 00D14AEC
.ini, xrefs: 00D14B4D, 00D14B57
.sys, xrefs: 00D14B07, 00D14B15
.cab, xrefs: 00D14B2C, 00D14B36
.exe, xrefs: 00D14AB5, 00D14AC3

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CompareString$ExtensionFindPath
String ID: .cab$.dll$.exe$.ini$.msi$.sys
API String ID: 1827704098-1439086709
Opcode ID: 79d118c381862a39df4c3418b27e54485ee24d7f8c23bdff01f1467c9fb23ce0
Instruction ID: f17265734a9393a1335fc4444c8207b3bba0728ab3c898bb1598b3e048c66a2e
Opcode Fuzzy Hash: 79d118c381862a39df4c3418b27e54485ee24d7f8c23bdff01f1467c9fb23ce0
Instruction Fuzzy Hash: 3131A33174C381BBDB204B1CED49FAA35619B42734F3803A5B979A73E5CE7498848570

Function 00D23FC0 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 187libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

GetSystemDirectoryW.KERNEL32(00000010,00000105), ref: 00D2406D
LoadLibraryW.KERNEL32(00000000,Rstrtmgr.dll,0000000C), ref: 00D24142
GetProcAddress.KERNEL32(00000000,RmStartSession), ref: 00D2415B
GetProcAddress.KERNEL32(00000001,RmRegisterResources), ref: 00D24168
GetProcAddress.KERNEL32(00000001,RmGetList), ref: 00D24175
GetProcAddress.KERNEL32(00000001,RmEndSession), ref: 00D24182
FreeLibrary.KERNEL32(00000001), ref: 00D241C4

Strings

RmRegisterResources, xrefs: 00D2415D
RmEndSession, xrefs: 00D24177
Rstrtmgr.dll, xrefs: 00D24131
RmStartSession, xrefs: 00D24155
RmGetList, xrefs: 00D2416A

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: AddressProc$Init_thread_footerLibrary$DirectoryFreeHeapLoadProcessSystem
String ID: RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr.dll
API String ID: 4048991055-3940193402
Opcode ID: 94a41b03042874b25c6453a43f668d5a4b0bee60f8da2f605aca74274ed0783d
Instruction ID: 473ed6b470a2d3a359cf219aee8313d64154b4df37536cbd356cbefbccf903c7
Opcode Fuzzy Hash: 94a41b03042874b25c6453a43f668d5a4b0bee60f8da2f605aca74274ed0783d
Instruction Fuzzy Hash: DA71DD31900316DBEB11DF68D849BAEBBB1FF20318F084558E910AB2D5DBB59984CFB0

Function 00D38CA6 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00D38CEA

Part of subcall function 00D3B50E: _free.LIBCMT ref: 00D3B52B
Part of subcall function 00D3B50E: _free.LIBCMT ref: 00D3B53D
Part of subcall function 00D3B50E: _free.LIBCMT ref: 00D3B54F
Part of subcall function 00D3B50E: _free.LIBCMT ref: 00D3B561
Part of subcall function 00D3B50E: _free.LIBCMT ref: 00D3B573
Part of subcall function 00D3B50E: _free.LIBCMT ref: 00D3B585
Part of subcall function 00D3B50E: _free.LIBCMT ref: 00D3B597
Part of subcall function 00D3B50E: _free.LIBCMT ref: 00D3B5A9
Part of subcall function 00D3B50E: _free.LIBCMT ref: 00D3B5BB
Part of subcall function 00D3B50E: _free.LIBCMT ref: 00D3B5CD
Part of subcall function 00D3B50E: _free.LIBCMT ref: 00D3B5DF
Part of subcall function 00D3B50E: _free.LIBCMT ref: 00D3B5F1
Part of subcall function 00D3B50E: _free.LIBCMT ref: 00D3B603

_free.LIBCMT ref: 00D38CDF

Part of subcall function 00D359E0: RtlFreeHeap.NTDLL(00000000,00000000,?,00D3B6A3,00000105,00000000,00000105,00000000,?,00D3B6CA,00000105,00000007,00000105,?,00D38E3E,00000105), ref: 00D359F6
Part of subcall function 00D359E0: GetLastError.KERNEL32(00000105,?,00D3B6A3,00000105,00000000,00000105,00000000,?,00D3B6CA,00000105,00000007,00000105,?,00D38E3E,00000105,00000105), ref: 00D35A08

_free.LIBCMT ref: 00D38D01
_free.LIBCMT ref: 00D38D16
_free.LIBCMT ref: 00D38D21
_free.LIBCMT ref: 00D38D43
_free.LIBCMT ref: 00D38D56
_free.LIBCMT ref: 00D38D64
_free.LIBCMT ref: 00D38D6F
_free.LIBCMT ref: 00D38DA7
_free.LIBCMT ref: 00D38DAE
_free.LIBCMT ref: 00D38DCB
_free.LIBCMT ref: 00D38DE3

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9a4d76235b78ea379a7d9a1c4eedf1430ce15bfd7963dd64fcfd0495eb374271
Instruction ID: 73e2d45247f58c4576d3e1a003994301b01bbe392d6d708be3ac714126f029e0
Opcode Fuzzy Hash: 9a4d76235b78ea379a7d9a1c4eedf1430ce15bfd7963dd64fcfd0495eb374271
Instruction Fuzzy Hash: F4314931600B05DFEB21AA38F846B5AB3E8EF103A0F59442AF458D7195DF71AD90EB34

Function 00D2A160 Relevance: 16.6, APIs: 11, Instructions: 144timefileCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,00000000), ref: 00D2A188
SystemTimeToFileTime.KERNEL32(?,?,?,?,00000000), ref: 00D2A1A2
SystemTimeToFileTime.KERNEL32(?,?,?,?,00000000), ref: 00D2A1CE
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 00D2A1DE
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,00000000), ref: 00D2A1FD
GetFileTime.KERNEL32(00000000,00000000,00000000,?,?,?,00000000), ref: 00D2A216
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00D2A21D
FileTimeToSystemTime.KERNEL32(?,?,?,?,00000000), ref: 00D2A26D
SystemTimeToFileTime.KERNEL32(?,?,?,?,00000000), ref: 00D2A28B
FileTimeToLocalFileTime.KERNEL32(?,?,?,?,00000000), ref: 00D2A2E8
FileTimeToSystemTime.KERNEL32(?,?,?,?,00000000), ref: 00D2A2FB

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Time$File$System$CloseCreateHandleLocalModuleName
String ID:
API String ID: 730736748-0
Opcode ID: 3d86327bd285ab1c47736e61e83daa27212f8bc23b043da90e74c7d44c95fe4b
Instruction ID: 6fb1a2e4154344d60e74f765e3352579b3c72d33110ffc1c5b56787e1745d56b
Opcode Fuzzy Hash: 3d86327bd285ab1c47736e61e83daa27212f8bc23b043da90e74c7d44c95fe4b
Instruction Fuzzy Hash: 4B5109759013299BCB20DFA8DC88BD9B7B8FB19305F1411EAE509A6250DB34AF84CF65

Function 00D26630 Relevance: 16.2, APIs: 7, Strings: 2, Instructions: 445libraryloaderthreadCOMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00D2668E
LCMapStringW.KERNEL32(0000007F,00000100,?,00000000,?,00000000,00D45E41,00000001,?,?,00000000,?,00000000), ref: 00D26709
LCMapStringW.KERNEL32(0000007F,00000200,00D45E41,C3FFFCB5,00D45E41,C3FFFCB5), ref: 00D2675E
LCMapStringW.KERNEL32(0000007F,00000100,00000000,?,00000000,?,70CDB3AB,?,?,00000000), ref: 00D2690F
GetModuleHandleW.KERNEL32(kernel32.dll,70CDB3AB,00000010,00000010,00000000,00000010,00000010,00000000,?,00000000,00D45F00,000000FF,?,00D220A0,?), ref: 00D269BB
GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 00D269CF
GetThreadLocale.KERNEL32(?,00000000,00D45F00,000000FF,?,00D220A0,?,?,00D4D2B8,00000000), ref: 00D26A6A

Strings

GetThreadPreferredUILanguages, xrefs: 00D269C9
kernel32.dll, xrefs: 00D269A8

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: String$AddressHandleLocaleModuleProcThread_wcschr
String ID: GetThreadPreferredUILanguages$kernel32.dll
API String ID: 44655413-1646127487
Opcode ID: 825ab30476ee240535b01c111ce95579ccbfd660805795781cc6b34182bcce02
Instruction ID: 56f624f909e48aa191b4641aa43f3a26928de2cc5c9795410a156054dad8b9c0
Opcode Fuzzy Hash: 825ab30476ee240535b01c111ce95579ccbfd660805795781cc6b34182bcce02
Instruction Fuzzy Hash: BCF1BE71A002169FDB14DF68D885BAEF7B5EF55324F188269E811EB291DB30ED44CBB0

Function 00D2CEC0 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 309comCOMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000000), ref: 00D2CEEC
CoCreateInstance.COMBASE(00D4FB6C,00000000,00000001,00D474AC,00000000), ref: 00D2CF25
EnterCriticalSection.KERNEL32(00D56B68), ref: 00D2D06F
LeaveCriticalSection.KERNEL32(00D56B68), ref: 00D2D0DB
EnterCriticalSection.KERNEL32 ref: 00D2D111
LeaveCriticalSection.KERNEL32(00D56B68), ref: 00D2D187

Strings

Manufacturer, xrefs: 00D2D048
Model, xrefs: 00D2D0E8
\\.\root\CIMV2, xrefs: 00D2CF35

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CreateInitializeInstance
String ID: Manufacturer$Model$\\.\root\CIMV2
API String ID: 3488008144-3560815201
Opcode ID: 7449a3664f0fbcc5c9003373f4fd86bd16322ae69cb63c4f887f34a961946947
Instruction ID: 3bf88237aca032657633810e9240f9da0d8d88ae017681fba5efb1267e246c09
Opcode Fuzzy Hash: 7449a3664f0fbcc5c9003373f4fd86bd16322ae69cb63c4f887f34a961946947
Instruction Fuzzy Hash: E4B1BA70A003169FDB10CFA8D858BAEBBB6EF55319F284168E911EB391CB71D904CB71

Function 00D25F40 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 160libraryloaderCOMMON

Download Yara Rule

APIs

SetDllDirectoryW.KERNEL32(00D4D2B8), ref: 00D25F7A
GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D25FA2
GetVersionExW.KERNEL32(?), ref: 00D26044
GetModuleHandleW.KERNEL32(?), ref: 00D2604D
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D2605D
GetVersionExW.KERNEL32(?), ref: 00D260B7

Strings

SetDefaultDllDirectories, xrefs: 00D26057
\, xrefs: 00D25FC0
kernel32.dll, xrefs: 00D25FEC

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: DirectoryVersion$AddressHandleModuleProcSystem
String ID: SetDefaultDllDirectories$\$kernel32.dll
API String ID: 1445527400-3881611067
Opcode ID: d64b2f801104d7e729b0f03bf445466cdf10db675dd96e267ccdfc93ddb3ee04
Instruction ID: d99bf1567e5dacc848554f44896b31f2386f7e24af949e7aee58ab89f42d4dad
Opcode Fuzzy Hash: d64b2f801104d7e729b0f03bf445466cdf10db675dd96e267ccdfc93ddb3ee04
Instruction Fuzzy Hash: 7F510474D44329AFDF209F64EC49B9AB7A8FF20708F0444A5E909D3281E774EA44CBB1

Function 00D208F0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00D20910
GetWindow.USER32(00000000,00000004), ref: 00D20935
GetWindowRect.USER32(?,?), ref: 00D20948
GetWindowLongW.USER32(00000000,000000F0), ref: 00D2095C
MonitorFromWindow.USER32(?,00000002), ref: 00D20974
GetMonitorInfoW.USER32(00000000,?), ref: 00D2098C
GetWindowRect.USER32(00000000,?), ref: 00D209B6
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 00D20A9A

Strings

(, xrefs: 00D20982

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Window$LongMonitorRect$FromInfo
String ID: (
API String ID: 2882702216-3887548279
Opcode ID: 817630538e2d3a3356769dc014769d55dcdeac334044b273a378d4a0f0909fdc
Instruction ID: 4e179f14ec605f6dd4bb84411c94622bd6fa724aa4f12dbf69b4c2afbf11a614
Opcode Fuzzy Hash: 817630538e2d3a3356769dc014769d55dcdeac334044b273a378d4a0f0909fdc
Instruction Fuzzy Hash: 7451BE325087119FD711CF28DC09A1BBBE9FB98725F580619F885E32A5DB70ED44CBA2

Function 00D2BC20 Relevance: 15.1, APIs: 10, Instructions: 95synchronizationthreadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,70CDB3AB,?,?,?,00D44B30,000000FF), ref: 00D2BC54
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,70CDB3AB), ref: 00D2BC60
WaitForSingleObject.KERNEL32(?,00002710,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D2BC75
TerminateThread.KERNEL32(?,80004004,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D2BC8A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,70CDB3AB), ref: 00D2BC98
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,70CDB3AB), ref: 00D2BCBD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,70CDB3AB), ref: 00D2BCCE
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,70CDB3AB), ref: 00D2BCDF
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,70CDB3AB), ref: 00D2BCF0
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,70CDB3AB), ref: 00D2BD05

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CloseHandle$Event$CriticalDeleteObjectSectionSingleTerminateThreadWait
String ID:
API String ID: 559389250-0
Opcode ID: 2ab5aec6705c4f90ae73698142d3704c51ec7e0dd32c33600cadf50b8360f5f4
Instruction ID: b856d1ffc0a477696e9231efa9846117e7ab72c7f0e15c5c31a9fefe78f04360
Opcode Fuzzy Hash: 2ab5aec6705c4f90ae73698142d3704c51ec7e0dd32c33600cadf50b8360f5f4
Instruction Fuzzy Hash: E1317A70604B449BD7209F7AD944B57F7E8FF11728F080A1EE886C3B90DBB4E804CA60

Function 00D3579D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D357B1

Part of subcall function 00D359E0: RtlFreeHeap.NTDLL(00000000,00000000,?,00D3B6A3,00000105,00000000,00000105,00000000,?,00D3B6CA,00000105,00000007,00000105,?,00D38E3E,00000105), ref: 00D359F6
Part of subcall function 00D359E0: GetLastError.KERNEL32(00000105,?,00D3B6A3,00000105,00000000,00000105,00000000,?,00D3B6CA,00000105,00000007,00000105,?,00D38E3E,00000105,00000105), ref: 00D35A08

_free.LIBCMT ref: 00D357BD
_free.LIBCMT ref: 00D357C8
_free.LIBCMT ref: 00D357D3
_free.LIBCMT ref: 00D357DE
_free.LIBCMT ref: 00D357E9
_free.LIBCMT ref: 00D357F4
_free.LIBCMT ref: 00D357FF
_free.LIBCMT ref: 00D3580A
_free.LIBCMT ref: 00D35818

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4b5d2b2e0bf0fb4d764771599d277bf64c56846dd9f8efa6120d78828f91fa4a
Instruction ID: 709474b37edefcf80fcebf3ec9a2dfb7c4fdd846e87a3779681096d88d80ea4c
Opcode Fuzzy Hash: 4b5d2b2e0bf0fb4d764771599d277bf64c56846dd9f8efa6120d78828f91fa4a
Instruction Fuzzy Hash: 0E117476510508EFCB01EF54E942DDA3BA5EF043A0F9640A5BA488B226DA31DF60DFB0

Function 00D20850 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 169COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00D558B4,00000000,00D2BB15,?,?,?,?,?,?,?,?,?,80004005,80004005,80004005,70CDB3AB), ref: 00D208CE
GetWindowLongW.USER32(?,000000F0), ref: 00D20910
GetWindowRect.USER32(?,?), ref: 00D20948
GetWindowLongW.USER32(00000000,000000F0), ref: 00D2095C
MonitorFromWindow.USER32(?,00000002), ref: 00D20974
GetMonitorInfoW.USER32(00000000,?), ref: 00D2098C

Strings

(, xrefs: 00D20982

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Window$LongMonitor$CriticalDeleteFromInfoRectSection
String ID: (
API String ID: 1644989510-3887548279
Opcode ID: 44a2e471d39bd8f7d70960316942da67ab3deff5dd12f6883f479bfd38cdf4ed
Instruction ID: 0c1c278e1522574d7c763aaa60b7567f63b9df7e5132d697c3b41be432b24d25
Opcode Fuzzy Hash: 44a2e471d39bd8f7d70960316942da67ab3deff5dd12f6883f479bfd38cdf4ed
Instruction Fuzzy Hash: 3A51DE32504721CFD721DF28ED49A1ABBE4FB98755F580618F884E73A5DB70EC448BA2

Function 00D22920 Relevance: 13.8, APIs: 9, Instructions: 277windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

IsWindow.USER32(?), ref: 00D22C15
SetForegroundWindow.USER32(?), ref: 00D22C22
SendMessageW.USER32(?,00000408,00000000,00000000), ref: 00D22C7D
SendMessageW.USER32(?,00000402,00000064,00000000), ref: 00D22C90
SendMessageW.USER32(?,00000410,00000002,00000000), ref: 00D22C9E
SetDlgItemTextW.USER32(?,000003F3,?), ref: 00D22CB8
SetDlgItemTextW.USER32(?,00000002,?), ref: 00D22CF6

Part of subcall function 00D18780: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,00D45778), ref: 00D187BE
Part of subcall function 00D18780: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00D18809

IsWindow.USER32(?), ref: 00D22D2B
SetForegroundWindow.USER32(?), ref: 00D22D38

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Window$MessageSend$FindForegroundInit_thread_footerItemResourceText$HeapProcess
String ID:
API String ID: 492539667-0
Opcode ID: a905ae4887016b7170df5f032a0f36f8d86c0a80dfabcd4f17208f6f77529b20
Instruction ID: 7cd5f09ed9bfcc3525009efb978411779cac5241187f6e82667a514b83ff365f
Opcode Fuzzy Hash: a905ae4887016b7170df5f032a0f36f8d86c0a80dfabcd4f17208f6f77529b20
Instruction Fuzzy Hash: 44B1C230600645FBDB01DF68DC49BADBBA0EF11315F188198F955AB2A2CBB1DE44CBB0

Function 00D26960 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 151libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,70CDB3AB,00000010,00000010,00000000,00000010,00000010,00000000,?,00000000,00D45F00,000000FF,?,00D220A0,?), ref: 00D269BB
GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 00D269CF
GetThreadLocale.KERNEL32(?,00000000,00D45F00,000000FF,?,00D220A0,?,?,00D4D2B8,00000000), ref: 00D26A6A

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

Part of subcall function 00D27420: GetLocaleInfoW.KERNEL32(?,00000059,-00000010,00000055,?,?,?,?,?,?), ref: 00D27498
Part of subcall function 00D27420: GetLocaleInfoW.KERNEL32(00000055,0000005A,00000010,00000055,?,?,?,?,?,?), ref: 00D27521

Strings

GetUserPreferredUILanguages, xrefs: 00D26B89
en-US, xrefs: 00D26F31
GetThreadPreferredUILanguages, xrefs: 00D269C9
kernel32.dll, xrefs: 00D269A8, 00D26B68

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Locale$InfoInit_thread_footer$AddressHandleHeapModuleProcProcessThread
String ID: GetThreadPreferredUILanguages$GetUserPreferredUILanguages$en-US$kernel32.dll
API String ID: 158005059-2515003104
Opcode ID: 531cf09026f9e115821e3e09a63fb7844a9a7af7f7dff6e066c825d144e1ca40
Instruction ID: 6f02f678c2d4065d136ebe09d6e818d18243949337738ddbc72b1f7ff3555ac7
Opcode Fuzzy Hash: 531cf09026f9e115821e3e09a63fb7844a9a7af7f7dff6e066c825d144e1ca40
Instruction Fuzzy Hash: A951E571A00316AFDB10DFA4E845BAFB7A9FF51314F188129E915A7281DB71ED04CBB1

Function 00D14BE0 Relevance: 12.4, APIs: 8, Instructions: 362fileCOMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000010), ref: 00D14D8E
PathIsDirectoryW.SHLWAPI(00000010), ref: 00D14D9F
SHCreateDirectoryExW.SHELL32(?,00000010,00000000,?,00000001,?), ref: 00D14E38
CreateFileW.KERNEL32(00000010,C0000000,00000000,00000000,00000002,00000080,00000000,?,00000001,?), ref: 00D14E5A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D14E6E
SetEndOfFile.KERNEL32(00000000), ref: 00D14E75
CloseHandle.KERNEL32(00000000), ref: 00D14E7C
PathFileExistsW.SHLWAPI(00000010), ref: 00D14E83

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: File$Path$CreateDirectoryExists$CloseHandlePointer
String ID:
API String ID: 1363924364-0
Opcode ID: 6da37d6d5f7df1eaac62015c21b8746d0aac7893b08bd045f41c916a28f4b8d1
Instruction ID: a81112029b17ab3c9934e9cea22b9b42160a6972ee732a6bbf68cff4c74e7a9f
Opcode Fuzzy Hash: 6da37d6d5f7df1eaac62015c21b8746d0aac7893b08bd045f41c916a28f4b8d1
Instruction Fuzzy Hash: 74D1B130A00605AFDB10DF68E884BEEB7B5FF55324F188268E415AB291DB70DD85CBB0

Function 00D28E50 Relevance: 12.3, APIs: 8, Instructions: 321COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,00000000,000000FF), ref: 00D28F2E
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,?,000000FF), ref: 00D28F50
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,00000000,000000FF), ref: 00D28F8A
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,00000000,000000FF), ref: 00D28FAB

Part of subcall function 00D297C0: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,00000000,000000FF,00000000,?,?,?,?,?,?,?,80004005), ref: 00D29847

CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,?,000000FF), ref: 00D28FEE
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,?,000000FF), ref: 00D29013
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,?,000000FF), ref: 00D2906A
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,?,000000FF), ref: 00D2908F

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: fc59ecdb246c8e8d81a84e2dcf6d3796052d238700e0ebc4b2445e5ea884897f
Instruction ID: b090c13b523b17558f4bf4071cd2425a6988c1eab58899d1d68650a716be79db
Opcode Fuzzy Hash: fc59ecdb246c8e8d81a84e2dcf6d3796052d238700e0ebc4b2445e5ea884897f
Instruction Fuzzy Hash: 26B19275A05125ABDF14CF58DD9097DF7A6AFA5328F284369F822A73C4DB70AD00C670

Function 00D2CDF0 Relevance: 12.1, APIs: 8, Instructions: 62synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00D2CE1D
GetCurrentProcess.KERNEL32(00000000), ref: 00D2CE2A
DuplicateHandle.KERNEL32(00000000), ref: 00D2CE31
CreateThread.KERNEL32(00000000,00000000,00D2CEC0,00000000,00000000,?), ref: 00D2CE51
GetLastError.KERNEL32 ref: 00D2CE5A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00D2CE79
GetLastError.KERNEL32 ref: 00D2CE83
CloseHandle.KERNEL32(00000000), ref: 00D2CEA0

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CurrentErrorHandleLastProcess$CloseCreateDuplicateObjectSingleThreadWait
String ID:
API String ID: 3681073619-0
Opcode ID: a6ced7efc2b635edfd4b56c63293570d50ee2f0765372027ec1a27256065471e
Instruction ID: 357dcc71162951e8cfce04b3c2154444a7c264c6ebb3a5c4c4d8a36728e055de
Opcode Fuzzy Hash: a6ced7efc2b635edfd4b56c63293570d50ee2f0765372027ec1a27256065471e
Instruction Fuzzy Hash: 72216774A05308AFEB248FA0EC09B6D3BB9AB25306F544198F905D73E0E7719D00CB74

Function 00D302E1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000010,00000000,?,?,?,?,?,?,?,00D30A56,?,00000000,00000010,00000000,00000000), ref: 00D30323
__fassign.LIBCMT ref: 00D3039E
__fassign.LIBCMT ref: 00D303B9
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000010,00000005,00000000,00000000), ref: 00D303DF
WriteFile.KERNEL32(?,00000010,00000000,00D30A56,00000000,?,?,?,?,?,?,?,?,?,00D30A56,?), ref: 00D303FE
WriteFile.KERNEL32(?,?,00000001,00D30A56,00000000,?,?,?,?,?,?,?,?,?,00D30A56,?), ref: 00D30437

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e93aa382a857f4cae6bfc9590dfa0b4d37133973488bba5007cad4e9c890214a
Instruction ID: 9bff1e148eb7bd4b493515db6d5184c79fdc8e32faddc28b2c5bc8d2058e56df
Opcode Fuzzy Hash: e93aa382a857f4cae6bfc9590dfa0b4d37133973488bba5007cad4e9c890214a
Instruction Fuzzy Hash: FA517F71E002499FCB10CFA8D895AEEBBF8EF09310F18455AEA55E7291D7709A41CB70

Function 00D3F840 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D3F86B
___except_validate_context_record.LIBVCRUNTIME ref: 00D3F873
_ValidateLocalCookies.LIBCMT ref: 00D3F901
__IsNonwritableInCurrentImage.LIBCMT ref: 00D3F92C
_ValidateLocalCookies.LIBCMT ref: 00D3F981

Strings

csm, xrefs: 00D3F916

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: dcbc7ab7cb47e180f1e6bd2567a7d80c583b2f8a3f0b488f406e615cd9274be4
Instruction ID: b082ea01f903c5e2c17f4038a3e843f587d72754d8891f622af8772c607289bb
Opcode Fuzzy Hash: dcbc7ab7cb47e180f1e6bd2567a7d80c583b2f8a3f0b488f406e615cd9274be4
Instruction Fuzzy Hash: 4A418275E0030DABCF14DF68C844A9EBBB5EF45324F188165E9189B392D731EA55CBB0

Function 00D3B6B1 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D3B675: _free.LIBCMT ref: 00D3B69E

_free.LIBCMT ref: 00D3B6FF

Part of subcall function 00D359E0: RtlFreeHeap.NTDLL(00000000,00000000,?,00D3B6A3,00000105,00000000,00000105,00000000,?,00D3B6CA,00000105,00000007,00000105,?,00D38E3E,00000105), ref: 00D359F6
Part of subcall function 00D359E0: GetLastError.KERNEL32(00000105,?,00D3B6A3,00000105,00000000,00000105,00000000,?,00D3B6CA,00000105,00000007,00000105,?,00D38E3E,00000105,00000105), ref: 00D35A08

_free.LIBCMT ref: 00D3B70A
_free.LIBCMT ref: 00D3B715
_free.LIBCMT ref: 00D3B769
_free.LIBCMT ref: 00D3B774
_free.LIBCMT ref: 00D3B77F
_free.LIBCMT ref: 00D3B78A

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e9b08168233b1a37d51ad6ce9417977ce59fca0c8bd4effaac19f4f1c359b236
Instruction ID: 5c99d4d9f5aad46404b7027580aaafd1bf62bf6376a4a5dd6f26472484a46a35
Opcode Fuzzy Hash: e9b08168233b1a37d51ad6ce9417977ce59fca0c8bd4effaac19f4f1c359b236
Instruction Fuzzy Hash: 63112171540B08FAE520B7B0DC47FCB779CDF04764F844856B3996A057DB65B9148BB0

Function 00D255A0 Relevance: 9.3, APIs: 6, Instructions: 309COMMON

Download Yara Rule

APIs

__dtol3.LIBCMT ref: 00D255D2
__dtol3.LIBCMT ref: 00D2562E
__dtol3.LIBCMT ref: 00D25640
__dtol3.LIBCMT ref: 00D2570D
__dtol3.LIBCMT ref: 00D2571F

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: __dtol3
String ID:
API String ID: 148231140-0
Opcode ID: 68f0746eec6a068ba6d46c3a961596a888d1a76934460aa2926a96ae41d3b940
Instruction ID: 84d72100a2d03c422f630cb503c4638583e4a2ebc8a19dbe2a722a8fa89464dd
Opcode Fuzzy Hash: 68f0746eec6a068ba6d46c3a961596a888d1a76934460aa2926a96ae41d3b940
Instruction Fuzzy Hash: 38A1C471600B159FD724DF39E840A2AB7E5EF59324B18872DE85A977A5E730F880CB70

Function 00D21F80 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 482comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

CoInitializeEx.COMBASE(00000000,00000002), ref: 00D21FF2
CoCreateInstance.COMBASE(00D4FCA8,00000000,00000017,00D4FC98,00000000), ref: 00D2204B

Strings

Title, xrefs: 00D22139
Message, xrefs: 00D22163
MessageInfo/, xrefs: 00D220D3

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Init_thread_footer$CreateHeapInitializeInstanceProcess
String ID: Message$MessageInfo/$Title
API String ID: 3177609248-2381594295
Opcode ID: 5eef45f38e8de3c1be254c9ed47acf2935153547733b194dcf6c07f679a3a85d
Instruction ID: e42f2a46f68e4fc5c404d541c0fdfcff7b4cf08ecb270c25e44a1b2f25aa7d2e
Opcode Fuzzy Hash: 5eef45f38e8de3c1be254c9ed47acf2935153547733b194dcf6c07f679a3a85d
Instruction Fuzzy Hash: 1702B070A00215EFDB04DFA8D894BAEBBB4EF65318F18815CE811AB291DB75AD05CB70

Function 00D39DCA Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D332F9,00D332F9,?,?,?,00D3A01B,00000001,00000001,6FE85006), ref: 00D39E24
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D3A01B,00000001,00000001,6FE85006,?,?,?), ref: 00D39EAA
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,6FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D39FA4
__freea.LIBCMT ref: 00D39FB1

Part of subcall function 00D36357: RtlAllocateHeap.NTDLL(00000000,00D42D2F,?,?,00D41564,?,?,?,?,?,00D42CC0,00D42D2F,?,?,?,?), ref: 00D36389

__freea.LIBCMT ref: 00D39FBA
__freea.LIBCMT ref: 00D39FDF

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 67a11612f21d7c0c27176585c36981eabde0678d9b1ec7f0d947b75399043e0f
Instruction ID: 1f618e948bb3010d27f240c477b3bfdfda7307bc62629c3cfaba8db6285d5eed
Opcode Fuzzy Hash: 67a11612f21d7c0c27176585c36981eabde0678d9b1ec7f0d947b75399043e0f
Instruction Fuzzy Hash: 2151D0B2610216ABDB259F64CC91EBBF7AAEF40750F294628FD05D6244EBB4DC40C6B0

Function 00D23B10 Relevance: 9.2, APIs: 6, Instructions: 165threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00D558B4,?,00000010,?,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D23BEE
GetCurrentThreadId.KERNEL32 ref: 00D23BFE
LeaveCriticalSection.KERNEL32(00D558B4,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D23C2E
GetCurrentProcess.KERNEL32(?,0000000D,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D23C7E
FlushInstructionCache.KERNEL32(00000000,?,?,80004005,80004005,?,00D230FB,?,000000A0,?,?), ref: 00D23C85
SetWindowLongW.USER32(?,00000004,?), ref: 00D23C95

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CriticalCurrentSection$CacheEnterFlushInstructionLeaveLongProcessThreadWindow
String ID:
API String ID: 3823208529-0
Opcode ID: 594f758285fb91aa9af746211d6b89859b75f33fb722e5837c356a8f5d19bbc8
Instruction ID: 82a92dc464457f4bb25929a284e3ee1645d9d3779d6a1026ac10b04665915c10
Opcode Fuzzy Hash: 594f758285fb91aa9af746211d6b89859b75f33fb722e5837c356a8f5d19bbc8
Instruction Fuzzy Hash: FA511432601715AFCB10DF68E844A5ABBA4FF45324B08852AFD55DB350DB30ED00CBB0

Function 00D401F1 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D401E8,00D3E9B0), ref: 00D401FF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D4020D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D40226
SetLastError.KERNEL32(00000000,?,00D401E8,00D3E9B0), ref: 00D40278

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5efa4b951d605ae81e0e5b84453d7ef33db6253dcde3634a1e36566a977325ba
Instruction ID: aefeb495e83525c06590cd90e69e59038e89e63033415e168d692ed9a114c34c
Opcode Fuzzy Hash: 5efa4b951d605ae81e0e5b84453d7ef33db6253dcde3634a1e36566a977325ba
Instruction Fuzzy Hash: B801D436109712AFAB2536787CCD96A2F84EB02775B24023DF610D66E4EFB19C40A174

Function 00D35891 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D33950,00D52678,00000010), ref: 00D35895
_free.LIBCMT ref: 00D358C8
_free.LIBCMT ref: 00D358F0
SetLastError.KERNEL32(00000000), ref: 00D358FD
SetLastError.KERNEL32(00000000), ref: 00D35909
_abort.LIBCMT ref: 00D3590F

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d1797b10f6a190724681fad8aff96d323a62be0e6684c04846e63e0bf0e9bd6a
Instruction ID: 80b3a6465eaa84038181b46e1cf3920ebcf8f2abcef7ee66b1b9e5e9ba989021
Opcode Fuzzy Hash: d1797b10f6a190724681fad8aff96d323a62be0e6684c04846e63e0bf0e9bd6a
Instruction Fuzzy Hash: CDF0C23A248F01ABD6123734BC0AF1A2A69DFD2772F290624F914D32DAFF20CD029571

Function 00D1F960 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D20690: GetModuleHandleW.KERNEL32(Advapi32.dll,?,000000BC,00000000,?,?,00D1F996,80000002,SOFTWARE\Sony Corporation\VAIO update,00020019,000000BC), ref: 00D206B4
Part of subcall function 00D20690: RegCloseKey.ADVAPI32(00000000,?,000000BC,00000000,?,?,00D1F996,80000002,SOFTWARE\Sony Corporation\VAIO update,00020019,000000BC), ref: 00D20717

RegQueryValueExW.ADVAPI32(00000000,SilentExecution,00000000,?,?,?,80000002,SOFTWARE\Sony Corporation\VAIO update,00020019,000000BC), ref: 00D1F9BB
RegCloseKey.ADVAPI32(00000000), ref: 00D1F9C6
RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Sony Corporation\VAIO update,00020019,000000BC), ref: 00D1F9E1

Strings

SOFTWARE\Sony Corporation\VAIO update, xrefs: 00D1F96D
SilentExecution, xrefs: 00D1F9B5

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Close$HandleModuleQueryValue
String ID: SOFTWARE\Sony Corporation\VAIO update$SilentExecution
API String ID: 2971604672-3095134017
Opcode ID: a73c00c0017f7b0bff7a604b26312e224dc3e8a18ebbc1850cd2cd7993da12d2
Instruction ID: f8044a608e4ef1ef64ce1e965cd507bdc63be43a5d6d6ee9c3017b9e76ac7d4b
Opcode Fuzzy Hash: a73c00c0017f7b0bff7a604b26312e224dc3e8a18ebbc1850cd2cd7993da12d2
Instruction Fuzzy Hash: BA015E75D42228BFDB10AFA49C46BEFBBBCAF05705F100156E901B7241DB745A488AF1

Function 00D383DC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D3838D,00000003,?,00D3832D,00000003,00D527E0,0000000C,00D38484,00000003,00000002), ref: 00D383FC
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D3840F
FreeLibrary.KERNEL32(00000000,?,?,?,00D3838D,00000003,?,00D3832D,00000003,00D527E0,0000000C,00D38484,00000003,00000002,00000000), ref: 00D38432

Strings

mscoree.dll, xrefs: 00D383F5
CorExitProcess, xrefs: 00D38407

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 705088d4b9f8065be4fe72d338db6023d5bd0e577bd8556bec6124878f16f37a
Instruction ID: 7bb1f1042cf840ae04e1fb215fd9fce1ad43c4931cbcd044aa5fcf21e4ef00f6
Opcode Fuzzy Hash: 705088d4b9f8065be4fe72d338db6023d5bd0e577bd8556bec6124878f16f37a
Instruction Fuzzy Hash: 4CF04F34A05318BFCB11AF91DC59B9EBFB5EB05752F0441A4F805E22A0CB709984DAB0

Function 00D2C7F0 Relevance: 7.6, APIs: 5, Instructions: 122COMMON

Download Yara Rule

APIs

Part of subcall function 00D11910: GetProcessHeap.KERNEL32(?,?,00000000), ref: 00D1193C
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D11967
Part of subcall function 00D11910: __Init_thread_footer.LIBCMT ref: 00D119E5

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00D2C87D
OpenProcess.KERNEL32(00001010,00000000,?), ref: 00D2C88C
OpenProcess.KERNEL32(00000400,00000000,?), ref: 00D2C89B
OpenProcess.KERNEL32(00001000,00000000,?), ref: 00D2C8AA
CloseHandle.KERNEL32(00000000,?,?), ref: 00D2C90B

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Process$Open$Init_thread_footer$CloseHandleHeap
String ID:
API String ID: 2529047482-0
Opcode ID: 04bda7e630de7ab769f8d31685375f3a0baafc7000aeea6e7e7f56aaeb28054c
Instruction ID: 2899ce8d097421428100bb8f9df5c54a53d552dd6fef77122698261fd1f82f29
Opcode Fuzzy Hash: 04bda7e630de7ab769f8d31685375f3a0baafc7000aeea6e7e7f56aaeb28054c
Instruction Fuzzy Hash: DF31E971940229ABDB219F54DC59FEEB7B8FF48714F4401A9F908E7280DB709E808AB4

Function 00D35915 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00D2EFDC,00D33BC6,?,?,?,00D26001,?,00000105,kernel32.dll,00000104), ref: 00D3591A
_free.LIBCMT ref: 00D3594F
_free.LIBCMT ref: 00D35976
SetLastError.KERNEL32(00000000,00000105,kernel32.dll,00000104), ref: 00D35983
SetLastError.KERNEL32(00000000,00000105,kernel32.dll,00000104), ref: 00D3598C

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 99225b312e80dff97eca6a9e1a40dff492ddc7cc907e935c4531599def0c25ab
Instruction ID: 247fdc67ec03696a89f97313f00e3988b09703f52c0350f57f4db6b88db2193e
Opcode Fuzzy Hash: 99225b312e80dff97eca6a9e1a40dff492ddc7cc907e935c4531599def0c25ab
Instruction Fuzzy Hash: EC01F436204F00FBC60227347C46F2B2669EBD17B2F290524F915D229AEF20CC054930

Function 00D3B60C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D3B624

Part of subcall function 00D359E0: RtlFreeHeap.NTDLL(00000000,00000000,?,00D3B6A3,00000105,00000000,00000105,00000000,?,00D3B6CA,00000105,00000007,00000105,?,00D38E3E,00000105), ref: 00D359F6
Part of subcall function 00D359E0: GetLastError.KERNEL32(00000105,?,00D3B6A3,00000105,00000000,00000105,00000000,?,00D3B6CA,00000105,00000007,00000105,?,00D38E3E,00000105,00000105), ref: 00D35A08

_free.LIBCMT ref: 00D3B636
_free.LIBCMT ref: 00D3B648
_free.LIBCMT ref: 00D3B65A
_free.LIBCMT ref: 00D3B66C

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c7216eac94f9206d6604a5577df04fb717c5233f000e2687e4f81f26b6f92016
Instruction ID: 9c9c2a0930dc07d047fa9400af792cc98178d4d6c09ca2546f1fd427a9c19e30
Opcode Fuzzy Hash: c7216eac94f9206d6604a5577df04fb717c5233f000e2687e4f81f26b6f92016
Instruction Fuzzy Hash: 73F01232504B04EB8625EB54F993D1A77D9EA04771F9D0806F549DB616CB30FD804BB8

Function 00D1FDF0 Relevance: 7.5, APIs: 5, Instructions: 37threadsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 00D1FE01
WaitForSingleObject.KERNEL32(?,00002710), ref: 00D1FE14
GetExitCodeThread.KERNEL32(?,00000000), ref: 00D1FE25
TerminateThread.KERNEL32(?,00000000), ref: 00D1FE3A
CloseHandle.KERNEL32(?), ref: 00D1FE48

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Thread$CloseCodeEventExitHandleObjectSingleTerminateWait
String ID:
API String ID: 1204855442-0
Opcode ID: 8e8a5e89fba283afd62f1bc9ee8ea79ade35d42713a6d8890e821bad715de14f
Instruction ID: 39f499f5f83786bd8508f480bb478dc61e26eb6d15cc8742573fa438fb0aca6c
Opcode Fuzzy Hash: 8e8a5e89fba283afd62f1bc9ee8ea79ade35d42713a6d8890e821bad715de14f
Instruction Fuzzy Hash: 3BF01478604304EFDB308FA5EC08B9BBBF9EB05300F144969F946D2261EB71ED549AA0

Function 00D437FA Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D43818

Part of subcall function 00D359E0: RtlFreeHeap.NTDLL(00000000,00000000,?,00D3B6A3,00000105,00000000,00000105,00000000,?,00D3B6CA,00000105,00000007,00000105,?,00D38E3E,00000105), ref: 00D359F6
Part of subcall function 00D359E0: GetLastError.KERNEL32(00000105,?,00D3B6A3,00000105,00000000,00000105,00000000,?,00D3B6CA,00000105,00000007,00000105,?,00D38E3E,00000105,00000105), ref: 00D35A08

_free.LIBCMT ref: 00D4382A
_free.LIBCMT ref: 00D4383D
_free.LIBCMT ref: 00D4384E
_free.LIBCMT ref: 00D4385F

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6dfd9f185c38dd7616b3830091acdad813321b1ac1bd80c141e28df9e7fd267e
Instruction ID: 32417b9babb4d192c5c9b9dd269599b954cc48d79b7fd342a68020f349ebbccd
Opcode Fuzzy Hash: 6dfd9f185c38dd7616b3830091acdad813321b1ac1bd80c141e28df9e7fd267e
Instruction Fuzzy Hash: C3F0B770800B20DB8B52AF18BC429147EA4E7097727EA1106FC10D736ACA31DF91CFB5

Function 00D4324C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\IEW113_2311a.exe,00000104), ref: 00D43287
_free.LIBCMT ref: 00D43352
_free.LIBCMT ref: 00D4335C

Strings

C:\Users\user\Desktop\IEW113_2311a.exe, xrefs: 00D4327E, 00D43285, 00D432B4, 00D432EC

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\IEW113_2311a.exe
API String ID: 2506810119-18735487
Opcode ID: 3884189b1fadc830bb290bf0d866a36a3ae8c3102e008b6c2c645662119c0cea
Instruction ID: 2373d32821ab8dd136564832c2bf7b9c4137983bb138e001253dd2df4d7d8ac3
Opcode Fuzzy Hash: 3884189b1fadc830bb290bf0d866a36a3ae8c3102e008b6c2c645662119c0cea
Instruction Fuzzy Hash: 41315B71A04758EFDB21DF9D9889DAEBBB8EF85310B5840A6E904D7211DB709F40CBB0

Function 00D2E658 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00D2E653,?,?,00D21AD5,00000000,70CDB3AB,00000000,?,00000000,00D45980,000000FF,?,00D2193B), ref: 00D2E670
HeapFree.KERNEL32(00000000,?,00D2E653,?,?,00D21AD5,00000000,70CDB3AB,00000000,?,00000000,00D45980,000000FF,?,00D2193B), ref: 00D2E677
InterlockedPushEntrySList.KERNEL32(00785B58,?,?,00D2E653,?,?,00D21AD5,00000000,70CDB3AB,00000000,?,00000000,00D45980,000000FF,?,00D2193B), ref: 00D2E680

Strings

X[x, xrefs: 00D2E662

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Heap$EntryFreeInterlockedListProcessPush
String ID: X[x
API String ID: 1982578398-2592070539
Opcode ID: 1d276bd836190d71e942525549253db8087f5d9f3004498b0cfb0bfa86b06e69
Instruction ID: 311a009920cce7d1fc08a75faa6d8f7480b0d3c33625c3ca174050f16956e30b
Opcode Fuzzy Hash: 1d276bd836190d71e942525549253db8087f5d9f3004498b0cfb0bfa86b06e69
Instruction Fuzzy Hash: D6D05E351453149BCE105FB4BC48EAA376CEB29606F044844F60EC2251CB31D4408670

Function 00D375DB Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D37666
__alldvrm.LIBCMT ref: 00D37867
__alldvrm.LIBCMT ref: 00D37889

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: ede50d2eaaeaadc1b7ac278e27b05d16cf2698b90d07cad9e01e171b5a337d04
Instruction ID: 8e6907a73c229cd77dccca3eaadbc16188fd719f9849b085c711a6780fea604b
Opcode Fuzzy Hash: ede50d2eaaeaadc1b7ac278e27b05d16cf2698b90d07cad9e01e171b5a337d04
Instruction Fuzzy Hash: 3DA148F2D08B869FEB318F68C8927AEBBE5EF55350F28416DE4859B281C2748D41C770

Function 00D27110 Relevance: 6.3, APIs: 4, Instructions: 282COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,00D4F584,000000FF,?,?,?,?,?,?,00D27085,00D4F590,en-US,70CDB3AB), ref: 00D27301
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,00D4D2B8,000000FF,?,?,?,?,?,?,00D27085,00D4F590,en-US,70CDB3AB), ref: 00D27330
CompareStringW.KERNEL32(0000007F,00000001,-00000010,000000FF,00D4F584,000000FF,?,?,?,?,?,?,00D27085,00D4F590,en-US,70CDB3AB), ref: 00D27359
CompareStringW.KERNEL32(0000007F,00000001,-00000010,000000FF,00D4D2B8,000000FF,?,?,?,?,?,?,00D27085,00D4F590,en-US,70CDB3AB), ref: 00D2737C

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: 73eee8bb4358c1437a764473948d6e4f38fc8f8258fd19733794a214addecc79
Instruction ID: 26f55647d16d358f428f574b31e898b8028c37525b5a3fe07dd867799cd5b451
Opcode Fuzzy Hash: 73eee8bb4358c1437a764473948d6e4f38fc8f8258fd19733794a214addecc79
Instruction Fuzzy Hash: 63B19374A04216DFDB24CF68D884AAAB7B1FF55324F284759E821AB3D1DB709D01CBB4

Function 00D20150 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

_wcsstr.LIBVCRUNTIME ref: 00D201D5
_wcsstr.LIBVCRUNTIME ref: 00D201E9
_wcsstr.LIBVCRUNTIME ref: 00D2028B

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: _wcsstr
String ID:
API String ID: 1512112989-0
Opcode ID: 5a3e33e9c02627e6ada18dcc88ae25b6154d977897f62d69eb298dad7a47b168
Instruction ID: 50bc610639c81d1b4a92e5624b8f3e67b7f5a20f09c6f70c5c6d1bce06a75a0e
Opcode Fuzzy Hash: 5a3e33e9c02627e6ada18dcc88ae25b6154d977897f62d69eb298dad7a47b168
Instruction Fuzzy Hash: 7171C435E0022ADFCF14DFA8D8805AEBBB5EF68308B184569DD05A7311E770AE11CBB0

Function 00D35F82 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D360B1

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 01d586954f726e401c93bf37fe3c4151a4167a3b809c43ef36ae2792dcb86b82
Instruction ID: b284ee5984ab057528185dc105239a49642e6581a51333b7daa0616bd75a48ae
Opcode Fuzzy Hash: 01d586954f726e401c93bf37fe3c4151a4167a3b809c43ef36ae2792dcb86b82
Instruction Fuzzy Hash: 04413B31A00510BBDB386B789C43A7E3BB4DF02374F288665F518D71D1DB75C84196B2

Function 00D3B7DA Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,6FE85006,00D3299B,00000000,00000000,00D332F9,?,00D332F9,?,00000001,00D3299B,6FE85006,00000001,00D332F9,00D332F9), ref: 00D3B827
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D3B8B0
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00D3B8C2
__freea.LIBCMT ref: 00D3B8CB

Part of subcall function 00D36357: RtlAllocateHeap.NTDLL(00000000,00D42D2F,?,?,00D41564,?,?,?,?,?,00D42CC0,00D42D2F,?,?,?,?), ref: 00D36389

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f9bf8a886c63aaae09ce5a6ea37c3d247015390902cb03f89e83cc63bfa6ebe8
Instruction ID: 840d84459509eb36eafa60cc982a5b0ddae9a605094356aa0859397569b0f2d8
Opcode Fuzzy Hash: f9bf8a886c63aaae09ce5a6ea37c3d247015390902cb03f89e83cc63bfa6ebe8
Instruction Fuzzy Hash: 2031BC72A0020AABDF259FA4DC85DBE7BA9EF40320F08422AFD04D6250E735DD54CBB0

Function 00D199C0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,000000BC), ref: 00D19A4C
VerSetConditionMask.KERNEL32(00000000,?,?,000000BC), ref: 00D19A50
VerSetConditionMask.KERNEL32(00000000,?,?,?,000000BC), ref: 00D19A54
VerifyVersionInfoW.KERNEL32(?,00000023,00000000), ref: 00D19A77

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 8a1227918c7d8ebfef3ccd9d069d2062fc258ec864b27d78f233e15f5d3829a7
Instruction ID: cabe982458339f137cf7bf9145f648b17777a2ef1d78aa3e302f01b8344d0302
Opcode Fuzzy Hash: 8a1227918c7d8ebfef3ccd9d069d2062fc258ec864b27d78f233e15f5d3829a7
Instruction Fuzzy Hash: 69111FB16483446FE730DF25DC5ABABBAE8EF88714F00091EB588D72D0D67496048BA6

Function 00D404A9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00D404C3

Part of subcall function 00D40410: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00D4043F
Part of subcall function 00D40410: ___AdjustPointer.LIBCMT ref: 00D4045A

_UnwindNestedFrames.LIBCMT ref: 00D404D8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00D404E9
CallCatchBlock.LIBVCRUNTIME ref: 00D40511

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: bd712df2a7aa408fd8cba9d741fe825c15ea50af91ee3bde0799e399d2f385d3
Instruction ID: a246cc2f86aebab17f2ea695fe4fd354f4d5e86d06bd3006605e324ed16ee895
Opcode Fuzzy Hash: bd712df2a7aa408fd8cba9d741fe825c15ea50af91ee3bde0799e399d2f385d3
Instruction Fuzzy Hash: A301D372100148BBDF12AE95CC45EEB7F6AEF88754F044518FB18A6122C736E961DFB0

Function 00D38573 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00D26001,00000000,00000000,?,00D3851A,00D26001,00000000,00000000,00000000,?,00D38717,00000006,FlsSetValue), ref: 00D385A5
GetLastError.KERNEL32(?,00D3851A,00D26001,00000000,00000000,00000000,?,00D38717,00000006,FlsSetValue,00D49608,FlsSetValue,00000000,00000364,?,00D35963), ref: 00D385B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D3851A,00D26001,00000000,00000000,00000000,?,00D38717,00000006,FlsSetValue,00D49608,FlsSetValue,00000000), ref: 00D385BF

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 3cba80ca85e1123c9b22f90e7d4a28a8abb27086f3349322771146d9ec826f4c
Instruction ID: d6688f9716a0d0f5cec7caf9d9f5a8e957b47c6aac5a8f622b7f7923600a34ad
Opcode Fuzzy Hash: 3cba80ca85e1123c9b22f90e7d4a28a8abb27086f3349322771146d9ec826f4c
Instruction Fuzzy Hash: A101DB366063229BC7218F699C44A977768AF46BA1F180620FD55D7340DF30DD05DAF0

Function 00D19DF0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 00D19E4D
VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 00D19E55
VerSetConditionMask.KERNEL32(00000000,?,00000004,00000003,?,00000001,00000003), ref: 00D19E5D
VerifyVersionInfoW.KERNEL32(?,00000007,00000000), ref: 00D19E68

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: e432ec167840cfecf92dce5ca68e4a01bb3d09c439cff42f0fa6d18fa8a3d1f3
Instruction ID: a2c8ccc96637c80072f37f0de573d2a0040c8bd29510ca17764d388bae03c828
Opcode Fuzzy Hash: e432ec167840cfecf92dce5ca68e4a01bb3d09c439cff42f0fa6d18fa8a3d1f3
Instruction Fuzzy Hash: B30144B06443047BF6209F61DC1BF6B7BDCDB85B14F404919B6849A2C0D7B499148BE6

Function 00D264D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D26516
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00D265D4

Part of subcall function 00D41DCD: ___report_securityfailure.LIBCMT ref: 00D41DD2

Strings

\, xrefs: 00D26534

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem___report_securityfailure
String ID: \
API String ID: 2038868494-2967466578
Opcode ID: bda3e07fbc389975428dcc00d6575ae1573799b90331961625d7ebef69c7b10b
Instruction ID: 61b0bd172e1c753aec08400eaf1dc7c142a610b570cd98e90cd28a7c89bfab2a
Opcode Fuzzy Hash: bda3e07fbc389975428dcc00d6575ae1573799b90331961625d7ebef69c7b10b
Instruction Fuzzy Hash: A831A17594032D9BCB24DF68EC89BEA77B4EB54304F0409A9E919D7244EB70DE848AA0

Function 00D22710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00D22748
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00D22789

Strings

<, xrefs: 00D2276A

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CurrentMessageProcessSend
String ID: <
API String ID: 689086146-4251816714
Opcode ID: f1b514ece41683bb53d41da057a4256b31c50e39f41bafb6a19b15f956994a60
Instruction ID: 67504ad12e221adab0952a0fdd15752d8c20b30a806489c5188e834ef005bf04
Opcode Fuzzy Hash: f1b514ece41683bb53d41da057a4256b31c50e39f41bafb6a19b15f956994a60
Instruction Fuzzy Hash: C311A931604318AFDB21DF68E885BBEBBB8FB59741F510029F801E7240DB70AE05DAB1

Function 00D43552 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00D43E50: GetEnvironmentStringsW.KERNEL32 ref: 00D43E54

_free.LIBCMT ref: 00D43593
_free.LIBCMT ref: 00D4359A

Strings

xAw, xrefs: 00D43552, 00D43580

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: _free$EnvironmentStrings
String ID: xAw
API String ID: 3523873077-2191555105
Opcode ID: 65f7005a3384f363738583fdebf0090ca1f8cf82d64b7be0882165005566b7b5
Instruction ID: 1fd840f5696f1f4c9935d470c33998553472f954c9c6e081d6e554fb2d4bb37e
Opcode Fuzzy Hash: 65f7005a3384f363738583fdebf0090ca1f8cf82d64b7be0882165005566b7b5
Instruction Fuzzy Hash: B6E09216A49B1147EA61323D7C56A6A1605CBD1375F990326FC64DB1C3DEA0CF0601B6

Function 00D2E46A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00D19970: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,00D2E499,70CDB3AB,8007000E,00000000,?,00D2DD39,?,70CDB3AB,00000010,00000010,?,?,00000000,00D465D0), ref: 00D19973
Part of subcall function 00D19970: GetLastError.KERNEL32(?,00D2DD39,?,70CDB3AB,00000010,00000010,?,?,00000000,00D465D0,000000FF,?,00D22070,?,?,00D4D2B8), ref: 00D1997D

IsDebuggerPresent.KERNEL32(70CDB3AB,8007000E,00000000,?,00D2DD39,?,70CDB3AB,00000010,00000010,?,?,00000000,00D465D0,000000FF,?,00D22070), ref: 00D2E49D
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,00D2DD39,?,70CDB3AB,00000010,00000010,?,?,00000000,00D465D0,000000FF,?,00D22070,?), ref: 00D2E4AC

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D2E4A7

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 450123788-631824599
Opcode ID: 9f7c4a8288b308b96d9aafb86e4acc41d0d8beee70bcc12167ea7be45351a281
Instruction ID: f7a8c9ead40a40a1a364206a1865d566395aa1ed8d81b2acc2d33b3870042817
Opcode Fuzzy Hash: 9f7c4a8288b308b96d9aafb86e4acc41d0d8beee70bcc12167ea7be45351a281
Instruction Fuzzy Hash: 23E06D746047608BC320AF24F808782BBE0AF14304F04895DE8A6C3790EBB4D4888BB1

Function 00D12F70 Relevance: 5.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?), ref: 00D12FBF
GetLastError.KERNEL32 ref: 00D12FD0
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00D12FEB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000000), ref: 00D13012

Memory Dump Source

Source File: 00000000.00000002.4181945815.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.4181911062.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182035078.0000000000D47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182083439.0000000000D55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4182134713.0000000000D57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_IEW113_2311a.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: d9d906596e89e9befddd8eff3a7ee3411cef804eb8a5f725697b1f9f10b4e730
Instruction ID: 663322f48ef9742c186ee9ed33ac75f04768270ae0ecf84d6d14c9b3e48e0223
Opcode Fuzzy Hash: d9d906596e89e9befddd8eff3a7ee3411cef804eb8a5f725697b1f9f10b4e730
Instruction Fuzzy Hash: 812137B9700306BFD7105F95EC85FA7BB6EEF45340F14422AF90187240EBA16E1887B0

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IEW113_2311a.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\3b1c82.rbs

C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam.dll

C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam_Driver.dll

C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam_Driver.inf

C:\Program Files\Sony\Imaging Edge Webcam\Driver\imagingedgewebcam.cat

C:\Program Files\Sony\Imaging Edge Webcam\EULA.rtf

C:\Program Files\Sony\Imaging Edge Webcam\ImagingEdgeWebcamLauncher.exe

C:\Program Files\Sony\Imaging Edge Webcam\License.txt

C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_USB.dll

C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_WIA.dll

C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\libusb-1.0.dll

C:\Program Files\Sony\Imaging Edge Webcam\LjCore.dll

C:\Program Files\Sony\Imaging Edge Webcam\USBReset.exe

C:\Program Files\Sony\Imaging Edge Webcam\Webcam.exe

C:\Program Files\Sony\Imaging Edge Webcam\default.jpg

C:\Program Files\Sony\Imaging Edge Webcam\mfc140u.dll

C:\Program Files\Sony\Imaging Edge Webcam\mfcm140u.dll

C:\Program Files\Sony\Imaging Edge Webcam\msvcp140.dll

C:\Program Files\Sony\Imaging Edge Webcam\vcruntime140.dll

C:\Program Files\Sony\Imaging Edge Webcam\webcam_help.ico

Windows Analysis Report
IEW113_2311a.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre